[kernel] r19592 - in dists/sid/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at alioth.debian.org
Sun Dec 9 19:41:58 UTC 2012 

Author: benh
Date: Sun Dec  9 19:41:58 2012
New Revision: 19592

Log:
kmod: make __request_module() killable (CVE-2012-4398)

Added:
   dists/sid/linux/debian/patches/bugfix/all/kmod-introduce-call_modprobe-helper.patch
   dists/sid/linux/debian/patches/bugfix/all/kmod-make-__request_module-killable.patch
   dists/sid/linux/debian/patches/bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
   dists/sid/linux/debian/patches/bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
   dists/sid/linux/debian/patches/bugfix/all/usermodehelper-introduce-umh_complete.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Sun Dec  9 19:12:04 2012	(r19591)
+++ dists/sid/linux/debian/changelog	Sun Dec  9 19:41:58 2012	(r19592)
@@ -95,6 +95,7 @@
     HP Folio 13-2000 (Closes: #692361)
   * [x86] KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set
     (CVE-2012-4461)
+  * kmod: make __request_module() killable (CVE-2012-4398)
 
   [ Ian Campbell ]
   * [xen] add support for microcode updating. (Closes: #693053)

Added: dists/sid/linux/debian/patches/bugfix/all/kmod-introduce-call_modprobe-helper.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/kmod-introduce-call_modprobe-helper.patch	Sun Dec  9 19:41:58 2012	(r19592)
@@ -0,0 +1,69 @@
+From: Oleg Nesterov <oleg at redhat.com>
+Date: Fri, 23 Mar 2012 15:02:49 -0700
+Subject: [4/5] kmod: introduce call_modprobe() helper
+
+commit 3e63a93b987685f02421e18b2aa452d20553a88b upstream.
+
+No functional changes.  Move the call_usermodehelper code from
+__request_module() into the new simple helper, call_modprobe().
+
+Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+Cc: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+Cc: Rusty Russell <rusty at rustcorp.com.au>
+Cc: Tejun Heo <tj at kernel.org>
+Cc: David Rientjes <rientjes at google.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/kmod.c |   24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index 685b246..56a29e8 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -60,6 +60,21 @@ static DECLARE_RWSEM(umhelper_sem);
+ */
+ char modprobe_path[KMOD_PATH_LEN] = "/sbin/modprobe";
+ 
++static int call_modprobe(char *module_name, int wait)
++{
++	static char *envp[] = {
++		"HOME=/",
++		"TERM=linux",
++		"PATH=/sbin:/usr/sbin:/bin:/usr/bin",
++		NULL
++	};
++
++	char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
++
++	return call_usermodehelper_fns(modprobe_path, argv, envp,
++					wait, NULL, NULL, NULL);
++}
++
+ /**
+  * __request_module - try to load a kernel module
+  * @wait: wait (or not) for the operation to complete
+@@ -81,11 +96,6 @@ int __request_module(bool wait, const char *fmt, ...)
+ 	char module_name[MODULE_NAME_LEN];
+ 	unsigned int max_modprobes;
+ 	int ret;
+-	char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
+-	static char *envp[] = { "HOME=/",
+-				"TERM=linux",
+-				"PATH=/sbin:/usr/sbin:/bin:/usr/bin",
+-				NULL };
+ 	static atomic_t kmod_concurrent = ATOMIC_INIT(0);
+ #define MAX_KMOD_CONCURRENT 50	/* Completely arbitrary value - KAO */
+ 	static int kmod_loop_msg;
+@@ -128,9 +138,7 @@ int __request_module(bool wait, const char *fmt, ...)
+ 
+ 	trace_module_request(module_name, wait, _RET_IP_);
+ 
+-	ret = call_usermodehelper_fns(modprobe_path, argv, envp,
+-			wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC,
+-			NULL, NULL, NULL);
++	ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
+ 
+ 	atomic_dec(&kmod_concurrent);
+ 	return ret;

Added: dists/sid/linux/debian/patches/bugfix/all/kmod-make-__request_module-killable.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/kmod-make-__request_module-killable.patch	Sun Dec  9 19:41:58 2012	(r19592)
@@ -0,0 +1,78 @@
+From: Oleg Nesterov <oleg at redhat.com>
+Date: Fri, 23 Mar 2012 15:02:50 -0700
+Subject: [5/5] kmod: make __request_module() killable
+
+commit 1cc684ab75123efe7ff446eb821d44375ba8fa30 upstream.
+
+As Tetsuo Handa pointed out, request_module() can stress the system
+while the oom-killed caller sleeps in TASK_UNINTERRUPTIBLE.
+
+The task T uses "almost all" memory, then it does something which
+triggers request_module().  Say, it can simply call sys_socket().  This
+in turn needs more memory and leads to OOM.  oom-killer correctly
+chooses T and kills it, but this can't help because it sleeps in
+TASK_UNINTERRUPTIBLE and after that oom-killer becomes "disabled" by the
+TIF_MEMDIE task T.
+
+Make __request_module() killable.  The only necessary change is that
+call_modprobe() should kmalloc argv and module_name, they can't live in
+the stack if we use UMH_KILLABLE.  This memory is freed via
+call_usermodehelper_freeinfo()->cleanup.
+
+Reported-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+Cc: Rusty Russell <rusty at rustcorp.com.au>
+Cc: Tejun Heo <tj at kernel.org>
+Cc: David Rientjes <rientjes at google.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/kmod.c |   26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index 56a29e8..957a7aa 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -60,6 +60,12 @@ static DECLARE_RWSEM(umhelper_sem);
+ */
+ char modprobe_path[KMOD_PATH_LEN] = "/sbin/modprobe";
+ 
++static void free_modprobe_argv(struct subprocess_info *info)
++{
++	kfree(info->argv[3]); /* check call_modprobe() */
++	kfree(info->argv);
++}
++
+ static int call_modprobe(char *module_name, int wait)
+ {
+ 	static char *envp[] = {
+@@ -69,10 +75,26 @@ static int call_modprobe(char *module_name, int wait)
+ 		NULL
+ 	};
+ 
+-	char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
++	char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL);
++	if (!argv)
++		goto out;
++
++	module_name = kstrdup(module_name, GFP_KERNEL);
++	if (!module_name)
++		goto free_argv;
++
++	argv[0] = modprobe_path;
++	argv[1] = "-q";
++	argv[2] = "--";
++	argv[3] = module_name;	/* check free_modprobe_argv() */
++	argv[4] = NULL;
+ 
+ 	return call_usermodehelper_fns(modprobe_path, argv, envp,
+-					wait, NULL, NULL, NULL);
++		wait | UMH_KILLABLE, NULL, free_modprobe_argv, NULL);
++free_argv:
++	kfree(argv);
++out:
++	return -ENOMEM;
+ }
+ 
+ /**

Added: dists/sid/linux/debian/patches/bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch	Sun Dec  9 19:41:58 2012	(r19592)
@@ -0,0 +1,34 @@
+From: Oleg Nesterov <oleg at redhat.com>
+Date: Fri, 23 Mar 2012 15:02:49 -0700
+Subject: [3/5] usermodehelper: ____call_usermodehelper() doesn't need
+ do_exit()
+
+commit 5b9bd473e3b8a8c6c4ae99be475e6e9b27568555 upstream.
+
+Minor cleanup.  ____call_usermodehelper() can simply return, no need to
+call do_exit() explicitely.
+
+Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+Cc: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+Cc: Rusty Russell <rusty at rustcorp.com.au>
+Cc: Tejun Heo <tj at kernel.org>
+Cc: David Rientjes <rientjes at google.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/kmod.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index 8341de9..685b246 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -188,7 +188,7 @@ static int ____call_usermodehelper(void *data)
+ 	/* Exec failed? */
+ fail:
+ 	sub_info->retval = retval;
+-	do_exit(0);
++	return 0;
+ }
+ 
+ void call_usermodehelper_freeinfo(struct subprocess_info *info)

