[kernel] r17420 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series
Dann Frazier
dannf at alioth.debian.org
Mon May 16 00:59:01 UTC 2011
Author: dannf
Date: Mon May 16 00:58:58 2011
New Revision: 17420
Log:
* Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
(CVE-2011-1182)
* Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon May 16 00:58:52 2011 (r17419)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon May 16 00:58:58 2011 (r17420)
@@ -22,10 +22,16 @@
* RDMA/cma: Fix crash in request handlers (CVE-2011-0695)
* IB/cm: Bump reference count on cm_id before invoking callback
(CVE-2011-0695)
+ * Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
+ (CVE-2011-1182)
+ * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)
[ Ben Hutchings ]
* [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
+ [ dann frazier ]
+ *
+
-- dann frazier <dannf at debian.org> Wed, 30 Mar 2011 22:46:26 -0600
linux-2.6 (2.6.26-26lenny2) stable-security; urgency=high
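Review bot: the added `[ dann frazier ]` stanza with an empty `*` bullet (`+ [ dann frazier ]`, `+ *`) is a leftover changelog template entry; fill it in or drop it before the 26lenny3 upload, otherwise the empty bullet under a maintainer heading ends up in the published changelog. The two CVE-2011-1182 entries above it match the Log message and need no change.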
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch Mon May 16 00:58:58 2011 (r17420)
@@ -0,0 +1,45 @@
+commit 92bf9b9866298c3b7c416eb07c9542d01e8b3ae6
+Author: Roland Dreier <roland at purestorage.com>
+Date: Mon Mar 28 14:13:35 2011 -0700
+
+ Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
+
+ commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a upstream.
+
+ Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo
+ from spoofing the signal code") made the check on si_code too strict.
+ There are several legitimate places where glibc wants to queue a
+ negative si_code different from SI_QUEUE:
+
+ - This was first noticed with glibc's aio implementation, which wants
+ to queue a signal with si_code SI_ASYNCIO; the current kernel
+ causes glibc's tst-aio4 test to fail because rt_sigqueueinfo()
+ fails with EPERM.
+
+ - Further examination of the glibc source shows that getaddrinfo_a()
+ wants to use SI_ASYNCNL (which the kernel does not even define).
+ The timer_create() fallback code wants to queue signals with SI_TIMER.
+
+ As suggested by Oleg Nesterov <oleg at redhat.com>, loosen the check to
+ forbid only the problematic SI_TKILL case.
+
+ Reported-by: Klaus Dittrich <kladit at arcor.de>
+ Acked-by: Julien Tinnes <jln at google.com>
+ Signed-off-by: Roland Dreier <roland at purestorage.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [wt: 2.6.27 has no rt_tgsigqueueinfo()]
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 56d815d..b1506fb 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2296,7 +2296,7 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
+ /* Not even root can pretend to send signals from the kernel.
+ * Nor can they impersonate a kill()/tgkill(), which adds source info.
+ */
+- if (info.si_code != SI_QUEUE) {
++ if (info.si_code >= 0 || info.si_code == SI_TKILL) {
+ /* We used to allow any < 0 si_code */
+ WARN_ON_ONCE(info.si_code < 0);
+ return -EPERM;
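Review bot: with the replaced condition `if (info.si_code >= 0 || info.si_code == SI_TKILL) {`, the retained `WARN_ON_ONCE(info.si_code < 0);` can now only fire for SI_TKILL, while the other negative codes the description lists (SI_ASYNCIO, SI_TIMER) pass silently; the comment `/* We used to allow any < 0 si_code */` is therefore stale and should say that SI_TKILL is the one negative value still rejected. The `[wt: 2.6.27 has no rt_tgsigqueueinfo()]` annotation refers to the 2.6.27 stable backport; a one-line note that the same holds for the 2.6.26 lenny kernel would document why the rt_tgsigqueueinfo half of upstream 243b422 is absent here.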
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch Mon May 16 00:58:58 2011 (r17420)
@@ -0,0 +1,50 @@
+commit 127e70c6c9ae94fc0d3d2b02e89f7e7c0fca40ef
+Author: Julien Tinnes <jln at google.com>
+Date: Fri Mar 18 15:05:21 2011 -0700
+
+ Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
+
+ commit da48524eb20662618854bb3df2db01fc65f3070c upstream.
+
+ Userland should be able to trust the pid and uid of the sender of a
+ signal if the si_code is SI_TKILL.
+
+ Unfortunately, the kernel has historically allowed sigqueueinfo() to
+ send any si_code at all (as long as it was negative - to distinguish it
+ from kernel-generated signals like SIGILL etc), so it could spoof a
+ SI_TKILL with incorrect siginfo values.
+
+ Happily, it looks like glibc has always set si_code to the appropriate
+ SI_QUEUE, so there are probably no actual user code that ever uses
+ anything but the appropriate SI_QUEUE flag.
+
+ So just tighten the check for si_code (we used to allow any negative
+ value), and add a (one-time) warning in case there are binaries out
+ there that might depend on using other si_code values.
+
+ Signed-off-by: Julien Tinnes <jln at google.com>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [wt: 2.6.27 does not have do_rt_tgsigqueueinfo()]
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index efcdc95..56d815d 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2294,9 +2294,13 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
+ return -EFAULT;
+
+ /* Not even root can pretend to send signals from the kernel.
+- Nor can they impersonate a kill(), which adds source info. */
+- if (info.si_code >= 0)
++ * Nor can they impersonate a kill()/tgkill(), which adds source info.
++ */
++ if (info.si_code != SI_QUEUE) {
++ /* We used to allow any < 0 si_code */
++ WARN_ON_ONCE(info.si_code < 0);
+ return -EPERM;
++ }
+ info.si_signo = sig;
+
+ /* POSIX.1b doesn't mention process groups. */
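Review bot: the description asserts that glibc "has always set si_code to the appropriate SI_QUEUE", but the companion regression patch added in this same revision documents real glibc callers (aio, getaddrinfo_a(), timer_create() fallback) that this strict `if (info.si_code != SI_QUEUE) {` check turns into -EPERM failures; this patch is only safe to ship together with that follow-up, so the series file must always list them as a pair, and the patch header here should say so. The `[wt: 2.6.27 does not have do_rt_tgsigqueueinfo()]` note explains the dropped rt_tgsigqueueinfo hunk for 2.6.27; since this targets 2.6.26, the same justification should be stated for this tree.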
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon May 16 00:58:52 2011 (r17419)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon May 16 00:58:58 2011 (r17420)
@@ -19,3 +19,5 @@
+ bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
+ bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
+ bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
++ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
++ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
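Review bot: both new entries are filed under `bugfix/x86/` although the patches modify `kernel/signal.c`, which is architecture-independent, and every neighbouring entry in this series uses `bugfix/all/`; move them to `bugfix/all/` (together with the `Added:` paths) to keep the series layout consistent. The ordering itself is correct and must be preserved: the regression patch (index 56d815d..b1506fb) applies on top of the first patch (index efcdc95..56d815d), so it has to stay listed second.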