[kernel] r19456 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Oct 23 04:24:42 UTC 2012 

Author: dannf
Date: Tue Oct 23 04:24:37 2012
New Revision: 19456

Log:
kmod: make __request_module() killable (CVE-2012-4398)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kmod-introduce-call_modprobe-helper.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kmod-make-__request_module-killable.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/usermodehelper-introduce-umh_complete.patch
   dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Tue Oct 23 01:32:09 2012	(r19455)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Tue Oct 23 04:24:37 2012	(r19456)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.32-46squeeze1) UNRELEASED; urgency=high
+
+  * kmod: make __request_module() killable (CVE-2012-4398)
+
+ -- dann frazier <dannf at debian.org>  Mon, 22 Oct 2012 20:34:13 -0500
+
 linux-2.6 (2.6.32-46) stable; urgency=high
 
   [ Bastian Blank ]

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kmod-introduce-call_modprobe-helper.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kmod-introduce-call_modprobe-helper.patch	Tue Oct 23 04:24:37 2012	(r19456)
@@ -0,0 +1,64 @@
+commit 3e63a93b987685f02421e18b2aa452d20553a88b
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Fri Mar 23 15:02:49 2012 -0700
+
+    kmod: introduce call_modprobe() helper
+    
+    No functional changes.  Move the call_usermodehelper code from
+    __request_module() into the new simple helper, call_modprobe().
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Cc: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+    Cc: Rusty Russell <rusty at rustcorp.com.au>
+    Cc: Tejun Heo <tj at kernel.org>
+    Cc: David Rientjes <rientjes at google.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index 8ed592b..09e10c3 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -50,6 +50,18 @@ static struct workqueue_struct *khelper_wq;
+ */
+ char modprobe_path[KMOD_PATH_LEN] = "/sbin/modprobe";
+ 
++static int call_modprobe(char *module_name, int wait)
++{
++	static char *envp[] = { "HOME=/",
++				"TERM=linux",
++				"PATH=/sbin:/usr/sbin:/bin:/usr/bin",
++				NULL };
++
++	char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
++
++	return call_usermodehelper(modprobe_path, argv, envp, wait);
++}
++
+ /**
+  * __request_module - try to load a kernel module
+  * @wait: wait (or not) for the operation to complete
+@@ -71,11 +83,6 @@ int __request_module(bool wait, const char *fmt, ...)
+ 	char module_name[MODULE_NAME_LEN];
+ 	unsigned int max_modprobes;
+ 	int ret;
+-	char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
+-	static char *envp[] = { "HOME=/",
+-				"TERM=linux",
+-				"PATH=/sbin:/usr/sbin:/bin:/usr/bin",
+-				NULL };
+ 	static atomic_t kmod_concurrent = ATOMIC_INIT(0);
+ #define MAX_KMOD_CONCURRENT 50	/* Completely arbitrary value - KAO */
+ 	static int kmod_loop_msg;
+@@ -118,8 +125,8 @@ int __request_module(bool wait, const char *fmt, ...)
+ 
+ 	trace_module_request(module_name, wait, _RET_IP_);
+ 
+-	ret = call_usermodehelper(modprobe_path, argv, envp,
+-			wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
++	ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
++
+ 	atomic_dec(&kmod_concurrent);
+ 	return ret;
+ }

