[kernel] r17420 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series

Dann Frazier dannf at alioth.debian.org
Mon May 16 00:59:01 UTC 2011 

Author: dannf
Date: Mon May 16 00:58:58 2011
New Revision: 17420

Log:
* Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
  (CVE-2011-1182)
* Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon May 16 00:58:52 2011	(r17419)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon May 16 00:58:58 2011	(r17420)
@@ -22,10 +22,16 @@
   * RDMA/cma: Fix crash in request handlers (CVE-2011-0695)
   * IB/cm: Bump reference count on cm_id before invoking callback
     (CVE-2011-0695)
+  * Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
+    (CVE-2011-1182)
+  * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
 
+  [ dann frazier ]
+  * 
+
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 
 linux-2.6 (2.6.26-26lenny2) stable-security; urgency=high

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch	Mon May 16 00:58:58 2011	(r17420)
@@ -0,0 +1,45 @@
+commit 92bf9b9866298c3b7c416eb07c9542d01e8b3ae6
+Author: Roland Dreier <roland at purestorage.com>
+Date:   Mon Mar 28 14:13:35 2011 -0700
+
+    Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
+    
+    commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a upstream.
+    
+    Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo
+    from spoofing the signal code") made the check on si_code too strict.
+    There are several legitimate places where glibc wants to queue a
+    negative si_code different from SI_QUEUE:
+    
+     - This was first noticed with glibc's aio implementation, which wants
+       to queue a signal with si_code SI_ASYNCIO; the current kernel
+       causes glibc's tst-aio4 test to fail because rt_sigqueueinfo()
+       fails with EPERM.
+    
+     - Further examination of the glibc source shows that getaddrinfo_a()
+       wants to use SI_ASYNCNL (which the kernel does not even define).
+       The timer_create() fallback code wants to queue signals with SI_TIMER.
+    
+    As suggested by Oleg Nesterov <oleg at redhat.com>, loosen the check to
+    forbid only the problematic SI_TKILL case.
+    
+    Reported-by: Klaus Dittrich <kladit at arcor.de>
+    Acked-by: Julien Tinnes <jln at google.com>
+    Signed-off-by: Roland Dreier <roland at purestorage.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+    [wt: 2.6.27 has no rt_tgsigqueueinfo()]
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 56d815d..b1506fb 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2296,7 +2296,7 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
+ 	/* Not even root can pretend to send signals from the kernel.
+ 	 * Nor can they impersonate a kill()/tgkill(), which adds source info.
+ 	 */
+-	if (info.si_code != SI_QUEUE) {
++	if (info.si_code >= 0 || info.si_code == SI_TKILL) {
+ 		/* We used to allow any < 0 si_code */
+ 		WARN_ON_ONCE(info.si_code < 0);
+ 		return -EPERM;

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch	Mon May 16 00:58:58 2011	(r17420)
@@ -0,0 +1,50 @@
+commit 127e70c6c9ae94fc0d3d2b02e89f7e7c0fca40ef
+Author: Julien Tinnes <jln at google.com>
+Date:   Fri Mar 18 15:05:21 2011 -0700
+
+    Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
+    
+    commit da48524eb20662618854bb3df2db01fc65f3070c upstream.
+    
+    Userland should be able to trust the pid and uid of the sender of a
+    signal if the si_code is SI_TKILL.
+    
+    Unfortunately, the kernel has historically allowed sigqueueinfo() to
+    send any si_code at all (as long as it was negative - to distinguish it
+    from kernel-generated signals like SIGILL etc), so it could spoof a
+    SI_TKILL with incorrect siginfo values.
+    
+    Happily, it looks like glibc has always set si_code to the appropriate
+    SI_QUEUE, so there are probably no actual user code that ever uses
+    anything but the appropriate SI_QUEUE flag.
+    
+    So just tighten the check for si_code (we used to allow any negative
+    value), and add a (one-time) warning in case there are binaries out
+    there that might depend on using other si_code values.
+    
+    Signed-off-by: Julien Tinnes <jln at google.com>
+    Acked-by: Oleg Nesterov <oleg at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+    [wt: 2.6.27 does not have do_rt_tgsigqueueinfo()]
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index efcdc95..56d815d 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2294,9 +2294,13 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
+ 		return -EFAULT;
+ 
+ 	/* Not even root can pretend to send signals from the kernel.
+-	   Nor can they impersonate a kill(), which adds source info.  */
+-	if (info.si_code >= 0)
++	 * Nor can they impersonate a kill()/tgkill(), which adds source info.
++	 */
++	if (info.si_code != SI_QUEUE) {
++		/* We used to allow any < 0 si_code */
++		WARN_ON_ONCE(info.si_code < 0);
+ 		return -EPERM;
++	}
+ 	info.si_signo = sig;
+ 
+ 	/* POSIX.1b doesn't mention process groups.  */

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon May 16 00:58:52 2011	(r17419)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon May 16 00:58:58 2011	(r17420)
@@ -19,3 +19,5 @@
 + bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
 + bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
 + bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
++ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
++ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch

More information about the Kernel-svn-changes mailing list