[kernel] r17478 - in dists/lenny-security/linux-2.6/debian/patches: bugfix/all features/all/openvz features/all/vserver series

Dann Frazier dannf at alioth.debian.org
Mon May 30 14:13:08 UTC 2011


Author: dannf
Date: Mon May 30 14:13:06 2011
New Revision: 17478

Log:
complete fix for CVE-2011-0726

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch
Modified:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
   dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
   dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch	Mon May 30 14:13:06 2011	(r17478)
@@ -0,0 +1,94 @@
+commit f83ce3e6b02d5e48b3a43b001390e2b58820389d
+Author: Jake Edge <jake at lwn.net>
+Date:   Mon May 4 12:51:14 2009 -0600
+
+    proc: avoid information leaks to non-privileged processes
+    
+    By using the same test as is used for /proc/pid/maps and /proc/pid/smaps,
+    only allow processes that can ptrace() a given process to see information
+    that might be used to bypass address space layout randomization (ASLR).
+    These include eip, esp, wchan, and start_stack in /proc/pid/stat as well
+    as the non-symbolic output from /proc/pid/wchan.
+    
+    ASLR can be bypassed by sampling eip as shown by the proof-of-concept
+    code at http://code.google.com/p/fuzzyaslr/ As part of a presentation
+    (http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf) esp and wchan were
+    also noted as possibly usable information leaks as well.  The
+    start_stack address also leaks potentially useful information.
+    
+    Cc: Stable Team <stable at kernel.org>
+    Signed-off-by: Jake Edge <jake at lwn.net>
+    Acked-by: Arjan van de Ven <arjan at linux.intel.com>
+    Acked-by: "Eric W. Biederman" <ebiederm at xmission.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/proc/array.c linux-source-2.6.26/fs/proc/array.c
+--- linux-source-2.6.26.orig/fs/proc/array.c	2011-01-24 22:55:23.000000000 -0700
++++ linux-source-2.6.26/fs/proc/array.c	2011-05-29 12:39:14.441111404 -0600
+@@ -80,6 +80,7 @@
+ #include <linux/delayacct.h>
+ #include <linux/seq_file.h>
+ #include <linux/pid_namespace.h>
++#include <linux/ptrace.h>
+ 
+ #include <asm/pgtable.h>
+ #include <asm/processor.h>
+@@ -342,6 +343,7 @@ static int do_task_stat(struct seq_file
+ 	char state;
+ 	pid_t ppid = 0, pgid = -1, sid = -1;
+ 	int num_threads = 0;
++	int permitted;
+ 	struct mm_struct *mm;
+ 	unsigned long long start_time;
+ 	unsigned long cmin_flt = 0, cmaj_flt = 0;
+@@ -354,11 +356,14 @@ static int do_task_stat(struct seq_file
+ 
+ 	state = *get_task_state(task);
+ 	vsize = eip = esp = 0;
++	permitted = ptrace_may_attach(task);
+ 	mm = get_task_mm(task);
+ 	if (mm) {
+ 		vsize = task_vsize(mm);
+-		eip = KSTK_EIP(task);
+-		esp = KSTK_ESP(task);
++		if (permitted) {
++			eip = KSTK_EIP(task);
++			esp = KSTK_ESP(task);
++		}
+ 	}
+ 
+ 	get_task_comm(tcomm, task);
+@@ -414,7 +419,7 @@ static int do_task_stat(struct seq_file
+ 		unlock_task_sighand(task, &flags);
+ 	}
+ 
+-	if (!whole || num_threads < 2)
++	if (permitted && (!whole || num_threads < 2))
+ 		wchan = get_wchan(task);
+ 	if (!whole) {
+ 		min_flt = task->min_flt;
+@@ -466,7 +471,7 @@ static int do_task_stat(struct seq_file
+ 		rsslim,
+ 		mm ? mm->start_code : 0,
+ 		mm ? mm->end_code : 0,
+-		mm ? mm->start_stack : 0,
++		(permitted && mm) ? mm->start_stack : 0,
+ 		esp,
+ 		eip,
+ 		/* The signal information here is obsolete.
+diff -urpN linux-source-2.6.26.orig/fs/proc/base.c linux-source-2.6.26/fs/proc/base.c
+--- linux-source-2.6.26.orig/fs/proc/base.c	2011-01-24 22:55:33.000000000 -0700
++++ linux-source-2.6.26/fs/proc/base.c	2011-05-29 12:38:52.196846232 -0600
+@@ -329,7 +329,10 @@ static int proc_pid_wchan(struct task_st
+ 	wchan = get_wchan(task);
+ 
+ 	if (lookup_symbol_name(wchan, symname) < 0)
+-		return sprintf(buffer, "%lu", wchan);
++		if (!ptrace_may_attach(task))
++			return 0;
++		else
++			return sprintf(buffer, "%lu", wchan);
+ 	else
+ 		return sprintf(buffer, "%s", symname);
+ }

Modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch	Sun May 29 18:41:14 2011	(r17477)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch	Mon May 30 14:13:06 2011	(r17478)
@@ -1,11 +1,9 @@
-commit 233d858fcbd5e9a3d26e52baae3a30c4579c070d
+commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3
 Author: Kees Cook <kees.cook at canonical.com>
 Date:   Wed Mar 23 16:42:53 2011 -0700
 
     proc: protect mm start_code/end_code in /proc/pid/stat
     
-    commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 upstream.
-    
     While mm->start_stack was protected from cross-uid viewing (commit
     f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged
     processes")), the start_code and end_code values were not.  This would
@@ -19,6 +17,7 @@
     Addresses CVE-2011-0726
     
     Signed-off-by: Kees Cook <kees.cook at canonical.com>
+    Cc: <stable at kernel.org>
     Cc: Alexey Dobriyan <adobriyan at gmail.com>
     Cc: David Howells <dhowells at redhat.com>
     Cc: Eugene Teo <eugeneteo at kernel.sg>
@@ -26,13 +25,12 @@
     Cc: Brad Spengler <spender at grsecurity.net>
     Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
     Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
-    [dannf: adjusted to Debian's 2.6.26]
 
-diff -urpN linux-source-2.6.26.orig/fs/proc/array.c linux-source-2.6.26/fs/proc/array.c
---- linux-source-2.6.26.orig/fs/proc/array.c	2011-01-24 22:55:23.000000000 -0700
-+++ linux-source-2.6.26/fs/proc/array.c	2011-05-15 18:41:42.437578321 -0600
-@@ -464,8 +464,8 @@ static int do_task_stat(struct seq_file
+diff --git a/fs/proc/array.c b/fs/proc/array.c
+index 7c99c1c..5e4f776 100644
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -489,8 +489,8 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
  		vsize,
  		mm ? get_mm_rss(mm) : 0,
  		rsslim,
@@ -40,6 +38,6 @@
 -		mm ? mm->end_code : 0,
 +		mm ? (permitted ? mm->start_code : 1) : 0,
 +		mm ? (permitted ? mm->end_code : 1) : 0,
- 		mm ? mm->start_stack : 0,
+ 		(permitted && mm) ? mm->start_stack : 0,
  		esp,
  		eip,
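Review bot: The rewritten context line `(permitted && mm) ? mm->start_stack : 0` makes this patch apply only after proc-avoid-information-leaks-to-non-privileged-processes.patch, and with the `[dannf: adjusted to Debian's 2.6.26]` line removed the patch header no longer records any Debian-specific note; the ordering dependency is encoded solely in the series file. A one-line header note such as `[dannf: depends on proc-avoid-information-leaks-to-non-privileged-processes.patch being applied first]` would make that visible to anyone reordering or cherry-picking the series. The upstream `@@ -489,8 +489,8 @@` offsets presumably differ from 2.6.26's, which is harmless as long as the context still matches with an offset, but it is worth confirming the patch applies without fuzz.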

Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Sun May 29 18:41:14 2011	(r17477)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Mon May 30 14:13:06 2011	(r17478)
@@ -10042,9 +10042,9 @@
 index 797d775..6fd6695 100644
 --- a/fs/proc/array.c
 +++ b/fs/proc/array.c
-@@ -81,6 +81,8 @@
- #include <linux/seq_file.h>
+@@ -82,6 +82,8 @@
  #include <linux/pid_namespace.h>
+ #include <linux/ptrace.h>
  
 +#include <bc/beancounter.h>
 +
@@ -10134,9 +10134,9 @@
  
  	task_name(m, task);
  	task_state(m, ns, pid, task);
-@@ -329,6 +360,14 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
- 	task_show_regs(m, task);
- #endif
+@@ -327,6 +358,14 @@ int proc_pid_status(struct seq_file *m,
+ 	task_cap(m, task);
+ 	cpuset_task_status_allowed(m, task);
  	task_context_switch_counts(m, task);
 +#ifdef CONFIG_BEANCOUNTERS
 +	ub_dump_task_info(task,

Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch	Sun May 29 18:41:14 2011	(r17477)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch	Mon May 30 14:13:06 2011	(r17478)
@@ -6759,10 +6759,10 @@
  void put_unused_fd(unsigned int fd)
 --- a/fs/proc/array.c	2008-07-14 17:22:50.000000000 -0400
 +++ a/fs/proc/array.c	2008-07-17 17:40:35.000000000 -0400
-@@ -80,6 +80,8 @@
- #include <linux/delayacct.h>
+@@ -81,6 +81,8 @@
  #include <linux/seq_file.h>
  #include <linux/pid_namespace.h>
+ #include <linux/ptrace.h>
 +#include <linux/vs_context.h>
 +#include <linux/vs_network.h>
  

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Sun May 29 18:41:14 2011	(r17477)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon May 30 14:13:06 2011	(r17478)
@@ -21,6 +21,7 @@
 + bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
 + bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
 + bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
++ bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch
 + bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
 + bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
 + bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch


