[kernel] r17940 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Aug 16 05:37:24 UTC 2011


Author: dannf
Date: Tue Aug 16 05:37:22 2011
New Revision: 17940

Log:
taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny4

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Tue Aug 16 05:01:48 2011	(r17939)
+++ dists/lenny-security/linux-2.6/debian/changelog	Tue Aug 16 05:37:22 2011	(r17940)
@@ -2,6 +2,7 @@
 
   [ dann frazier ]
   * Fix regression in fix for CVE-2011-1768 (Closes: #633738)
+  * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
 
   [ Moritz Muehlenhoff ]
   * ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)
@@ -10,7 +11,7 @@
   * inet_diag: fix inet_diag_bc_audit() (CVE-2011-2213)	
   * Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace
     (CVE-2011-2492)
- 	
+
  -- dann frazier <dannf at debian.org>  Thu, 21 Jul 2011 00:45:03 -0600
 
 linux-2.6 (2.6.26-26lenny3) oldstable-security; urgency=high

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch	Tue Aug 16 05:37:22 2011	(r17940)
@@ -0,0 +1,80 @@
+From 26c4caea9d697043cc5a458b96411b86d7f6babd Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon, 27 Jun 2011 16:18:11 -0700
+Subject: taskstats: don't allow duplicate entries in listener mode
+
+From: Vasiliy Kulikov <segoon at openwall.com>
+
+commit 26c4caea9d697043cc5a458b96411b86d7f6babd upstream.
+
+Currently a single process may register exit handlers unlimited times.
+It may lead to a bloated listeners chain and very slow process
+terminations.
+
+Eg after 10KK sent TASKSTATS_CMD_ATTR_REGISTER_CPUMASKs ~300 Mb of
+kernel memory is stolen for the handlers chain and "time id" shows 2-7
+seconds instead of normal 0.003.  It makes it possible to exhaust all
+kernel memory and to eat much of CPU time by triggerring numerous exits
+on a single CPU.
+
+The patch limits the number of times a single process may register
+itself on a single CPU to one.
+
+One little issue is kept unfixed - as taskstats_exit() is called before
+exit_files() in do_exit(), the orphaned listener entry (if it was not
+explicitly deregistered) is kept until the next someone's exit() and
+implicit deregistration in send_cpu_listeners().  So, if a process
+registered itself as a listener exits and the next spawned process gets
+the same pid, it would inherit taskstats attributes.
+
+Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+Cc: Balbir Singh <bsingharora at gmail.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[dannf: backported to Debian's 2.6.26]
+
+diff --git a/kernel/taskstats.c b/kernel/taskstats.c
+index 4a23517..bd0027e 100644
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -293,17 +293,19 @@ ret:
+ static int add_del_listener(pid_t pid, cpumask_t *maskp, int isadd)
+ {
+ 	struct listener_list *listeners;
+-	struct listener *s, *tmp;
++	struct listener *s, *tmp, *s2;
+ 	unsigned int cpu;
+ 	cpumask_t mask = *maskp;
+ 
+ 	if (!cpus_subset(mask, cpu_possible_map))
+ 		return -EINVAL;
+ 
++	s = NULL;
+ 	if (isadd == REGISTER) {
+ 		for_each_cpu_mask(cpu, mask) {
+-			s = kmalloc_node(sizeof(struct listener), GFP_KERNEL,
+-					 cpu_to_node(cpu));
++			if (!s)
++				s = kmalloc_node(sizeof(struct listener),
++						 GFP_KERNEL, cpu_to_node(cpu));
+ 			if (!s)
+ 				goto cleanup;
+ 			s->pid = pid;
+@@ -312,9 +314,16 @@ static int add_del_listener(pid_t pid, cpumask_t *maskp, int isadd)
+ 
+ 			listeners = &per_cpu(listener_array, cpu);
+ 			down_write(&listeners->sem);
++			list_for_each_entry_safe(s2, tmp, &listeners->list, list) {
++				if (s2->pid == pid)
++					goto next_cpu;
++			}
+ 			list_add(&s->list, &listeners->list);
++			s = NULL;
++next_cpu:
+ 			up_write(&listeners->sem);
+ 		}
++		kfree(s);
+ 		return 0;
+ 	}
+ 
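Review bot: The pre-allocated `s` is obtained once with `cpu_to_node(cpu)` for the first CPU that needs it, and when that CPU already holds a listener for `pid` the same buffer is carried over to the next CPU in the mask (L104–L106 allocate only `if (!s)`, L119 clears `s` only on a successful `list_add`), so the node hint can end up describing a CPU other than the one the entry is finally linked on; re-allocating at `next_cpu` when `cpu_to_node(cpu)` changes, or simply allocating per CPU and freeing on the duplicate path, would keep the placement the original code had. The duplicate scan uses `list_for_each_entry_safe(s2, tmp, &listeners->list, list)` but never unlinks anything, so `list_for_each_entry(s2, &listeners->list, list)` states the intent more plainly (`tmp` is presumably still needed by the deregister path outside this hunk). If, as in the upstream file, a listener can be marked invalid by the sender before it is unlinked, the `s2->pid == pid` test would also reject a legitimate re-registration against such a stale entry — that field is not visible in this hunk, so worth confirming before treating the rejection as unconditional. add_del_listener continues past the hunk; the `cleanup` label and the DEREGISTER branch are not shown here.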

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Tue Aug 16 05:01:48 2011	(r17939)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Tue Aug 16 05:37:22 2011	(r17940)
@@ -3,7 +3,4 @@
 + bugfix/all/fix-inet_diag_bc_audit.patch
 + bugfix/all/CVE-2011-2492.patch
 + bugfix/all/alsa-caiaq-fix-possible-string-buffer-overflow.patch
-
-
-
-
++ bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch


