[kernel] r17478 - in dists/lenny-security/linux-2.6/debian/patches: bugfix/all features/all/openvz features/all/vserver series
Dann Frazier
dannf at alioth.debian.org
Mon May 30 14:13:08 UTC 2011
Author: dannf
Date: Mon May 30 14:13:06 2011
New Revision: 17478
Log:
complete fix for CVE-2011-0726
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch
Modified:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch Mon May 30 14:13:06 2011 (r17478)
@@ -0,0 +1,94 @@
+commit f83ce3e6b02d5e48b3a43b001390e2b58820389d
+Author: Jake Edge <jake at lwn.net>
+Date: Mon May 4 12:51:14 2009 -0600
+
+ proc: avoid information leaks to non-privileged processes
+
+ By using the same test as is used for /proc/pid/maps and /proc/pid/smaps,
+ only allow processes that can ptrace() a given process to see information
+ that might be used to bypass address space layout randomization (ASLR).
+ These include eip, esp, wchan, and start_stack in /proc/pid/stat as well
+ as the non-symbolic output from /proc/pid/wchan.
+
+ ASLR can be bypassed by sampling eip as shown by the proof-of-concept
+ code at http://code.google.com/p/fuzzyaslr/ As part of a presentation
+ (http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf) esp and wchan were
+ also noted as possibly usable information leaks as well. The
+ start_stack address also leaks potentially useful information.
+
+ Cc: Stable Team <stable at kernel.org>
+ Signed-off-by: Jake Edge <jake at lwn.net>
+ Acked-by: Arjan van de Ven <arjan at linux.intel.com>
+ Acked-by: "Eric W. Biederman" <ebiederm at xmission.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/proc/array.c linux-source-2.6.26/fs/proc/array.c
+--- linux-source-2.6.26.orig/fs/proc/array.c 2011-01-24 22:55:23.000000000 -0700
++++ linux-source-2.6.26/fs/proc/array.c 2011-05-29 12:39:14.441111404 -0600
+@@ -80,6 +80,7 @@
+ #include <linux/delayacct.h>
+ #include <linux/seq_file.h>
+ #include <linux/pid_namespace.h>
++#include <linux/ptrace.h>
+
+ #include <asm/pgtable.h>
+ #include <asm/processor.h>
+@@ -342,6 +343,7 @@ static int do_task_stat(struct seq_file
+ char state;
+ pid_t ppid = 0, pgid = -1, sid = -1;
+ int num_threads = 0;
++ int permitted;
+ struct mm_struct *mm;
+ unsigned long long start_time;
+ unsigned long cmin_flt = 0, cmaj_flt = 0;
+@@ -354,11 +356,14 @@ static int do_task_stat(struct seq_file
+
+ state = *get_task_state(task);
+ vsize = eip = esp = 0;
++ permitted = ptrace_may_attach(task);
+ mm = get_task_mm(task);
+ if (mm) {
+ vsize = task_vsize(mm);
+- eip = KSTK_EIP(task);
+- esp = KSTK_ESP(task);
++ if (permitted) {
++ eip = KSTK_EIP(task);
++ esp = KSTK_ESP(task);
++ }
+ }
+
+ get_task_comm(tcomm, task);
+@@ -414,7 +419,7 @@ static int do_task_stat(struct seq_file
+ unlock_task_sighand(task, &flags);
+ }
+
+- if (!whole || num_threads < 2)
++ if (permitted && (!whole || num_threads < 2))
+ wchan = get_wchan(task);
+ if (!whole) {
+ min_flt = task->min_flt;
+@@ -466,7 +471,7 @@ static int do_task_stat(struct seq_file
+ rsslim,
+ mm ? mm->start_code : 0,
+ mm ? mm->end_code : 0,
+- mm ? mm->start_stack : 0,
++ (permitted && mm) ? mm->start_stack : 0,
+ esp,
+ eip,
+ /* The signal information here is obsolete.
+diff -urpN linux-source-2.6.26.orig/fs/proc/base.c linux-source-2.6.26/fs/proc/base.c
+--- linux-source-2.6.26.orig/fs/proc/base.c 2011-01-24 22:55:33.000000000 -0700
++++ linux-source-2.6.26/fs/proc/base.c 2011-05-29 12:38:52.196846232 -0600
+@@ -329,7 +329,10 @@ static int proc_pid_wchan(struct task_st
+ wchan = get_wchan(task);
+
+ if (lookup_symbol_name(wchan, symname) < 0)
+- return sprintf(buffer, "%lu", wchan);
++ if (!ptrace_may_attach(task))
++ return 0;
++ else
++ return sprintf(buffer, "%lu", wchan);
+ else
+ return sprintf(buffer, "%s", symname);
+ }
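Review bot: The nested `if`/`else` without braces added to proc_pid_wchan (the `if (!ptrace_may_attach(task))` block after the `lookup_symbol_name` test) depends on dangling-else binding — the first `else` attaches to the inner `if`, the second to the outer — which is correct here but easy to break on the next edit; bracing the outer branch and dropping the `else`s makes the access check visible at a glance. proc_pid_wchan's signature and the `wchan = get_wchan(task);` lead-in begin before the hunk, as does do_task_stat. In do_task_stat, when `permitted` is false `eip`/`esp` stay at the 0 assigned just above and `start_stack` prints 0, while `wchan` keeps whatever initial value its declaration (outside the hunk) gives it; a comment next to `permitted = ptrace_may_attach(task);` such as `/* Readers that may not ptrace() this task get placeholder eip/esp/wchan/start_stack (ASLR) */` would record the intent for the backport.
```c
	if (lookup_symbol_name(wchan, symname) < 0) {
		/* Raw address only for readers allowed to ptrace() the task (ASLR). */
		if (!ptrace_may_attach(task))
			return 0;
		return sprintf(buffer, "%lu", wchan);
	}
	return sprintf(buffer, "%s", symname);
```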
Modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch Sun May 29 18:41:14 2011 (r17477)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch Mon May 30 14:13:06 2011 (r17478)
@@ -1,11 +1,9 @@
-commit 233d858fcbd5e9a3d26e52baae3a30c4579c070d
+commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3
Author: Kees Cook <kees.cook at canonical.com>
Date: Wed Mar 23 16:42:53 2011 -0700
proc: protect mm start_code/end_code in /proc/pid/stat
- commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 upstream.
-
While mm->start_stack was protected from cross-uid viewing (commit
f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged
processes")), the start_code and end_code values were not. This would
@@ -19,6 +17,7 @@
Addresses CVE-2011-0726
Signed-off-by: Kees Cook <kees.cook at canonical.com>
+ Cc: <stable at kernel.org>
Cc: Alexey Dobriyan <adobriyan at gmail.com>
Cc: David Howells <dhowells at redhat.com>
Cc: Eugene Teo <eugeneteo at kernel.sg>
@@ -26,13 +25,12 @@
Cc: Brad Spengler <spender at grsecurity.net>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
- Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
- [dannf: adjusted to Debian's 2.6.26]
-diff -urpN linux-source-2.6.26.orig/fs/proc/array.c linux-source-2.6.26/fs/proc/array.c
---- linux-source-2.6.26.orig/fs/proc/array.c 2011-01-24 22:55:23.000000000 -0700
-+++ linux-source-2.6.26/fs/proc/array.c 2011-05-15 18:41:42.437578321 -0600
-@@ -464,8 +464,8 @@ static int do_task_stat(struct seq_file
+diff --git a/fs/proc/array.c b/fs/proc/array.c
+index 7c99c1c..5e4f776 100644
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -489,8 +489,8 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
vsize,
mm ? get_mm_rss(mm) : 0,
rsslim,
@@ -40,6 +38,6 @@
- mm ? mm->end_code : 0,
+ mm ? (permitted ? mm->start_code : 1) : 0,
+ mm ? (permitted ? mm->end_code : 1) : 0,
- mm ? mm->start_stack : 0,
+ (permitted && mm) ? mm->start_stack : 0,
esp,
eip,
Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch Sun May 29 18:41:14 2011 (r17477)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch Mon May 30 14:13:06 2011 (r17478)
@@ -10042,9 +10042,9 @@
index 797d775..6fd6695 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
-@@ -81,6 +81,8 @@
- #include <linux/seq_file.h>
+@@ -82,6 +82,8 @@
#include <linux/pid_namespace.h>
+ #include <linux/ptrace.h>
+#include <bc/beancounter.h>
+
@@ -10134,9 +10134,9 @@
task_name(m, task);
task_state(m, ns, pid, task);
-@@ -329,6 +360,14 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
- task_show_regs(m, task);
- #endif
+@@ -327,6 +358,14 @@ int proc_pid_status(struct seq_file *m,
+ task_cap(m, task);
+ cpuset_task_status_allowed(m, task);
task_context_switch_counts(m, task);
+#ifdef CONFIG_BEANCOUNTERS
+ ub_dump_task_info(task,
Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Sun May 29 18:41:14 2011 (r17477)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Mon May 30 14:13:06 2011 (r17478)
@@ -6759,10 +6759,10 @@
void put_unused_fd(unsigned int fd)
--- a/fs/proc/array.c 2008-07-14 17:22:50.000000000 -0400
+++ a/fs/proc/array.c 2008-07-17 17:40:35.000000000 -0400
-@@ -80,6 +80,8 @@
- #include <linux/delayacct.h>
+@@ -81,6 +81,8 @@
#include <linux/seq_file.h>
#include <linux/pid_namespace.h>
+ #include <linux/ptrace.h>
+#include <linux/vs_context.h>
+#include <linux/vs_network.h>
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Sun May 29 18:41:14 2011 (r17477)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon May 30 14:13:06 2011 (r17478)
@@ -21,6 +21,7 @@
+ bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
+ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
+ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
++ bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch
+ bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
+ bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
+ bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch