[kernel] r17422 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon May 16 00:59:13 UTC 2011


Author: dannf
Date: Mon May 16 00:59:11 2011
New Revision: 17422

Log:
proc: protect mm start_code/end_code in /proc/pid/stat (CVE-2011-0726)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon May 16 00:59:05 2011	(r17421)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon May 16 00:59:11 2011	(r17422)
@@ -25,13 +25,11 @@
   * Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
     (CVE-2011-1182)
   * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)
+  * proc: protect mm start_code/end_code in /proc/pid/stat (CVE-2011-0726)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
 
-  [ dann frazier ]
-  * 
-
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 
 linux-2.6 (2.6.26-26lenny2) stable-security; urgency=high
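Review bot: the new changelog line for CVE-2011-0726 records only the CVE; adding the upstream commit id (5883f57ca000, as cited in the patch's own header) to the entry would make the fix traceable from the changelog alone, matching how the backport note in the patch identifies its origin. Removing the empty "[ dann frazier ]" placeholder block and folding the entry into the existing block above the maintainer signature is the right cleanup, since that placeholder would otherwise have shipped as a blank bullet.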

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch	Mon May 16 00:59:11 2011	(r17422)
@@ -0,0 +1,45 @@
+commit 233d858fcbd5e9a3d26e52baae3a30c4579c070d
+Author: Kees Cook <kees.cook at canonical.com>
+Date:   Wed Mar 23 16:42:53 2011 -0700
+
+    proc: protect mm start_code/end_code in /proc/pid/stat
+    
+    commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 upstream.
+    
+    While mm->start_stack was protected from cross-uid viewing (commit
+    f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged
+    processes")), the start_code and end_code values were not.  This would
+    allow the text location of a PIE binary to leak, defeating ASLR.
+    
+    Note that the value "1" is used instead of "0" for a protected value since
+    "ps", "killall", and likely other readers of /proc/pid/stat, take
+    start_code of "0" to mean a kernel thread and will misbehave.  Thanks to
+    Brad Spengler for pointing this out.
+    
+    Addresses CVE-2011-0726
+    
+    Signed-off-by: Kees Cook <kees.cook at canonical.com>
+    Cc: Alexey Dobriyan <adobriyan at gmail.com>
+    Cc: David Howells <dhowells at redhat.com>
+    Cc: Eugene Teo <eugeneteo at kernel.sg>
+    Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+    Cc: Brad Spengler <spender at grsecurity.net>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+    [dannf: adjusted to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/proc/array.c linux-source-2.6.26/fs/proc/array.c
+--- linux-source-2.6.26.orig/fs/proc/array.c	2011-01-24 22:55:23.000000000 -0700
++++ linux-source-2.6.26/fs/proc/array.c	2011-05-15 18:41:42.437578321 -0600
+@@ -464,8 +464,8 @@ static int do_task_stat(struct seq_file
+ 		vsize,
+ 		mm ? get_mm_rss(mm) : 0,
+ 		rsslim,
+-		mm ? mm->start_code : 0,
+-		mm ? mm->end_code : 0,
++		mm ? (permitted ? mm->start_code : 1) : 0,
++		mm ? (permitted ? mm->end_code : 1) : 0,
+ 		mm ? mm->start_stack : 0,
+ 		esp,
+ 		eip,
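Review bot: the replacement lines reference a `permitted` variable that does not appear in the three lines of context, so the build depends on the lenny tree already carrying the earlier start_stack fix (commit f83ce3e6b02d5, named in the commit message) which introduces `permitted` in do_task_stat; confirm that backport is present in 2.6.26-26lenny3 before applying, otherwise this hunk will not compile. The sentinel choice is consistent with the description: `mm ? (permitted ? mm->start_code : 1) : 0` still reports 0 for kernel threads (no mm) and 1 for an unprivileged reader, so tools that treat start_code == 0 as "kernel thread" keep working while the text base of a PIE binary is no longer exposed. The matching `start_stack` line below the hunk is left as `mm ? mm->start_stack : 0`, which is expected only if that field is already masked elsewhere in this file by the earlier backport; worth a quick check that the two protections use the same `permitted` condition.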

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon May 16 00:59:05 2011	(r17421)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon May 16 00:59:11 2011	(r17422)
@@ -21,3 +21,4 @@
 + bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
 + bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
 + bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
++ bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
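Review bot: the series entry matches the path of the added file under bugfix/all, and appending it after the x86-only sigqueueinfo patches is safe because this patch touches only fs/proc/array.c, which none of the preceding entries modify.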
