[kernel] r19263 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Jul 19 02:55:55 UTC 2012
Author: dannf
Date: Thu Jul 19 02:55:54 2012
New Revision: 19263
Log:
cred: copy_process() should clear child->replacement_session_keyring (CVE-2012-2745)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Thu Jul 19 02:55:49 2012 (r19262)
+++ dists/squeeze-security/linux-2.6/debian/changelog Thu Jul 19 02:55:54 2012 (r19263)
@@ -6,6 +6,8 @@
* hfsplus: Fix potential buffer overflows (CVE-2012-2319)
* hugetlb: fix resv_map leak in error path (CVE-2012-2390)
* mm: fix vma_resv_map() NULL pointer (CVE-2012-2390)
+ * cred: copy_process() should clear child->replacement_session_keyring
+ (CVE-2012-2745)
-- dann frazier <dannf at debian.org> Tue, 12 Jun 2012 16:56:29 -0600
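Review bot: the stanza trailer still reads Tue, 12 Jun 2012 while this commit lands on Thu Jul 19 2012; refresh the date when the 45squeeze1 entry is finalised for upload (the version/distribution line sits above the hunk and should be checked at the same time), otherwise the changelog entry and the patch line in the series are consistent.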
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch Thu Jul 19 02:55:54 2012 (r19263)
@@ -0,0 +1,36 @@
+commit 79549c6dfda0603dba9a70a53467ce62d9335c33
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Apr 9 21:03:50 2012 +0200
+
+ cred: copy_process() should clear child->replacement_session_keyring
+
+ keyctl_session_to_parent(task) sets ->replacement_session_keyring,
+ it should be processed and cleared by key_replace_session_keyring().
+
+ However, this task can fork before it notices TIF_NOTIFY_RESUME and
+ the new child gets the bogus ->replacement_session_keyring copied by
+ dup_task_struct(). This is obviously wrong and, if nothing else, this
+ leads to put_cred(already_freed_cred).
+
+ change copy_creds() to clear this member. If copy_process() fails
+ before this point the wrong ->replacement_session_keyring doesn't
+ matter, exit_creds() won't be called.
+
+ Cc: <stable at vger.kernel.org>
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Acked-by: David Howells <dhowells at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/kernel/cred.c b/kernel/cred.c
+index 97b36ee..e70683d 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -386,6 +386,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
+ struct cred *new;
+ int ret;
+
++ p->replacement_session_keyring = NULL;
++
+ if (
+ #ifdef CONFIG_KEYS
+ !p->cred->thread_keyring &&
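Review bot: the hunk is the verbatim upstream commit (index 97b36ee..e70683d, context `struct cred *new; int ret;` followed directly by `if (`), so it should be confirmed to apply without fuzz or offset against squeeze's kernel/cred.c; if the local copy_creds() has other statements between `int ret;` and that `if (`, the `p->replacement_session_keyring = NULL;` must still be placed ahead of the branch, since the intent stated in the commit message is that copy_creds() clears the member on every path. The patch file carries only the upstream commit id; a line noting that it is the CVE-2012-2745 fix as applied in 45squeeze1 would help anyone tracing the series later.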
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1 Thu Jul 19 02:55:49 2012 (r19262)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1 Thu Jul 19 02:55:54 2012 (r19263)
@@ -4,3 +4,4 @@
+ bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch
+ bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
+ bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
++ bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch
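The race the commit message above describes, as an added userland model written for this page (not kernel code and not part of the Debian commit): a refcounted cred, a parent with a replacement_session_keyring parked on it by a child's keyctl_session_to_parent(), a fork that copies the task struct wholesale, and the two consumers of that parked pointer, key_replace_session_keyring() in the parent and exit_creds() in the child. The function names mirror the kernel's but the bodies are simplified stand-ins; run_scenario(), bad_puts and the clear_fix switch are invented here. With clear_fix off the parked cred is put twice, which is the put_cred(already_freed_cred) of the commit message; with it on, only the parent ever drops that reference.

```c
#include <stdio.h>
#include <stdlib.h>

/* Refcounted stand-in for struct cred. Memory is never really released:
 * `dead` records that the last reference went away, so a later put_cred()
 * on it (a use after free in the real kernel) can be counted. */
struct cred {
    int usage;
    int dead;
};

/* The task_struct fields that matter for this bug. */
struct task {
    struct cred *cred;
    struct cred *replacement_session_keyring;
    int notify_resume;                  /* TIF_NOTIFY_RESUME */
};

static int bad_puts;                    /* put_cred() calls on a dead cred */

static struct cred *prepare_creds(void)
{
    struct cred *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->usage = 1;
    return c;
}

static struct cred *get_cred(struct cred *c)
{
    c->usage++;
    return c;
}

static void put_cred(struct cred *c)
{
    if (c->dead) {
        bad_puts++;                     /* would touch freed memory */
        return;
    }
    if (--c->usage == 0)
        c->dead = 1;                    /* stands in for the RCU free */
}

/* keyctl_session_to_parent(): a child parks a new cred on its parent and
 * asks the parent to pick it up on its next return to userspace. */
static void keyctl_session_to_parent(struct task *parent)
{
    parent->replacement_session_keyring = prepare_creds();
    parent->notify_resume = 1;
}

/* dup_task_struct() followed by copy_creds(); clear_fix selects whether the
 * one-line fix from the patch (clear the copied pointer) is present. */
static void copy_process(struct task *child, struct task *parent, int clear_fix)
{
    *child = *parent;                   /* dup_task_struct(): whole-struct copy */
    if (clear_fix)
        child->replacement_session_keyring = NULL;
    child->cred = get_cred(parent->cred);
    child->notify_resume = 0;
}

/* key_replace_session_keyring(): the parent consumes the parked cred. */
static void key_replace_session_keyring(struct task *t)
{
    struct cred *new = t->replacement_session_keyring;
    struct cred *old;

    if (!new)
        return;
    t->replacement_session_keyring = NULL;
    t->notify_resume = 0;
    old = t->cred;
    t->cred = new;                      /* commit_creds(): reference moves into ->cred */
    put_cred(old);
}

/* exit_creds(): drops ->cred and, if still set, the parked replacement. */
static void exit_creds(struct task *t)
{
    put_cred(t->cred);
    t->cred = NULL;
    if (t->replacement_session_keyring) {
        put_cred(t->replacement_session_keyring);
        t->replacement_session_keyring = NULL;
    }
}

/* Plays the race from the commit message; returns how many put_cred()
 * calls hit an already-freed cred (1 without the fix, 0 with it). */
int run_scenario(int clear_fix)
{
    struct task parent = { NULL, NULL, 0 };
    struct task helper, child;
    struct cred *orig, *parked;

    bad_puts = 0;
    parent.cred = orig = prepare_creds();

    /* A child installs a new session keyring on the parent, then exits. */
    copy_process(&helper, &parent, clear_fix);
    keyctl_session_to_parent(&parent);
    parked = parent.replacement_session_keyring;
    exit_creds(&helper);

    /* The parent forks again BEFORE it notices TIF_NOTIFY_RESUME ... */
    copy_process(&child, &parent, clear_fix);
    /* ... and only then picks up the parked cred. */
    key_replace_session_keyring(&parent);

    exit_creds(&child);                 /* unfixed: child also puts `parked` */
    exit_creds(&parent);                /* unfixed: parent puts it a second time */

    free(orig);
    free(parked);
    return bad_puts;
}

int main(void)
{
    printf("without fix: %d put(s) on a freed cred\n", run_scenario(0));
    printf("with fix:    %d put(s) on a freed cred\n", run_scenario(1));
    return 0;
}
```

The ordering inside run_scenario() is the point: the child that made the keyctl call has already exited, the parent then forks, and only afterwards runs the resume-time replacement. Clearing the pointer in copy_creds() is enough because the parent keeps its own copy of the parked pointer, so no reference is lost by discarding the child's.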