[kernel] r17930 - in dists/squeeze-security/linux-2.6/debian/patches: bugfix/all series
Dann Frazier
dannf at alioth.debian.org
Mon Aug 15 06:06:40 UTC 2011
Author: dannf
Date: Mon Aug 15 06:06:38 2011
New Revision: 17930
Log:
Add missing change for CVE-2011-2495
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch
Modified:
dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-fix-a-race-in-do_io_accounting.patch Mon Aug 15 06:06:38 2011 (r17930)
@@ -0,0 +1,72 @@
+commit 293eb1e7772b25a93647c798c7b89bf26c2da2e0
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Tue Jul 26 16:08:38 2011 -0700
+
+ proc: fix a race in do_io_accounting()
+
+ If an inode's mode permits opening /proc/PID/io and the resulting file
+ descriptor is kept across execve() of a setuid or similar binary, the
+ ptrace_may_access() check tries to prevent using this fd against the
+ task with escalated privileges.
+
+ Unfortunately, there is a race in the check against execve(). If
+ execve() is processed after the ptrace check, but before the actual io
+ information gathering, io statistics will be gathered from the
+ privileged process. At least in theory this might lead to gathering
+ sensible information (like ssh/ftp password length) that wouldn't be
+ available otherwise.
+
+ Holding task->signal->cred_guard_mutex while gathering the io
+ information should protect against the race.
+
+ The order of locking is similar to the one inside of ptrace_attach():
+ first goes cred_guard_mutex, then lock_task_sighand().
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Cc: Al Viro <viro at zeniv.linux.org.uk>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index c9e3f65..08e3ecc 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2706,9 +2706,16 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ {
+ struct task_io_accounting acct = task->ioac;
+ unsigned long flags;
++ int result;
+
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
+- return -EACCES;
++ result = mutex_lock_killable(&task->signal->cred_guard_mutex);
++ if (result)
++ return result;
++
++ if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
++ result = -EACCES;
++ goto out_unlock;
++ }
+
+ if (whole && lock_task_sighand(task, &flags)) {
+ struct task_struct *t = task;
+@@ -2719,7 +2726,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+
+ unlock_task_sighand(task, &flags);
+ }
+- return sprintf(buffer,
++ result = sprintf(buffer,
+ "rchar: %llu\n"
+ "wchar: %llu\n"
+ "syscr: %llu\n"
+@@ -2734,6 +2741,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
+ (unsigned long long)acct.read_bytes,
+ (unsigned long long)acct.write_bytes,
+ (unsigned long long)acct.cancelled_write_bytes);
++out_unlock:
++ mutex_unlock(&task->signal->cred_guard_mutex);
++ return result;
+ }
+
+ static int proc_tid_io_accounting(struct task_struct *task, char *buffer)
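Review bot: The added patch is the upstream commit taken verbatim, and its new lines take `mutex_lock_killable(&task->signal->cred_guard_mutex)` and release it with `mutex_unlock(&task->signal->cred_guard_mutex)`; in 2.6.32-era trees that mutex lived in task_struct rather than signal_struct, so please confirm the field exists in the squeeze tree before this lands, otherwise the two lines would need to become `result = mutex_lock_killable(&task->cred_guard_mutex);` and `mutex_unlock(&task->cred_guard_mutex);`. A second backport concern, also to confirm against that tree: the new code dereferences `task->signal` unconditionally before the existing `lock_task_sighand()` guard, whereas the pre-patch code only touched signal state under that lock, so an exiting task could be a NULL dereference if `->signal` is cleared on exit in this kernel. The do_io_accounting() signature itself is only visible in the `@@` context, not as a diff line, so the function's opening is outside the changed lines.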
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Mon Aug 15 06:06:28 2011 (r17929)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Mon Aug 15 06:06:38 2011 (r17930)
@@ -6,6 +6,7 @@
+ bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
+ bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
+ bugfix/all/proc-restrict-access-to-proc-pid-io.patch
++ bugfix/all/proc-fix-a-race-in-do_io_accounting.patch
+ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
+ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
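Review bot: The new series entry is placed directly after `proc-restrict-access-to-proc-pid-io.patch`, and that ordering appears to be load-bearing rather than cosmetic: the removed lines in the added patch already contain the `ptrace_may_access()` check, which presumably comes from that earlier patch, so reordering the two would make the new patch fail to apply. It would help a future maintainer if the log message (or the added patch's header) recorded that dependency explicitly.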