Added: dists/sid/linux/debian/patches/bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch	Sun Dec  9 19:41:58 2012	(r19592)
@@ -0,0 +1,105 @@
+From: Oleg Nesterov <oleg at redhat.com>
+Date: Fri, 23 Mar 2012 15:02:47 -0700
+Subject: [2/5] usermodehelper: implement UMH_KILLABLE
+
+commit d0bd587a80960d7ba7e0c8396e154028c9045c54 upstream.
+
+Implement UMH_KILLABLE, should be used along with UMH_WAIT_EXEC/PROC.
+The caller must ensure that subprocess_info->path/etc can not go away
+until call_usermodehelper_freeinfo().
+
+call_usermodehelper_exec(UMH_KILLABLE) does
+wait_for_completion_killable.  If it fails, it uses
+xchg(&sub_info->complete, NULL) to serialize with umh_complete() which
+does the same xhcg() to access sub_info->complete.
+
+If call_usermodehelper_exec wins, it can safely return.  umh_complete()
+should get NULL and call call_usermodehelper_freeinfo().
+
+Otherwise we know that umh_complete() was already called, in this case
+call_usermodehelper_exec() falls back to wait_for_completion() which
+should succeed "very soon".
+
+Note: UMH_NO_WAIT == -1 but it obviously should not be used with
+UMH_KILLABLE.  We delay the neccessary cleanup to simplify the back
+porting.
+
+Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+Cc: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+Cc: Rusty Russell <rusty at rustcorp.com.au>
+Cc: Tejun Heo <tj at kernel.org>
+Cc: David Rientjes <rientjes at google.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ include/linux/kmod.h |    2 ++
+ kernel/kmod.c        |   27 +++++++++++++++++++++++++--
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/kmod.h b/include/linux/kmod.h
+index 722f477..1b598585 100644
+--- a/include/linux/kmod.h
++++ b/include/linux/kmod.h
+@@ -54,6 +54,8 @@ enum umh_wait {
+ 	UMH_WAIT_PROC = 1,	/* wait for the process to complete */
+ };
+ 
++#define UMH_KILLABLE	4	/* wait for EXEC/PROC killable */
++
+ struct subprocess_info {
+ 	struct work_struct work;
+ 	struct completion *complete;
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index 8ea2594..f92f917 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -201,7 +201,15 @@ EXPORT_SYMBOL(call_usermodehelper_freeinfo);
+ 
+ static void umh_complete(struct subprocess_info *sub_info)
+ {
+-	complete(sub_info->complete);
++	struct completion *comp = xchg(&sub_info->complete, NULL);
++	/*
++	 * See call_usermodehelper_exec(). If xchg() returns NULL
++	 * we own sub_info, the UMH_KILLABLE caller has gone away.
++	 */
++	if (comp)
++		complete(comp);
++	else
++		call_usermodehelper_freeinfo(sub_info);
+ }
+ 
+ /* Keventd can't block, but this (a child) can. */
+@@ -252,6 +260,9 @@ static void __call_usermodehelper(struct work_struct *work)
+ 	enum umh_wait wait = sub_info->wait;
+ 	pid_t pid;
+ 
++	if (wait != UMH_NO_WAIT)
++		wait &= ~UMH_KILLABLE;
++
+ 	/* CLONE_VFORK: wait until the usermode helper has execve'd
+ 	 * successfully We need the data structures to stay around
+ 	 * until that is done.  */
+@@ -461,9 +472,21 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info,
+ 	queue_work(khelper_wq, &sub_info->work);
+ 	if (wait == UMH_NO_WAIT)	/* task has freed sub_info */
+ 		goto unlock;
++
++	if (wait & UMH_KILLABLE) {
++		retval = wait_for_completion_killable(&done);
++		if (!retval)
++			goto wait_done;
++
++		/* umh_complete() will see NULL and free sub_info */
++		if (xchg(&sub_info->complete, NULL))
++			goto unlock;
++		/* fallthrough, umh_complete() was already called */
++	}
++
+ 	wait_for_completion(&done);
++wait_done:
+ 	retval = sub_info->retval;
+-
+ out:
+ 	call_usermodehelper_freeinfo(sub_info);
+ unlock:

Added: dists/sid/linux/debian/patches/bugfix/all/usermodehelper-introduce-umh_complete.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/usermodehelper-introduce-umh_complete.patch	Sun Dec  9 19:41:58 2012	(r19592)
@@ -0,0 +1,54 @@
+From: Oleg Nesterov <oleg at redhat.com>
+Date: Fri, 23 Mar 2012 15:02:47 -0700
+Subject: [1/5] usermodehelper: introduce umh_complete(sub_info)
+
+commit b3449922502f5a161ee2b5022a33aec8472fbf18 upstream.
+
+Preparation.  Add the new trivial helper, umh_complete().  Currently it
+simply does complete(sub_info->complete).
+
+Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+Cc: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+Cc: Rusty Russell <rusty at rustcorp.com.au>
+Cc: Tejun Heo <tj at kernel.org>
+Cc: David Rientjes <rientjes at google.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/kmod.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index a0a8854..8ea2594 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -199,6 +199,11 @@ void call_usermodehelper_freeinfo(struct subprocess_info *info)
+ }
+ EXPORT_SYMBOL(call_usermodehelper_freeinfo);
+ 
++static void umh_complete(struct subprocess_info *sub_info)
++{
++	complete(sub_info->complete);
++}
++
+ /* Keventd can't block, but this (a child) can. */
+ static int wait_for_helper(void *data)
+ {
+@@ -235,7 +240,7 @@ static int wait_for_helper(void *data)
+ 			sub_info->retval = ret;
+ 	}
+ 
+-	complete(sub_info->complete);
++	umh_complete(sub_info);
+ 	return 0;
+ }
+ 
+@@ -269,7 +274,7 @@ static void __call_usermodehelper(struct work_struct *work)
+ 	case UMH_WAIT_EXEC:
+ 		if (pid < 0)
+ 			sub_info->retval = pid;
+-		complete(sub_info->complete);
++		umh_complete(sub_info);
+ 	}
+ }
+ 

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Sun Dec  9 19:12:04 2012	(r19591)
+++ dists/sid/linux/debian/patches/series	Sun Dec  9 19:41:58 2012	(r19592)
@@ -423,3 +423,8 @@
 
 bugfix/x86/ACPI-video-ignore-BIOS-initial-backlight-value-for-H.patch
 bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch
+bugfix/all/usermodehelper-introduce-umh_complete.patch
+bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
+bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
+bugfix/all/kmod-introduce-call_modprobe-helper.patch
+bugfix/all/kmod-make-__request_module-killable.patch

More information about the Kernel-svn-changes mailing list