[kernel] r17912 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Aug 12 00:52:57 UTC 2011
Author: dannf
Date: Fri Aug 12 00:52:55 2011
New Revision: 17912
Log:
proc: restrict access to /proc/PID/io (CVE-2011-2495)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Thu Aug 11 18:51:41 2011 (r17911)
+++ dists/squeeze-security/linux-2.6/debian/changelog Fri Aug 12 00:52:55 2011 (r17912)
@@ -6,6 +6,7 @@
* taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
* NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
* Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
+ * proc: restrict access to /proc/PID/io (CVE-2011-2495)
[ Moritz Muehlenhoff ]
* si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch Fri Aug 12 00:52:55 2011 (r17912)
@@ -0,0 +1,50 @@
+commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Fri Jun 24 16:08:38 2011 +0400
+
+ proc: restrict access to /proc/PID/io
+
+ /proc/PID/io may be used for gathering private information. E.g. for
+ openssh and vsftpd daemons wchars/rchars may be used to learn the
+ precise password length. Restrict it to processes being able to ptrace
+ the target process.
+
+ ptrace_may_access() is needed to prevent keeping open file descriptor of
+ "io" file, executing setuid binary and gathering io information of the
+ setuid'ed process.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 8a84210..fc5bc27 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2708,6 +2708,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ struct task_io_accounting acct = task->ioac;
+ unsigned long flags;
+
++ if (!ptrace_may_access(task, PTRACE_MODE_READ))
++ return -EACCES;
++
+ if (whole && lock_task_sighand(task, &flags)) {
+ struct task_struct *t = task;
+
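Review bot: In do_io_accounting() the new ptrace_may_access() check is not serialized against exec. The visible lines take no lock before the check, and lock_task_sighand() is only taken afterwards for the accumulation, so a target that passes the check and then executes a setuid binary can still have its later counters returned. That is the case the commit message says the check exists to prevent. Consider holding the task's credential guard mutex across both the check and the accumulation. As a smaller point, `struct task_io_accounting acct = task->ioac;` copies the counters before the permission check; doing the copy after the check keeps the denied path from reading them at all.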
+@@ -2839,7 +2842,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+ REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+- INF("io", S_IRUGO, proc_tgid_io_accounting),
++ INF("io", S_IRUSR, proc_tgid_io_accounting),
+ #endif
+ #ifdef CONFIG_HARDWALL
+ INF("hardwall", S_IRUGO, proc_pid_hardwall),
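Review bot: The `INF("io", S_IRUSR, proc_tgid_io_accounting)` entry carries no comment tying the new mode to the ptrace_may_access() check in do_io_accounting(). The mode bits only gate open(), while the runtime check is what covers a descriptor that was already open, as the commit message explains. A one-line comment at this entry saying the two belong together would keep a later backport or cleanup from dropping one half. The change is also user-visible: a reader without owner rights now fails at open(), which is worth stating in the changelog entry for people running unprivileged monitoring.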
+@@ -3181,7 +3184,7 @@ static const struct pid_entry tid_base_stuff[] = {
+ REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+- INF("io", S_IRUGO, proc_tid_io_accounting),
++ INF("io", S_IRUSR, proc_tid_io_accounting),
+ #endif
+ #ifdef CONFIG_HARDWALL
+ INF("hardwall", S_IRUGO, proc_pid_hardwall),
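Review bot: The trailing context here and in the tgid_base_stuff hunk (`#ifdef CONFIG_HARDWALL`, `INF("hardwall", S_IRUGO, proc_pid_hardwall)`), along with the `index 8a84210..fc5bc27` line, appears to be carried over unchanged from the upstream commit quoted in the patch header. If fs/proc/base.c in the squeeze source does not contain the hardwall entries, both table hunks apply only with fuzz. Refresh the patch against the packaged tree so the context and offsets match the file actually being patched. Then confirm that both the tgid and tid "io" entries end up as S_IRUSR after applying.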
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Thu Aug 11 18:51:41 2011 (r17911)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Fri Aug 12 00:52:55 2011 (r17912)
@@ -5,3 +5,4 @@
+ debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
+ bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
+ bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
++ bugfix/all/proc-restrict-access-to-proc-pid-io.patch