[kernel] r17912 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Aug 12 00:52:57 UTC 2011


Author: dannf
Date: Fri Aug 12 00:52:55 2011
New Revision: 17912

Log:
proc: restrict access to /proc/PID/io (CVE-2011-2495)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug 11 18:51:41 2011	(r17911)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Fri Aug 12 00:52:55 2011	(r17912)
@@ -6,6 +6,7 @@
   * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
   * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
   * Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
+  * proc: restrict access to /proc/PID/io (CVE-2011-2495)
 
   [ Moritz Muehlenhoff ]
   * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch	Fri Aug 12 00:52:55 2011	(r17912)
@@ -0,0 +1,50 @@
+commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date:   Fri Jun 24 16:08:38 2011 +0400
+
+    proc: restrict access to /proc/PID/io
+    
+    /proc/PID/io may be used for gathering private information.  E.g.  for
+    openssh and vsftpd daemons wchars/rchars may be used to learn the
+    precise password length.  Restrict it to processes being able to ptrace
+    the target process.
+    
+    ptrace_may_access() is needed to prevent keeping open file descriptor of
+    "io" file, executing setuid binary and gathering io information of the
+    setuid'ed process.
+    
+    Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 8a84210..fc5bc27 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2708,6 +2708,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ 	struct task_io_accounting acct = task->ioac;
+ 	unsigned long flags;
+ 
++	if (!ptrace_may_access(task, PTRACE_MODE_READ))
++		return -EACCES;
++
+ 	if (whole && lock_task_sighand(task, &flags)) {
+ 		struct task_struct *t = task;
+ 
+@@ -2839,7 +2842,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+ 	REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+-	INF("io",	S_IRUGO, proc_tgid_io_accounting),
++	INF("io",	S_IRUSR, proc_tgid_io_accounting),
+ #endif
+ #ifdef CONFIG_HARDWALL
+ 	INF("hardwall",   S_IRUGO, proc_pid_hardwall),
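
Review bot: The mode change on the tgid "io" entry from S_IRUGO to S_IRUSR is a user-visible behaviour change that the commit message does not document. Any unprivileged reader of another user's /proc/PID/io now fails at open time instead of getting data. Suggest one sentence in the commit message (and in the Debian changelog entry, since this ships in a stable security update) saying that non-owner reads of "io" now return an error, so administrators can tell an intended denial from a regression.
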
+@@ -3181,7 +3184,7 @@ static const struct pid_entry tid_base_stuff[] = {
+ 	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+-	INF("io",	S_IRUGO, proc_tid_io_accounting),
++	INF("io",	S_IRUSR, proc_tid_io_accounting),
+ #endif
+ #ifdef CONFIG_HARDWALL
+ 	INF("hardwall",   S_IRUGO, proc_pid_hardwall),
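
Review bot: The tid "io" entry is now S_IRUSR while its neighbours in tid_base_stuff stay S_IRUGO, and nothing at the entry says why. The mode bits only gate open(); per the commit message, the runtime check in do_io_accounting() is what covers a descriptor kept open across a setuid exec. A short comment at `INF("io",	S_IRUSR, proc_tid_io_accounting),` (and at the matching tgid entry) pointing to that check would keep a later cleanup from relaxing the mode or dropping one of the two layers.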

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug 11 18:51:41 2011	(r17911)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Fri Aug 12 00:52:55 2011	(r17912)
@@ -5,3 +5,4 @@
 + debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
 + bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
 + bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
++ bugfix/all/proc-restrict-access-to-proc-pid-io.patch


