[kernel] r15989 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/features/all/openvz patches/series

Ben Hutchings benh at alioth.debian.org
Fri Jul 16 02:32:42 UTC 2010 

Author: benh
Date: Fri Jul 16 02:32:39 2010
New Revision: 15989

Log:
exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179)

This fixes a regression introduced by the fix for CVE-2010-0307,
split-flush_old_exec-into-two-functions.patch

Adjust context in openvz.patch

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
   dists/lenny/linux-2.6/debian/patches/series/25

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Thu Jul 15 23:03:46 2010	(r15988)
+++ dists/lenny/linux-2.6/debian/changelog	Fri Jul 16 02:32:39 2010	(r15989)
@@ -2,6 +2,8 @@
 
   [ Ben Hutchings ]
   * pid_ns: Ensure that child_reaper is always valid (Closes: #570350)
+  * exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
+    regression due to fix for CVE-2010-0307)
 
   [ Moritz Muehlenhoff ]
   * parport: quickfix the proc registration bug (Closes: #588672)

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch	Fri Jul 16 02:32:39 2010	(r15989)
@@ -0,0 +1,63 @@
+From 7ad2dabd30866715de71b2d3f0be136c0a26b3bd Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Tue, 2 Feb 2010 12:37:44 -0800
+Subject: [PATCH] Fix 'flush_old_exec()/setup_new_exec()' split
+
+commit 7ab02af428c2d312c0cf8fb0b01cc1eb21131a3d upstream.
+
+Commit 221af7f87b9 ("Split 'flush_old_exec' into two functions") split
+the function at the point of no return - ie right where there were no
+more error cases to check.  That made sense from a technical standpoint,
+but when we then also combined it with the actual personality setting
+going in between flush_old_exec() and setup_new_exec(), it needs to be a
+bit more careful.
+
+In particular, we need to make sure that we really flush the old
+personality bits in the 'flush' stage, rather than later in the 'setup'
+stage, since otherwise we might be flushing the _new_ personality state
+that we're just setting up.
+
+So this moves the flags and personality flushing (and 'flush_thread()',
+which is the arch-specific function that generally resets lazy FP state
+etc) of the old process into flush_old_exec(), so that it doesn't affect
+any state that execve() is setting up for the new process environment.
+
+This was reported by Michal Simek as breaking his Microblaze qemu
+environment.
+
+Reported-and-tested-by: Michal Simek <michal.simek at petalogix.com>
+Cc: Peter Anvin <hpa at zytor.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backport to 2.6.26]
+---
+ fs/exec.c |    7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index f12ede3..164ac13 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -967,6 +967,10 @@ int flush_old_exec(struct linux_binprm * bprm)
+ 		goto out;
+ 
+ 	bprm->mm = NULL;		/* We're using it now */
++
++	current->flags &= ~PF_RANDOMIZE;
++	flush_thread();
++
+ 	return 0;
+ 
+ out:
+@@ -1003,9 +1007,6 @@ void setup_new_exec(struct linux_binprm * bprm)
+ 	tcomm[i] = '\0';
+ 	set_task_comm(current, tcomm);
+ 
+-	current->flags &= ~PF_RANDOMIZE;
+-	flush_thread();
+-
+ 	/* Set the new mm task size. We have to do that late because it may
+ 	 * depend on TIF_32BIT which is only updated in flush_thread() on
+ 	 * some architectures like powerpc
+-- 
+1.7.1
+

Modified: dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Thu Jul 15 23:03:46 2010	(r15988)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Fri Jul 16 02:32:39 2010	(r15989)
@@ -7875,9 +7875,9 @@
  		goto out;
  
 -	bprm->mm = NULL;		/* We're using it now */
- 	return 0;
  
- out:
+ 	current->flags &= ~PF_RANDOMIZE;
+ 	flush_thread();
 @@ -1275,6 +1303,10 @@ int do_execve(char * filename,
  	struct files_struct *displaced;
  	int retval;

Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25	Thu Jul 15 23:03:46 2010	(r15988)
+++ dists/lenny/linux-2.6/debian/patches/series/25	Fri Jul 16 02:32:39 2010	(r15989)
@@ -1,4 +1,4 @@
 + bugfix/all/pid_ns-zap_pid_ns_processes-fix-the-child_reaper.patch
 + bugfix/all/pid_ns-change-child_reaper-when-init-group_leader-exits.patch
 + bugfix/all/parport-quickfix-proc-registration.patch
-
++ bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch

More information about the Kernel-svn-changes mailing list