[kernel] r18039 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Sep 1 05:28:09 UTC 2011
Author: dannf
Date: Thu Sep 1 05:28:08 2011
New Revision: 18039
Log:
restrict access to /proc/pid/* after setuid exec (CVE-2011-1020)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
- copied, changed from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch
- copied, changed from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch
- copied, changed from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch
- copied, changed from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Sep 1 03:57:52 2011 (r18038)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Sep 1 05:28:08 2011 (r18039)
@@ -9,6 +9,7 @@
* Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
* net_sched: Fix qdisc_notify() (CVE-2011-2525)
* Fix overflow in auerswald driver (CVE-2009-4067)
+ * restrict access to /proc/pid/* after setuid exec (CVE-2011-1020)
[ Moritz Muehlenhoff ]
* ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)
Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch (from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch)
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch Tue Aug 30 02:49:46 2011 (r18037, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch Thu Sep 1 05:28:08 2011 (r18039)
@@ -8,12 +8,19 @@
prevent access after suid execve
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+ [dannf: backported to Debian's 2.6.26]
+
+commit bf8db462fc178f51a71fcf01a0cbe9d51215f0bf
+Author: dann frazier <dannf at debian.org>
+Date: Wed Aug 31 22:11:15 2011 -0600
+
+ bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index fc471b8..e94b58b 100644
+index f582fff..fc5f0d7 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
-@@ -281,9 +281,9 @@ out:
+@@ -300,9 +300,9 @@ out:
static int proc_pid_auxv(struct task_struct *task, char *buffer)
{
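Review bot: The header lines added here (`commit bf8db462fc178f51a71fcf01a0cbe9d51215f0bf`, `Author: dann frazier`, `Date: ...`) read like `git show` output from the local backport tree, so they do not identify the upstream fix being backported. The same block is added to close-race-in-proc-pid-environ.patch, pagemap-close-races-with-suid-execve.patch and proc-map-report-errors-sanely.patch. If the upstream commit id is not already recorded above the visible part of each header, I would put it there instead of the local commit block. I would also extend `[dannf: backported to Debian's 2.6.26]` to list what was adapted, for example `[dannf: backported to Debian's 2.6.26: ptrace_may_attach() instead of ptrace_may_access(); no cred_guard_mutex]`. For a CVE fix, that lets a later reviewer compare the backport with upstream without rebuilding the differences from the hunks.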
@@ -24,5 +31,5 @@
+ int res = PTR_ERR(mm);
+ if (mm && !IS_ERR(mm)) {
unsigned int nwords = 0;
- do {
+ do
nwords += 2;
Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch (from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch)
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch Tue Aug 30 02:49:46 2011 (r18037, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch Thu Sep 1 05:28:08 2011 (r18039)
@@ -8,16 +8,23 @@
since we do checks on IO anyway...
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+ [dannf: backported to Debian's 2.6.26]
+
+commit c6e0832fdcd651328728c00e6464f36c091444fa
+Author: dann frazier <dannf at debian.org>
+Date: Wed Aug 31 22:10:48 2011 -0600
+
+ bugfix/all/close-race-in-proc-pid-environ.patch
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index c282811..fc471b8 100644
+index 6e71515..f582fff 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
-@@ -919,20 +919,18 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+@@ -906,20 +906,18 @@ static ssize_t environ_read(struct file *file, char __user *buf,
if (!task)
goto out_no_task;
-- if (!ptrace_may_access(task, PTRACE_MODE_READ))
+- if (!ptrace_may_attach(task))
- goto out;
-
ret = -ENOMEM;
Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch (from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch)
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch Tue Aug 30 02:49:46 2011 (r18037, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch Thu Sep 1 05:28:08 2011 (r18039)
@@ -7,48 +7,54 @@
just use mm_for_maps()
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
- [dannf: backported to Debian's 2.6.32]
+ [dannf: backported to Debian's 2.6.26]
+
+commit 4fb7cdfbc27b0635a9ec66200291d2d2babb9970
+Author: dann frazier <dannf at debian.org>
+Date: Wed Aug 31 22:06:29 2011 -0600
+
+ bugfix/all/pagemap-close-races-with-suid-execve.patch
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index ae485ab..aca5390 100644
+index bce2890..47afca0 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
-@@ -2552,7 +2552,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2440,7 +2440,7 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_PROC_PAGE_MONITOR
- REG("clear_refs", S_IWUSR, proc_clear_refs_operations),
- REG("smaps", S_IRUGO, proc_smaps_operations),
-- REG("pagemap", S_IRUSR, proc_pagemap_operations),
-+ REG("pagemap", S_IRUGO, proc_pagemap_operations),
+ REG("clear_refs", S_IWUSR, clear_refs),
+ REG("smaps", S_IRUGO, smaps),
+- REG("pagemap", S_IRUSR, pagemap),
++ REG("pagemap", S_IRUGO, pagemap),
#endif
#ifdef CONFIG_SECURITY
- DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
-@@ -2890,7 +2890,7 @@ static const struct pid_entry tid_base_stuff[] = {
+ DIR("attr", S_IRUGO|S_IXUGO, attr_dir),
+@@ -2776,7 +2776,7 @@ static const struct pid_entry tid_base_stuff[] = {
#ifdef CONFIG_PROC_PAGE_MONITOR
- REG("clear_refs", S_IWUSR, proc_clear_refs_operations),
- REG("smaps", S_IRUGO, proc_smaps_operations),
-- REG("pagemap", S_IRUSR, proc_pagemap_operations),
-+ REG("pagemap", S_IRUGO, proc_pagemap_operations),
+ REG("clear_refs", S_IWUSR, clear_refs),
+ REG("smaps", S_IRUGO, smaps),
+- REG("pagemap", S_IRUSR, pagemap),
++ REG("pagemap", S_IRUGO, pagemap),
#endif
#ifdef CONFIG_SECURITY
- DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
+ DIR("attr", S_IRUGO|S_IXUGO, attr_dir),
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 3b7b82a..6e7b065 100644
+index 8feda82..56c00dc 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
-@@ -682,7 +682,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+@@ -663,7 +663,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
goto out;
ret = -EACCES;
-- if (!ptrace_may_access(task, PTRACE_MODE_READ))
+- if (!ptrace_may_attach(task))
+ mm = mm_for_maps(task);
+ if (!mm)
goto out_task;
ret = -EINVAL;
-@@ -695,10 +696,6 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
- if (!count)
+@@ -672,10 +673,6 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
goto out_task;
+ ret = 0;
- mm = get_task_mm(task);
- if (!mm)
- goto out_task;
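Review bot: Once `REG("pagemap", S_IRUGO, pagemap)` is applied in tgid_base_stuff and tid_base_stuff, the file mode no longer limits who can open pagemap, so the `mm_for_maps(task)` call in pagemap_read is the only access check. It must therefore run on every read, including reads through a descriptor opened before the target executed a setuid binary. The description says only "just use mm_for_maps()". I would add a line such as `pagemap is world-readable by mode; access is enforced per read in pagemap_read() via mm_for_maps()` so a later rebase does not move or cache the check. The `if (!mm)` test is correct only while mm_for_maps() signals denial with NULL, which proc-map-report-errors-sanely.patch (next in series/26lenny4) changes to `ERR_PTR(-EACCES)`, so the two patches need to stay together and in that order. pagemap_read's body extends outside the hunk.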
Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch (from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch)
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch Tue Aug 30 02:49:46 2011 (r18037, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch Thu Sep 1 05:28:08 2011 (r18039)
@@ -5,35 +5,29 @@
report errors in /proc/*/*map* sanely
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
- [dannf: backported to Debian's 2.6.32]
+ [dannf: backported to Debian's 2.6.26]
+
+commit c4511551969b481182ce9114dd552d68e1c5dfe7
+Author: dann frazier <dannf at debian.org>
+Date: Wed Aug 31 22:09:22 2011 -0600
+
+ bugfix/all/proc-map-report-errors-sanely.patch
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index aca5390..b7567b2 100644
+index 47afca0..01421c4 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
-@@ -235,15 +235,17 @@ static int check_mem_permission(struct task_struct *task)
- struct mm_struct *mm_for_maps(struct task_struct *task)
- {
- struct mm_struct *mm;
-+ int err;
-
-- if (mutex_lock_killable(&task->cred_guard_mutex))
-- return NULL;
-+ err = mutex_lock_killable(&task->cred_guard_mutex);
-+ if (err)
-+ return ERR_PTR(err);
-
- mm = get_task_mm(task);
- if (mm && mm != current->mm &&
- !ptrace_may_access(task, PTRACE_MODE_READ)) {
- mmput(mm);
-- mm = NULL;
-+ mm = ERR_PTR(-EACCES);
+@@ -254,7 +254,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ if (!ptrace_may_attach(task) ||
+ mm != task->mm) {
+ mmput(mm);
+- mm = NULL;
++ mm = ERR_PTR(-EACCES);
+ }
}
- mutex_unlock(&task->cred_guard_mutex);
-
+ return mm;
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 6e7b065..e62af9b 100644
+index 56c00dc..e2dd752 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -114,11 +114,11 @@ static void *m_start(struct seq_file *m, loff_t *pos)
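Review bot: In the 2.6.26 form of mm_for_maps() the `mutex_lock_killable(&task->cred_guard_mutex)` / `mutex_unlock` pair from the squeeze version is gone. As far as the visible lines show, the `ptrace_may_attach(task)` check is ordered against a concurrent setuid execve only by the `mm != task->mm` recheck. The patch header should say which lock, if any, the function holds around that check on this kernel, because closing that race is the purpose of the CVE-2011-1020 series. Only the denial path becomes `ERR_PTR(-EACCES)` here; a NULL return from the earlier part of the function presumably remains, so every caller has to test both, as proc_pid_auxv does with `if (mm && !IS_ERR(mm))`. mm_for_maps's body starts outside the hunk, so the locking cannot be confirmed from this page.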
@@ -51,7 +45,7 @@
down_read(&mm->mmap_sem);
tail_vma = get_gate_vma(priv->task);
-@@ -681,9 +681,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+@@ -662,9 +662,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
if (!task)
goto out;
@@ -64,10 +58,10 @@
ret = -EINVAL;
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
-index 8f5c05d..522c1e1 100644
+index 5b4a574..8ed6452 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
-@@ -181,13 +181,13 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+@@ -129,13 +129,13 @@ static void *m_start(struct seq_file *m, loff_t *pos)
/* pin the task and mm whilst we play with them */
priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
if (!priv->task)
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Thu Sep 1 03:57:52 2011 (r18038)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Thu Sep 1 05:28:08 2011 (r18039)
@@ -13,3 +13,7 @@
+ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
+ bugfix/all/net_sched-Fix-qdisc_notify.patch
+ bugfix/all/usb-misc-auerswald-overflow-fix.patch
++ bugfix/all/pagemap-close-races-with-suid-execve.patch
++ bugfix/all/proc-map-report-errors-sanely.patch
++ bugfix/all/close-race-in-proc-pid-environ.patch
++ bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch