[kernel] r17885 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Aug 4 05:31:22 UTC 2011


Author: dannf
Date: Thu Aug  4 05:31:21 2011
New Revision: 17885

Log:
taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug  4 05:27:42 2011	(r17884)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug  4 05:31:21 2011	(r17885)
@@ -2,6 +2,7 @@
 
   * Fix regression in fix for CVE-2011-1768 (Closes: #633738)
   * net: Fix memory leak/corruption on VLAN GRO_DROP (CVE-2011-1576)
+  * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
 
  -- dann frazier <dannf at debian.org>  Thu, 21 Jul 2011 00:31:53 -0600
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch	Thu Aug  4 05:31:21 2011	(r17885)
@@ -0,0 +1,80 @@
+From 26c4caea9d697043cc5a458b96411b86d7f6babd Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon, 27 Jun 2011 16:18:11 -0700
+Subject: taskstats: don't allow duplicate entries in listener mode
+
+From: Vasiliy Kulikov <segoon at openwall.com>
+
+commit 26c4caea9d697043cc5a458b96411b86d7f6babd upstream.
+
+Currently a single process may register exit handlers unlimited times.
+It may lead to a bloated listeners chain and very slow process
+terminations.
+
+Eg after 10KK sent TASKSTATS_CMD_ATTR_REGISTER_CPUMASKs ~300 Mb of
+kernel memory is stolen for the handlers chain and "time id" shows 2-7
+seconds instead of normal 0.003.  It makes it possible to exhaust all
+kernel memory and to eat much of CPU time by triggerring numerous exits
+on a single CPU.
+
+The patch limits the number of times a single process may register
+itself on a single CPU to one.
+
+One little issue is kept unfixed - as taskstats_exit() is called before
+exit_files() in do_exit(), the orphaned listener entry (if it was not
+explicitly deregistered) is kept until the next someone's exit() and
+implicit deregistration in send_cpu_listeners().  So, if a process
+registered itself as a listener exits and the next spawned process gets
+the same pid, it would inherit taskstats attributes.
+
+Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+Cc: Balbir Singh <bsingharora at gmail.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ kernel/taskstats.c |   15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -293,16 +293,18 @@ ret:
+ static int add_del_listener(pid_t pid, const struct cpumask *mask, int isadd)
+ {
+ 	struct listener_list *listeners;
+-	struct listener *s, *tmp;
++	struct listener *s, *tmp, *s2;
+ 	unsigned int cpu;
+ 
+ 	if (!cpumask_subset(mask, cpu_possible_mask))
+ 		return -EINVAL;
+ 
++	s = NULL;
+ 	if (isadd == REGISTER) {
+ 		for_each_cpu(cpu, mask) {
+-			s = kmalloc_node(sizeof(struct listener), GFP_KERNEL,
+-					 cpu_to_node(cpu));
++			if (!s)
++				s = kmalloc_node(sizeof(struct listener),
++						 GFP_KERNEL, cpu_to_node(cpu));
+ 			if (!s)
+ 				goto cleanup;
+ 			s->pid = pid;
+@@ -311,9 +313,16 @@ static int add_del_listener(pid_t pid, c
+ 
+ 			listeners = &per_cpu(listener_array, cpu);
+ 			down_write(&listeners->sem);
++			list_for_each_entry_safe(s2, tmp, &listeners->list, list) {
++				if (s2->pid == pid)
++					goto next_cpu;
++			}
+ 			list_add(&s->list, &listeners->list);
++			s = NULL;
++next_cpu:
+ 			up_write(&listeners->sem);
+ 		}
++		kfree(s);
+ 		return 0;
+ 	}
+ 
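Review bot: The duplicate scan added just before `list_add` uses `list_for_each_entry_safe`, but nothing is unlinked during that walk, so the `tmp` cursor is dead weight there and `list_for_each_entry(s2, &listeners->list, list)` states the intent more plainly (the existing `tmp` declaration is presumably still needed by the deregister walk that continues past the hunk). The `if (!s)` allocate-once pattern is also non-obvious on first read: when a CPU already holds an entry for this pid the freshly allocated `s` is carried into the next iteration instead of being freed, and is only released by the `kfree(s)` after the loop, so a comment such as `/* s may be left over from a cpu that already had this pid; reuse it */` above the `if (!s)` would save the next reader a trace. A side effect of that reuse, if I read it right, is that an entry allocated for one CPU's node may end up on a later CPU's list, which costs only NUMA locality and is not a correctness problem. add_del_listener starts in the hunk but its body and the cleanup label continue past the end of it.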

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug  4 05:27:42 2011	(r17884)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug  4 05:31:21 2011	(r17885)
@@ -1,2 +1,3 @@
 + bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch
 + bugfix/all/net-fix-memory-leak+corruption-on-VLAN-GRO_DROP.patch
++ bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch


