[kernel] r16827 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jan 17 19:22:44 UTC 2011


Author: dannf
Date: Mon Jan 17 19:22:38 2011
New Revision: 16827

Log:
do_exit(): make sure that we run with get_fs() == USER_DS (CVE-2010-4258)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 18:56:46 2011	(r16826)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 19:22:38 2011	(r16827)
@@ -13,6 +13,7 @@
     (CVE-2010-0435)
   * exec: make argv/envp memory visible to oom-killer (CVE-2010-4243)
   * af_unix: limit unix_tot_inflight (CVE-2010-4249)
+  * do_exit(): make sure that we run with get_fs() == USER_DS (CVE-2010-4258)
 
   [ Moritz Muehlenhoff ]
   * blkback/blktap/netback: Fix CVE-2010-3699 	

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch	Mon Jan 17 19:22:38 2011	(r16827)
@@ -0,0 +1,51 @@
+commit dc42e95471410095dd1367660b59d463a082bd9f
+Author: Nelson Elhage <nelhage at ksplice.com>
+Date:   Thu Dec 2 14:31:21 2010 -0800
+
+    do_exit(): make sure that we run with get_fs() == USER_DS
+    
+    If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
+    otherwise reset before do_exit().  do_exit may later (via mm_release in
+    fork.c) do a put_user to a user-controlled address, potentially allowing
+    a user to leverage an oops into a controlled write into kernel memory.
+    
+    This is only triggerable in the presence of another bug, but this
+    potentially turns a lot of DoS bugs into privilege escalations, so it's
+    worth fixing.  I have proof-of-concept code which uses this bug along
+    with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
+    I've tested that this is not theoretical.
+    
+    A more logical place to put this fix might be when we know an oops has
+    occurred, before we call do_exit(), but that would involve changing
+    every architecture, in multiple places.
+    
+    Let's just stick it in do_exit instead.
+    
+    [akpm at linux-foundation.org: update code comment]
+    Signed-off-by: Nelson Elhage <nelhage at ksplice.com>
+    Cc: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: Adjusted to apply to Debian's 2.6.26]
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index b3b6377..ec900a7 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -976,6 +976,15 @@ NORET_TYPE void do_exit(long code)
+ 	if (unlikely(!tsk->pid))
+ 		panic("Attempted to kill the idle task!");
+ 
++	/*
++	 * If do_exit is called because this processes oopsed, it's possible
++	 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
++	 * continuing. Amongst other possible reasons, this is to prevent
++	 * mm_release()->clear_child_tid() from writing to a user-controlled
++	 * kernel address.
++	 */
++	set_fs(USER_DS);
++
+ 	if (unlikely(current->ptrace & PT_TRACE_EXIT)) {
+ 		current->ptrace_message = code;
+ 		ptrace_notify((PTRACE_EVENT_EXIT << 8) | SIGTRAP);
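Review bot: the added comment has a grammatical slip, "If do_exit is called because this processes oopsed" should read "this process oopsed"; worth fixing in the Debian copy even though it is inherited from upstream, since the file carries a "[dannf: Adjusted to apply to Debian's 2.6.26]" tag already. On the substance, the placement is the right one for the stated goal: `set_fs(USER_DS)` sits after the idle-task `panic()` check and before `ptrace_notify((PTRACE_EVENT_EXIT << 8) | SIGTRAP)`, so every later step of `do_exit()`, including the `exit_mm()` path that reaches `mm_release()->clear_child_tid()` and its `put_user()`, runs with user-space address limits regardless of what the oops path left in `fs`. The call is unconditional, which is intended: `do_exit()` cannot tell whether it was entered from an oops, and resetting to `USER_DS` on a normal exit is a no-op. As the commit message itself notes, this does not cover anything an architecture's oops handler does with user memory before calling `do_exit()`; that remains an architecture-by-architecture concern.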

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 18:56:46 2011	(r16826)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 19:22:38 2011	(r16827)
@@ -12,3 +12,4 @@
 + bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
 + bugfix/all/af_unix-limit-unix_tot_inflight.patch
 + bugfix/all/scm-lower-SCM_MAX_FD.patch
++ bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch
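Review bot: the series entry uses the same file name as the patch added under `patches/bugfix/all/` and the changelog line names the same CVE, so the three files are consistent. Appending the patch at the end of `26lenny2` is fine as far as the visible entries go: it touches only `kernel/exit.c`, which none of the neighbouring irda, af_unix or scm patches would be expected to modify, so there is no ordering dependency to preserve.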


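The write primitive the commit message describes can be observed from user space on any Linux box: a task that exits with `clear_child_tid` set makes the kernel `put_user()` a zero to an address the task chose. The program below is an added example for this page, not code from the commit or from Debian; it assumes Linux on x86 with the glibc `clone()` wrapper, and it uses the top page of the address space (`(uintptr_t)-4096`) as a stand-in for "some kernel address", which user space can never map. The first case shows the zero landing in a user-supplied variable; the second shows the same exit path with a kernel-range pointer, where `access_ok()` under `USER_DS` rejects the write and the child simply exits. That rejection is exactly what the fix restores for a task that oopsed with `KERNEL_DS`; the oops itself cannot be reproduced here.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Separate stack for the clone()d child. It shares our address space
 * (CLONE_VM) but must not run on the parent's stack. */
static char child_stack[64 * 1024];

/* The child does nothing itself. The write we are watching for is done by
 * the kernel, in mm_release()->clear_child_tid(), while the child exits. */
static int child_body(void *arg)
{
    (void)arg;
    return 0;
}

/*
 * Spawn a child with CLONE_CHILD_CLEARTID pointing at `slot`, then reap it.
 * Returns the child's exit status (0 on success) or -1 if clone()/waitpid()
 * failed. Nothing in this program writes to `slot`; only the kernel does.
 */
static int exit_with_clear_child_tid(pid_t *slot)
{
    int flags = CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD;
    pid_t pid = clone(child_body, child_stack + sizeof child_stack, flags,
                      NULL, NULL, NULL, slot);
    if (pid < 0)
        return -1;
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/*
 * Case 1: `slot` is an ordinary user address. put_user() succeeds and the
 * kernel replaces the sentinel with zero at child exit. Returns 1 if so.
 */
int user_slot_is_cleared(void)
{
    volatile pid_t slot = 0x7fffffff;   /* sentinel: only the kernel zeroes it */
    if (exit_with_clear_child_tid((pid_t *)&slot) != 0)
        return 0;
    return slot == 0;
}

/*
 * Case 2: `slot` is in the kernel half of the address space (assumption of
 * this example: the top page is never user-mappable on x86 Linux). With
 * get_fs() == USER_DS, access_ok() fails, put_user() returns -EFAULT, the
 * kernel ignores the error and the child exits normally; nothing is written.
 * A task that oopsed with KERNEL_DS before the fix would have passed that
 * check and written a zero into kernel memory. Returns 1 if the child
 * exited cleanly.
 */
int kernel_slot_is_rejected(void)
{
    pid_t *kernel_addr = (pid_t *)(uintptr_t)-4096;
    return exit_with_clear_child_tid(kernel_addr) == 0;
}

int main(void)
{
    printf("user slot cleared:    %s\n", user_slot_is_cleared() ? "yes" : "no");
    printf("kernel slot rejected: %s\n", kernel_slot_is_rejected() ? "yes" : "no");
    return 0;
}
```

The child is a separate process rather than a `CLONE_THREAD` thread so that `waitpid()` can be used instead of a futex loop; the `mm_release()` path is the same in both cases because the parent still holds a reference to the shared `mm`. Build with `gcc -O2 -o cleartid cleartid.c` and run as an unprivileged user; neither case needs root.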

More information about the Kernel-svn-changes mailing list