[kernel] r17604 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jun 6 01:20:34 UTC 2011


Author: dannf
Date: Mon Jun  6 01:20:33 2011
New Revision: 17604

Log:
next_pidmap: fix overflow condition (CVE-2011-1593)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/next_pidmap-fix-overflow-condition.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 00:15:56 2011	(r17603)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 01:20:33 2011	(r17604)
@@ -33,6 +33,7 @@
   * char/tpm: Fix unitialized usage of data buffer (CVE-2011-1160)
   * sound/oss: remove offset from load_patch callbacks (CVE-2011-1476)
   * ROSE: prevent heap corruption with bad facilities (CVE-2011-1493)
+  * next_pidmap: fix overflow condition (CVE-2011-1593)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
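Review bot: the changelog entry names only the next_pidmap fix, but this revision also adds proc-do-proper-range-check-on-readdir-offset.patch to the 26lenny3 series; record the second patch in the same entry (for example "proc: do proper range check on readdir offset") so the changelog lists everything shipped for CVE-2011-1593.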

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/next_pidmap-fix-overflow-condition.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/next_pidmap-fix-overflow-condition.patch	Mon Jun  6 01:20:33 2011	(r17604)
@@ -0,0 +1,60 @@
+commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Mon Apr 18 10:35:30 2011 -0700
+
+    next_pidmap: fix overflow condition
+    
+    next_pidmap() just quietly accepted whatever 'last' pid that was passed
+    in, which is not all that safe when one of the users is /proc.
+    
+    Admittedly the proc code should do some sanity checking on the range
+    (and that will be the next commit), but that doesn't mean that the
+    helper functions should just do that pidmap pointer arithmetic without
+    checking the range of its arguments.
+    
+    So clamp 'last' to PID_MAX_LIMIT.  The fact that we then do "last+1"
+    doesn't really matter, the for-loop does check against the end of the
+    pidmap array properly (it's only the actual pointer arithmetic overflow
+    case we need to worry about, and going one bit beyond isn't going to
+    overflow).
+    
+    [ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]
+    
+    Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+    Analyzed-by: Robert Święcki <robert at swiecki.net>
+    Cc: Eric W. Biederman <ebiederm at xmission.com>
+    Cc: Pavel Emelyanov <xemul at openvz.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/include/linux/pid.h linux-source-2.6.26/include/linux/pid.h
+--- linux-source-2.6.26.orig/include/linux/pid.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/pid.h	2011-06-02 22:25:05.950398468 -0600
+@@ -119,7 +119,7 @@ extern struct pid *find_pid(int nr);
+  */
+ extern struct pid *find_get_pid(int nr);
+ extern struct pid *find_ge_pid(int nr, struct pid_namespace *);
+-int next_pidmap(struct pid_namespace *pid_ns, int last);
++int next_pidmap(struct pid_namespace *pid_ns, unsigned int last);
+ 
+ extern struct pid *alloc_pid(struct pid_namespace *ns);
+ extern void free_pid(struct pid *pid);
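Review bot: changing the parameter from `int last` to `unsigned int last` means a caller that passed a negative value now hands over a large unsigned value, which the new `>= PID_MAX_LIMIT` check in kernel/pid.c rejects instead of it becoming a negative array index; that is the intent, but since the backport only touches this one declaration, confirm that every next_pidmap() caller in the 2.6.26 tree (not only proc_pid_readdir) is built against this header. Minor style point: the neighbouring declarations use `extern`, so the new line could match them.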
+diff -urpN linux-source-2.6.26.orig/kernel/pid.c linux-source-2.6.26/kernel/pid.c
+--- linux-source-2.6.26.orig/kernel/pid.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/kernel/pid.c	2011-06-02 22:25:05.950398468 -0600
+@@ -181,11 +181,14 @@ static int alloc_pidmap(struct pid_names
+ 	return -1;
+ }
+ 
+-int next_pidmap(struct pid_namespace *pid_ns, int last)
++int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
+ {
+ 	int offset;
+ 	struct pidmap *map, *end;
+ 
++	if (last >= PID_MAX_LIMIT)
++		return -1;
++
+ 	offset = (last + 1) & BITS_PER_PAGE_MASK;
+ 	map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];
+ 	end = &pid_ns->pidmap[PIDMAP_ENTRIES];
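Review bot: the early `return -1` on `last >= PID_MAX_LIMIT` only keeps `&pid_ns->pidmap[(last + 1)/BITS_PER_PAGE]` safe if the loop that follows stops at `end` before dereferencing `map`; the hunk ends at `end = &pid_ns->pidmap[PIDMAP_ENTRIES];` and does not show that loop, so verify in the 2.6.26 kernel/pid.c that the loop condition is `map < end` (as the commit message relies on), because with `last == PID_MAX_LIMIT - 1` the "one bit beyond" case can land `map` on `end` itself. Also, `offset` remains `int` while `last` is now unsigned; harmless after the mask, but declaring `offset` unsigned would avoid mixing signedness in the same expression.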

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch	Mon Jun  6 01:20:33 2011	(r17604)
@@ -0,0 +1,37 @@
+commit d8bdc59f215e62098bc5b4256fd9928bf27053a1
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Mon Apr 18 10:36:54 2011 -0700
+
+    proc: do proper range check on readdir offset
+    
+    Rather than pass in some random truncated offset to the pid-related
+    functions, check that the offset is in range up-front.
+    
+    This is just cleanup, the previous commit fixed the real problem.
+    
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/proc/base.c linux-source-2.6.26/fs/proc/base.c
+--- linux-source-2.6.26.orig/fs/proc/base.c	2011-05-29 12:38:52.196846232 -0600
++++ linux-source-2.6.26/fs/proc/base.c	2011-06-02 22:27:05.351985412 -0600
+@@ -2706,11 +2706,16 @@ static int proc_pid_fill_cache(struct fi
+ /* for the /proc/ directory itself, after non-process stuff has been done */
+ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
+ {
+-	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+-	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
++	unsigned int nr;
++	struct task_struct *reaper;
+ 	struct tgid_iter iter;
+ 	struct pid_namespace *ns;
+ 
++	if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
++		goto out_no_task;
++	nr = filp->f_pos - FIRST_PROCESS_ENTRY;
++
++	reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ 	if (!reaper)
+ 		goto out_no_task;
+ 
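Review bot: the new range check is one-sided: `filp->f_pos` is a signed `loff_t`, so a negative position passes `>= PID_MAX_LIMIT + TGID_OFFSET` and is then truncated into `unsigned int nr`; if llseek on the /proc directory can leave a negative offset, add a lower bound (`filp->f_pos < 0`) next to the upper one. Note also that the bound is expressed against TGID_OFFSET while `nr` is derived from FIRST_PROCESS_ENTRY; confirm in the unchanged remainder of the function that the tgid handed to the pid helpers is computed from TGID_OFFSET so the clamp keeps it below PID_MAX_LIMIT.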

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 00:15:56 2011	(r17603)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 01:20:33 2011	(r17604)
@@ -30,3 +30,5 @@
 + bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch
 + bugfix/all/sound-oss-remove-offset-from-load_patch-callbacks.patch
 + bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch
++ bugfix/all/next_pidmap-fix-overflow-condition.patch
++ bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch
