[kernel] r17402 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon May 16 00:56:50 UTC 2011
Author: dannf
Date: Mon May 16 00:56:49 2011
New Revision: 17402
Log:
ptrace: use safer wake up on ptrace_detach()
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/27
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Mon May 16 00:56:38 2011 (r17401)
+++ dists/lenny/linux-2.6/debian/changelog Mon May 16 00:56:49 2011 (r17402)
@@ -11,6 +11,7 @@
- scsi: fix medium error problems with some arrays which can cause
data corruption
- NFS: fix the return value of nfs_file_fsync()
+ - ptrace: use safer wake up on ptrace_detach()
-- Ben Hutchings <ben at decadent.org.uk> Mon, 29 Nov 2010 02:01:24 +0000
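Review bot: The new changelog line does not mention that this is a security-relevant fix, even though the upstream description in the added patch calls it a possible attack vector usable by non-privileged users; consider noting the security relevance (and any CVE id, if one has been assigned) in this entry so the change is discoverable when the lenny update is announced. Also note the entry's trailer still carries the unchanged "Mon, 29 Nov 2010" timestamp from the previous upload; it should be refreshed when this accumulated entry is actually released.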
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch Mon May 16 00:56:49 2011 (r17402)
@@ -0,0 +1,45 @@
+commit 8c4cabbf2516c203b76eeef04d03b260aeb6a941
+Author: Tejun Heo <tj at kernel.org>
+Date: Thu Feb 10 15:01:22 2011 -0800
+
+ ptrace: use safer wake up on ptrace_detach()
+
+ commit 01e05e9a90b8f4c3997ae0537e87720eb475e532 upstream.
+
+ The wake_up_process() call in ptrace_detach() is spurious and not
+ interlocked with the tracee state. IOW, the tracee could be running or
+ sleeping in any place in the kernel by the time wake_up_process() is
+ called. This can lead to the tracee waking up unexpectedly which can be
+ dangerous.
+
+ The wake_up is spurious and should be removed but for now reduce its
+ toxicity by only waking up if the tracee is in TRACED or STOPPED state.
+
+ This bug can possibly be used as an attack vector. I don't think it
+ will take too much effort to come up with an attack which triggers oops
+ somewhere. Most sleeps are wrapped in condition test loops and should
+ be safe but we have quite a number of places where sleep and wakeup
+ conditions are expected to be interlocked. Although the window of
+ opportunity is tiny, ptrace can be used by non-privileged users and with
+ some loading the window can definitely be extended and exploited.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Roland McGrath <roland at redhat.com>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 85c1983..e194cd1 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -213,7 +213,7 @@ static inline void __ptrace_detach(struct task_struct *child, unsigned int data)
+ __ptrace_unlink(child);
+ /* .. and wake it up. */
+ if (child->exit_state != EXIT_ZOMBIE)
+- wake_up_process(child);
++ wake_up_state(child, TASK_TRACED | TASK_STOPPED);
+ }
+
+ int ptrace_detach(struct task_struct *child, unsigned int data)
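Review bot: The patch is taken verbatim from a stable tree (Greg Kroah-Hartman's Signed-off-by, context "static inline void __ptrace_detach(struct task_struct *child, unsigned int data)" and the "child->exit_state != EXIT_ZOMBIE" test) but carries no backport annotation stating that it was checked or adapted against this branch's kernel/ptrace.c; please confirm the hunk applies to lenny's ptrace_detach() as written, or add a "[dannf: adjusted for lenny]"-style note describing any adaptation so later reviewers know the context was verified. The one-line change itself is sound: replacing "wake_up_process(child);" with "wake_up_state(child, TASK_TRACED | TASK_STOPPED);" restricts the wakeup to a tracee that is actually in a traced or stopped state, which is exactly the narrowing the description asks for.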
Modified: dists/lenny/linux-2.6/debian/patches/series/27
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/27 Mon May 16 00:56:38 2011 (r17401)
+++ dists/lenny/linux-2.6/debian/patches/series/27 Mon May 16 00:56:49 2011 (r17402)
@@ -3,3 +3,4 @@
+ bugfix/all/rt2x00-Fix-memleak-when-RTS-CTS-fails.patch
+ bugfix/all/fix-medium-error-problems-with-some-arrays-which-can-cause-data-corruption.patch
+ bugfix/all/nfs-fix-the-return-value-of-nfs_file_fsync.patch
++ bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch