[kernel] r17930 - in dists/squeeze-security/linux-2.6/debian/patches: bugfix/all series

Mon Aug 15 06:06:40 UTC 2011

Author: dannf
Date: Mon Aug 15 06:06:38 2011
New Revision: 17930

Log:
Add missing change for CVE-2011-2495

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch
==============================================================================

--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch	Mon Aug 15 06:06:38 2011	(r17930)
@@ -0,0 +1,72 @@
+commit 293eb1e7772b25a93647c798c7b89bf26c2da2e0
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date:   Tue Jul 26 16:08:38 2011 -0700
+
+    proc: fix a race in do_io_accounting()
+    
+    If an inode's mode permits opening /proc/PID/io and the resulting file
+    descriptor is kept across execve() of a setuid or similar binary, the
+    ptrace_may_access() check tries to prevent using this fd against the
+    task with escalated privileges.
+    
+    Unfortunately, there is a race in the check against execve().  If
+    execve() is processed after the ptrace check, but before the actual io
+    information gathering, io statistics will be gathered from the
+    privileged process.  At least in theory this might lead to gathering
+    sensible information (like ssh/ftp password length) that wouldn't be
+    available otherwise.
+    
+    Holding task->signal->cred_guard_mutex while gathering the io
+    information should protect against the race.
+    
+    The order of locking is similar to the one inside of ptrace_attach():
+    first goes cred_guard_mutex, then lock_task_sighand().
+    
+    Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+    Cc: Al Viro <viro at zeniv.linux.org.uk>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index c9e3f65..08e3ecc 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2706,9 +2706,16 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ {
+ 	struct task_io_accounting acct = task->ioac;
+ 	unsigned long flags;
++	int result;
+ 
+-	if (!ptrace_may_access(task, PTRACE_MODE_READ))
+-		return -EACCES;
++	result = mutex_lock_killable(&task->signal->cred_guard_mutex);
++	if (result)
++		return result;
++
++	if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
++		result = -EACCES;
++		goto out_unlock;
++	}
+ 
+ 	if (whole && lock_task_sighand(task, &flags)) {
+ 		struct task_struct *t = task;
+@@ -2719,7 +2726,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ 
+ 		unlock_task_sighand(task, &flags);
+ 	}
+-	return sprintf(buffer,
++	result = sprintf(buffer,
+ 			"rchar: %llu\n"
+ 			"wchar: %llu\n"
+ 			"syscr: %llu\n"
+@@ -2734,6 +2741,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ 			(unsigned long long)acct.read_bytes,
+ 			(unsigned long long)acct.write_bytes,
+ 			(unsigned long long)acct.cancelled_write_bytes);
++out_unlock:
++	mutex_unlock(&task->signal->cred_guard_mutex);
++	return result;
+ }
+ 
+ static int proc_tid_io_accounting(struct task_struct *task, char *buffer)

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Mon Aug 15 06:06:28 2011	(r17929)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Mon Aug 15 06:06:38 2011	(r17930)
@@ -6,6 +6,7 @@
 + bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
 + bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
 + bugfix/all/proc-restrict-access-to-proc-pid-io.patch
++ bugfix/all/proc-fix-a-race-in-do_io_accounting.patch
 + bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
 + bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
 + bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch

