[kernel] r15259 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Feb 22 23:40:15 UTC 2010
Author: dannf
Date: Mon Feb 22 23:40:13 2010
New Revision: 15259
Log:
Replace fix for CVE-2009-2691 w/ upstreamed version (Closes: #570554)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/21lenny4
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Feb 22 23:05:50 2010 (r15258)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Feb 22 23:40:13 2010 (r15259)
@@ -4,6 +4,7 @@
* mmap: cleanup compiler warnings from CVE-2010-0291 fixes
* x86: set_personality_ia32() misses force_personality32, an additional
fix for CVE-2010-0307
+ * Replace fix for CVE-2009-2691 w/ upstreamed version (Closes: #570554)
-- dann frazier <dannf at debian.org> Thu, 11 Feb 2010 17:14:23 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch Mon Feb 22 23:40:13 2010 (r15259)
@@ -0,0 +1,65 @@
+commit b30527a4d924827faae5c2eda92d7ceaec41ae68
+Author: dann frazier <dannf at hp.com>
+Date: Sat Feb 20 12:21:38 2010 -0700
+
+ [Backported to Debian's 2.6.26]
+ commit 60634e4b830850bb38016f1e6a7a7358eba8118c
+ Author: Oleg Nesterov <oleg at redhat.com>
+ Date: Fri Jul 10 03:27:38 2009 +0200
+
+ mm_for_maps: shift down_read(mmap_sem) to the caller
+
+ commit 00f89d218523b9bf6b522349c039d5ac80aa536d upstream.
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 51e7188..2d6f1c4 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -245,9 +245,8 @@ static int check_mem_permission(struct task_struct *task)
+ struct mm_struct *mm_for_maps(struct task_struct *task)
+ {
+ struct mm_struct *mm = get_task_mm(task);
+- if (!mm)
+- return NULL;
+- if (mm != current->mm) {
++
++ if (mm && mm != current->mm) {
+ /*
+ * task->mm can be changed before security check,
+ * in that case we must notice the change after.
+@@ -255,10 +254,9 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ if (!ptrace_may_attach(task) ||
+ mm != task->mm) {
+ mmput(mm);
+- return NULL;
++ mm = NULL;
+ }
+ }
+- down_read(&mm->mmap_sem);
+ return mm;
+ }
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 2bb6eb6..2819fcb 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -119,6 +119,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ mm = mm_for_maps(priv->task);
+ if (!mm)
+ return NULL;
++ down_read(&mm->mmap_sem);
+
+ tail_vma = get_gate_vma(priv->task);
+ priv->tail_vma = tail_vma;
+diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
+index 4b4f9cc..5b4a574 100644
+--- a/fs/proc/task_nommu.c
++++ b/fs/proc/task_nommu.c
+@@ -137,6 +137,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ priv->task = NULL;
+ return NULL;
+ }
++ down_read(&mm->mmap_sem);
+
+ /* start from the Nth VMA */
+ for (vml = mm->context.vmlist; vml; vml = vml->next)
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch Mon Feb 22 23:40:13 2010 (r15259)
@@ -0,0 +1,48 @@
+commit 19f0a28fc4adf05a06f47835ca4e2e33da2a321b
+Author: dann frazier <dannf at hp.com>
+Date: Sat Feb 20 12:20:50 2010 -0700
+
+ [Backported to Debian's 2.6.26]
+ commit a79c30e57c0eac03aae8be4649958f8592141d20
+ Author: Oleg Nesterov <oleg at redhat.com>
+ Date: Tue Jun 23 21:25:32 2009 +0200
+
+ mm_for_maps: simplify, use ptrace_may_access()
+
+ commit 13f0feafa6b8aead57a2a328e2fca6a5828bf286 upstream.
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 3b45537..51e7188 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -247,19 +247,19 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ return NULL;
++ if (mm != current->mm) {
++ /*
++ * task->mm can be changed before security check,
++ * in that case we must notice the change after.
++ */
++ if (!ptrace_may_attach(task) ||
++ mm != task->mm) {
++ mmput(mm);
++ return NULL;
++ }
++ }
+ down_read(&mm->mmap_sem);
+- task_lock(task);
+- if (task->mm != mm)
+- goto out;
+- if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
+- goto out;
+- task_unlock(task);
+ return mm;
+-out:
+- task_unlock(task);
+- up_read(&mm->mmap_sem);
+- mmput(mm);
+- return NULL;
+ }
+
+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny4 Mon Feb 22 23:05:50 2010 (r15258)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny4 Mon Feb 22 23:40:13 2010 (r15259)
@@ -1,3 +1,6 @@
+ bugfix/all/futex-handle-user-space-corruption-gracefully.patch
+ bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch
+ bugfix/x86/set_personality_ia32-misses-force_personality32.patch
+- bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
++ bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
++ bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
More information about the Kernel-svn-changes
mailing list