[kernel] r18547 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Jan 17 17:36:17 UTC 2012


Author: dannf
Date: Tue Jan 17 17:36:14 2012
New Revision: 18547

Log:
futex: clear robust_list on execve (CVE-2012-0028)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/futex-nullify-robust-lists-after-cleanup.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/move-exit_robust_list-into-mm_release.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/27lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 16 15:14:34 2012	(r18546)
+++ dists/lenny-security/linux-2.6/debian/changelog	Tue Jan 17 17:36:14 2012	(r18547)
@@ -3,6 +3,7 @@
   * hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops (CVE-2011-2203)
   * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
   * KEYS: Fix a NULL pointer deref in the user-defined key type (CVE-2011-4110)
+  * futex: clear robust_list on execve (CVE-2012-0028)
 
  -- dann frazier <dannf at debian.org>  Fri, 06 Jan 2012 21:15:07 -0700
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/futex-nullify-robust-lists-after-cleanup.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/futex-nullify-robust-lists-after-cleanup.patch	Tue Jan 17 17:36:14 2012	(r18547)
@@ -0,0 +1,41 @@
+futex: Nullify robust lists after cleanup
+
+The robust list pointers of user space held futexes are kept intact
+over an exec() call. When the exec'ed task exits exit_robust_list() is
+called with the stale pointer. The risk of corruption is minimal, but
+still it is incorrect to keep the pointers valid. Actually glibc
+should uninstall the robust list before calling exec() but we have to
+deal with it anyway.
+
+Nullify the pointers after [compat_]exit_robust_list() has been
+called.
+
+Reported-by: Anirban Sinha <ani at anirban.org>
+Signed-off-by: Peter Zijlstra <peterz at infradead.org>
+Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+LKML-Reference: <new-submission>
+Cc: stable at kernel.org
+[dannf: backported to Debian's 2.6.26]
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 3c8bf25..e92ae4e 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -493,11 +493,15 @@ void mm_release(struct task_struct *tsk, struct mm_struct *mm)
+ 
+ 	/* Get rid of any futexes when releasing the mm */
+ #ifdef CONFIG_FUTEX
+-	if (unlikely(tsk->robust_list))
++	if (unlikely(tsk->robust_list)) {
+ 		exit_robust_list(tsk);
++		tsk->robust_list = NULL;
++	}
+ #ifdef CONFIG_COMPAT
+-	if (unlikely(tsk->compat_robust_list))
++	if (unlikely(tsk->compat_robust_list)) {
+ 		compat_exit_robust_list(tsk);
++		tsk->compat_robust_list = NULL;
++	}
+ #endif
+ #endif
+ 
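Review bot: The two new stores `tsk->robust_list = NULL;` and `tsk->compat_robust_list = NULL;` carry no comment, and the existing `/* Get rid of any futexes when releasing the mm */` line only explains the walk, not why the head pointers must not survive it. Since those heads are user-space addresses inside the mm being released, suggest widening the comment to `/* Get rid of any futexes when releasing the mm. The list heads are user pointers into this mm, so clear them too: the task may go on to run a new image (execve) and must not revisit them at the next release. */`. This hunk's pre-image `index 3c8bf25..` is the post-image of move-exit_robust_list-into-mm_release.patch, so the order in series/27lenny1 (move first, nullify second) is load-bearing; an explicit dependency line in this patch header would make that visible to whoever next reorders the series. The header's `LKML-Reference: <new-submission>` is a placeholder, so the backport has no upstream commit reference to check against; adding the upstream id (placeholder: UPSTREAM_COMMIT_ID) would help future audits. mm_release continues outside the hunk.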

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/move-exit_robust_list-into-mm_release.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/move-exit_robust_list-into-mm_release.patch	Tue Jan 17 17:36:14 2012	(r18547)
@@ -0,0 +1,78 @@
+Move "exit_robust_list" into mm_release()
+
+We don't want to get rid of the futexes just at exit() time, we want to
+drop them when doing an execve() too, since that gets rid of the
+previous VM image too.
+
+Doing it at mm_release() time means that we automatically always do it
+when we disassociate a VM map from the task.
+
+Reported-by: pageexec at freemail.hu
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Nick Piggin <npiggin at suse.de>
+Cc: Hugh Dickins <hugh at veritas.com>
+Cc: Ingo Molnar <mingo at elte.hu>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: Brad Spengler <spender at grsecurity.net>
+Cc: Alex Efros <powerman at powerman.name>
+Cc: Peter Zijlstra <a.p.zijlstra at chello.nl>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[dannf: backported to Debian's 2.6.26]
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index ec900a7..470f778 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -39,7 +39,6 @@
+ #include <linux/cn_proc.h>
+ #include <linux/mutex.h>
+ #include <linux/futex.h>
+-#include <linux/compat.h>
+ #include <linux/pipe_fs_i.h>
+ #include <linux/audit.h> /* for audit_free() */
+ #include <linux/resource.h>
+@@ -1037,14 +1036,6 @@ NORET_TYPE void do_exit(long code)
+ 		exit_itimers(tsk->signal);
+ 	}
+ 	acct_collect(code, group_dead);
+-#ifdef CONFIG_FUTEX
+-	if (unlikely(tsk->robust_list))
+-		exit_robust_list(tsk);
+-#ifdef CONFIG_COMPAT
+-	if (unlikely(tsk->compat_robust_list))
+-		compat_exit_robust_list(tsk);
+-#endif
+-#endif
+ 	if (group_dead)
+ 		tty_audit_exit();
+ 	if (unlikely(tsk->audit_context))
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 4b3963a..3c8bf25 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -36,6 +36,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/jiffies.h>
+ #include <linux/futex.h>
++#include <linux/compat.h>
+ #include <linux/task_io_accounting_ops.h>
+ #include <linux/rcupdate.h>
+ #include <linux/ptrace.h>
+@@ -490,6 +491,16 @@ void mm_release(struct task_struct *tsk, struct mm_struct *mm)
+ {
+ 	struct completion *vfork_done = tsk->vfork_done;
+ 
++	/* Get rid of any futexes when releasing the mm */
++#ifdef CONFIG_FUTEX
++	if (unlikely(tsk->robust_list))
++		exit_robust_list(tsk);
++#ifdef CONFIG_COMPAT
++	if (unlikely(tsk->compat_robust_list))
++		compat_exit_robust_list(tsk);
++#endif
++#endif
++
+ 	/* Get rid of any cached register state */
+ 	deactivate_mm(tsk, mm);
+ 
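Review bot: Moving the `exit_robust_list()` / `compat_exit_robust_list()` calls into mm_release() makes the futex walk correct only while `tsk->mm` is still the address space the registered list heads point into, and nothing in the new block states that ordering requirement for callers. Suggest replacing the added comment with `/* Get rid of any futexes when releasing the mm. Must run before the task's mm is switched or dropped: the robust list heads are user pointers into *this* mm (exit and execve both reach here via mm_release). */`, so a future caller of mm_release() does not reorder it after the mm swap. The exit.c hunk silently depends on `<linux/compat.h>` no longer being needed there after the removal; presumably true for this tree, but worth a build of the CONFIG_COMPAT configuration since the include is dropped rather than kept. Both do_exit() and mm_release() extend beyond the visible hunks.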

Modified: dists/lenny-security/linux-2.6/debian/patches/series/27lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/27lenny1	Mon Jan 16 15:14:34 2012	(r18546)
+++ dists/lenny-security/linux-2.6/debian/patches/series/27lenny1	Tue Jan 17 17:36:14 2012	(r18547)
@@ -1,3 +1,5 @@
 + bugfix/all/hfs-fix-hfs_find_init-ext_tree-NULL-ptr-oops.patch
 + bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
 + bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch
++ bugfix/all/move-exit_robust_list-into-mm_release.patch
++ bugfix/all/futex-nullify-robust-lists-after-cleanup.patch


