[kernel] r17422 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon May 16 00:59:13 UTC 2011
Author: dannf
Date: Mon May 16 00:59:11 2011
New Revision: 17422
Log:
proc: protect mm start_code/end_code in /proc/pid/stat (CVE-2011-0726)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon May 16 00:59:05 2011 (r17421)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon May 16 00:59:11 2011 (r17422)
@@ -25,13 +25,11 @@
* Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
(CVE-2011-1182)
* Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)
+ * proc: protect mm start_code/end_code in /proc/pid/stat (CVE-2011-0726)
[ Ben Hutchings ]
* [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
- [ dann frazier ]
- *
-
-- dann frazier <dannf at debian.org> Wed, 30 Mar 2011 22:46:26 -0600
linux-2.6 (2.6.26-26lenny2) stable-security; urgency=high
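Review bot: the new changelog entry should state the user-visible effect, not only the fix title: for a process the reader is not permitted to inspect, the startcode and endcode fields of /proc/pid/stat now read 1 instead of the real addresses, which is the detail anyone whose monitoring parses that file will want to know. The removed empty "[ dann frazier ]" block is a leftover placeholder and its removal is fine. Note that the trailer line "-- dann frazier <dannf at debian.org> Wed, 30 Mar 2011 22:46:26 -0600" still carries the March date although this commit is from 16 May 2011; it needs refreshing when the 26lenny3 upload is finalised.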
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch Mon May 16 00:59:11 2011 (r17422)
@@ -0,0 +1,45 @@
+commit 233d858fcbd5e9a3d26e52baae3a30c4579c070d
+Author: Kees Cook <kees.cook at canonical.com>
+Date: Wed Mar 23 16:42:53 2011 -0700
+
+ proc: protect mm start_code/end_code in /proc/pid/stat
+
+ commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 upstream.
+
+ While mm->start_stack was protected from cross-uid viewing (commit
+ f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged
+ processes")), the start_code and end_code values were not. This would
+ allow the text location of a PIE binary to leak, defeating ASLR.
+
+ Note that the value "1" is used instead of "0" for a protected value since
+ "ps", "killall", and likely other readers of /proc/pid/stat, take
+ start_code of "0" to mean a kernel thread and will misbehave. Thanks to
+ Brad Spengler for pointing this out.
+
+ Addresses CVE-2011-0726
+
+ Signed-off-by: Kees Cook <kees.cook at canonical.com>
+ Cc: Alexey Dobriyan <adobriyan at gmail.com>
+ Cc: David Howells <dhowells at redhat.com>
+ Cc: Eugene Teo <eugeneteo at kernel.sg>
+ Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+ Cc: Brad Spengler <spender at grsecurity.net>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [dannf: adjusted to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/proc/array.c linux-source-2.6.26/fs/proc/array.c
+--- linux-source-2.6.26.orig/fs/proc/array.c 2011-01-24 22:55:23.000000000 -0700
++++ linux-source-2.6.26/fs/proc/array.c 2011-05-15 18:41:42.437578321 -0600
+@@ -464,8 +464,8 @@ static int do_task_stat(struct seq_file
+ vsize,
+ mm ? get_mm_rss(mm) : 0,
+ rsslim,
+- mm ? mm->start_code : 0,
+- mm ? mm->end_code : 0,
++ mm ? (permitted ? mm->start_code : 1) : 0,
++ mm ? (permitted ? mm->end_code : 1) : 0,
+ mm ? mm->start_stack : 0,
+ esp,
+ eip,
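Review bot: the changed lines introduce a dependency on a `permitted` variable that nowhere appears in the visible context, and the unchanged line directly below them, `mm ? mm->start_stack : 0`, does not match upstream, where the same line reads `(permitted && mm) ? mm->start_stack : 0` after commit f83ce3e6b02d5 (the earlier fix the commit message says protected start_stack). Please confirm that Debian's 2.6.26 carries a backport of that commit, so that `permitted` is defined in do_task_stat() and start_stack is actually gated; if it is not, this patch will not compile, and if start_stack is only gated elsewhere or not at all, the commit message's premise that only start_code/end_code remained exposed does not hold for this tree and the start_stack leak should be closed in the same update. A cheap functional check after building: as an unprivileged user, read /proc/<pid>/stat for a PIE process owned by another user and verify the startcode and endcode fields are 1 (not 0, for the reason given in the commit message: ps and killall treat startcode 0 as a kernel thread) while the same fields for the user's own processes still show real addresses. Reading the file as root should be unaffected.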
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon May 16 00:59:05 2011 (r17421)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon May 16 00:59:11 2011 (r17422)
@@ -21,3 +21,4 @@
+ bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
+ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
+ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
++ bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch