[kernel] r15261 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Tue Feb 23 00:36:45 UTC 2010

Author: dannf
Date: Tue Feb 23 00:36:42 2010
New Revision: 15261

Log:
Replace fix for CVE-2009-2691 w/ upstreamed version

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch3

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================

--- dists/etch-security/linux-2.6.24/debian/changelog	Tue Feb 23 00:22:25 2010	(r15260)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Tue Feb 23 00:36:42 2010	(r15261)
@@ -3,6 +3,7 @@
   * Fix a patch offset issue that resulted in a build failure when
     CONFIG_SECURITY=n (this is only true for powerpc).
   * Build fix for CVE-2010-0291 change on powerpc64
+  * Replace fix for CVE-2009-2691 w/ upstreamed version
 
  -- dann frazier <dannf at debian.org>  Fri, 19 Feb 2010 18:16:36 -0700
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch	Tue Feb 23 00:36:42 2010	(r15261)
@@ -0,0 +1,49 @@
+diff -urpN linux-source-2.6.24.orig/fs/proc/base.c linux-source-2.6.24/fs/proc/base.c
+--- linux-source-2.6.24.orig/fs/proc/base.c	2010-02-22 17:31:39.000000000 -0700
++++ linux-source-2.6.24/fs/proc/base.c	2010-02-22 17:32:37.000000000 -0700
+@@ -205,9 +205,8 @@ static int proc_root_link(struct inode *
+ struct mm_struct *mm_for_maps(struct task_struct *task)
+ {
+ 	struct mm_struct *mm = get_task_mm(task);
+-	if (!mm)
+-		return NULL;
+-	if (mm != current->mm) {
++
++	if (mm && mm != current->mm) {
+ 		/*
+ 		 * task->mm can be changed before security check,
+ 		 * in that case we must notice the change after.
+@@ -215,10 +214,9 @@ struct mm_struct *mm_for_maps(struct tas
+ 		if (!ptrace_may_attach(task) ||
+ 		    mm != task->mm) {
+ 			mmput(mm);
+-			return NULL;
++			mm = NULL;
+ 		}
+ 	}
+-	down_read(&mm->mmap_sem);
+ 	return mm;
+ }
+ 
+diff -urpN linux-source-2.6.24.orig/fs/proc/task_mmu.c linux-source-2.6.24/fs/proc/task_mmu.c
+--- linux-source-2.6.24.orig/fs/proc/task_mmu.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/fs/proc/task_mmu.c	2010-02-22 17:32:37.000000000 -0700
+@@ -392,6 +392,7 @@ static void *m_start(struct seq_file *m,
+ 
+ 	if (last_addr == -1UL)
+ 		return NULL;
++	down_read(&mm->mmap_sem);
+ 
+ 	priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
+ 	if (!priv->task)
+diff -urpN linux-source-2.6.24.orig/fs/proc/task_nommu.c linux-source-2.6.24/fs/proc/task_nommu.c
+--- linux-source-2.6.24.orig/fs/proc/task_nommu.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/fs/proc/task_nommu.c	2010-02-22 17:32:37.000000000 -0700
+@@ -171,6 +171,7 @@ static void *m_start(struct seq_file *m,
+ 		priv->task = NULL;
+ 		return NULL;
+ 	}
++	down_read(&mm->mmap_sem);
+ 
+ 	/* start from the Nth VMA */
+ 	for (vml = mm->context.vmlist; vml; vml = vml->next)

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch	Tue Feb 23 00:36:42 2010	(r15261)
@@ -0,0 +1,34 @@
+diff -urpN linux-source-2.6.24.orig/fs/proc/base.c linux-source-2.6.24/fs/proc/base.c
+--- linux-source-2.6.24.orig/fs/proc/base.c	2010-02-22 17:31:00.000000000 -0700
++++ linux-source-2.6.24/fs/proc/base.c	2010-02-22 17:31:39.000000000 -0700
+@@ -207,19 +207,19 @@ struct mm_struct *mm_for_maps(struct tas
+ 	struct mm_struct *mm = get_task_mm(task);
+ 	if (!mm)
+ 		return NULL;
++	if (mm != current->mm) {
++		/*
++		 * task->mm can be changed before security check,
++		 * in that case we must notice the change after.
++		 */
++		if (!ptrace_may_attach(task) ||
++		    mm != task->mm) {
++			mmput(mm);
++			return NULL;
++		}
++	}
+ 	down_read(&mm->mmap_sem);
+-	task_lock(task);
+-	if (task->mm != mm)
+-		goto out;
+-	if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
+-		goto out;
+-	task_unlock(task);
+ 	return mm;
+-out:
+-	task_unlock(task);
+-	up_read(&mm->mmap_sem);
+-	mmput(mm);
+-	return NULL;
+ }
+ 
+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch3
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch3	Tue Feb 23 00:22:25 2010	(r15260)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch3	Tue Feb 23 00:36:42 2010	(r15261)
@@ -1,2 +1,5 @@
 + bugfix/all/security-mmap-fix-patch-offset.patch
 + bugfix/all/untangle-the-do_mremap-mess-ppc64-fix.patch
+- bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
++ bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
++ bugfix/all/mm_for_maps-shift-down_read-to-caller.patch