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kmod-make-__request_module-killable.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kmod-make-__request_module-killable.patch	Tue Oct 23 04:24:37 2012	(r19456)
@@ -0,0 +1,82 @@
+commit 1cc684ab75123efe7ff446eb821d44375ba8fa30
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Fri Mar 23 15:02:50 2012 -0700
+
+    kmod: make __request_module() killable
+    
+    As Tetsuo Handa pointed out, request_module() can stress the system
+    while the oom-killed caller sleeps in TASK_UNINTERRUPTIBLE.
+    
+    The task T uses "almost all" memory, then it does something which
+    triggers request_module().  Say, it can simply call sys_socket().  This
+    in turn needs more memory and leads to OOM.  oom-killer correctly
+    chooses T and kills it, but this can't help because it sleeps in
+    TASK_UNINTERRUPTIBLE and after that oom-killer becomes "disabled" by the
+    TIF_MEMDIE task T.
+    
+    Make __request_module() killable.  The only necessary change is that
+    call_modprobe() should kmalloc argv and module_name, they can't live in
+    the stack if we use UMH_KILLABLE.  This memory is freed via
+    call_usermodehelper_freeinfo()->cleanup.
+    
+    Reported-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Cc: Rusty Russell <rusty at rustcorp.com.au>
+    Cc: Tejun Heo <tj at kernel.org>
+    Cc: David Rientjes <rientjes at google.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index 09e10c3..553ce09 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -50,16 +50,45 @@ static struct workqueue_struct *khelper_wq;
+ */
+ char modprobe_path[KMOD_PATH_LEN] = "/sbin/modprobe";
+ 
++static void free_modprobe_argv(char **argv, char **envp)
++{
++        kfree(argv);
++}
++
+ static int call_modprobe(char *module_name, int wait)
+ {
+ 	static char *envp[] = { "HOME=/",
+ 				"TERM=linux",
+ 				"PATH=/sbin:/usr/sbin:/bin:/usr/bin",
+ 				NULL };
++	struct subprocess_info *info;
++
++	char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL);
++	if (!argv)
++		goto out;
+ 
+-	char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
++	module_name = kstrdup(module_name, GFP_KERNEL);
++	if (!module_name)
++		goto free_argv;
+ 
+-	return call_usermodehelper(modprobe_path, argv, envp, wait);
++	argv[0] = modprobe_path;
++	argv[1] = "-q";
++	argv[2] = "--";
++	argv[3] = module_name;	/* check free_modprobe_argv() */
++	argv[4] = NULL;
++
++	info = call_usermodehelper_setup(argv[0], argv, envp, GFP_ATOMIC);
++	if (!info)
++		goto free_argv;
++
++	call_usermodehelper_setcleanup(info, free_modprobe_argv);
++
++	return call_usermodehelper_exec(info, wait | UMH_KILLABLE);
++
++free_argv:
++	kfree(argv);
++out:
++	return -ENOMEM;
+ }
+ 
+ /**

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch	Tue Oct 23 04:24:37 2012	(r19456)
@@ -0,0 +1,31 @@
+commit 5b9bd473e3b8a8c6c4ae99be475e6e9b27568555
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Fri Mar 23 15:02:49 2012 -0700
+
+    usermodehelper: ____call_usermodehelper() doesn't need do_exit()
+    
+    Minor cleanup.  ____call_usermodehelper() can simply return, no need to
+    call do_exit() explicitely.
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Cc: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+    Cc: Rusty Russell <rusty at rustcorp.com.au>
+    Cc: Tejun Heo <tj at kernel.org>
+    Cc: David Rientjes <rientjes at google.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: adjusted to apply to Debian's 2.6.32]
+
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index 0c775dc..8ed592b 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -190,7 +190,7 @@ static int ____call_usermodehelper(void *data)
+ 
+ 	/* Exec failed? */
+ 	sub_info->retval = retval;
+-	do_exit(0);
++	return 0;
+ }
+ 
+ void call_usermodehelper_freeinfo(struct subprocess_info *info)

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch	Tue Oct 23 04:24:37 2012	(r19456)
@@ -0,0 +1,102 @@
+commit d0bd587a80960d7ba7e0c8396e154028c9045c54
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Fri Mar 23 15:02:47 2012 -0700
+
+    usermodehelper: implement UMH_KILLABLE
+    
+    Implement UMH_KILLABLE, should be used along with UMH_WAIT_EXEC/PROC.
+    The caller must ensure that subprocess_info->path/etc can not go away
+    until call_usermodehelper_freeinfo().
+    
+    call_usermodehelper_exec(UMH_KILLABLE) does
+    wait_for_completion_killable.  If it fails, it uses
+    xchg(&sub_info->complete, NULL) to serialize with umh_complete() which
+    does the same xhcg() to access sub_info->complete.
+    
+    If call_usermodehelper_exec wins, it can safely return.  umh_complete()
+    should get NULL and call call_usermodehelper_freeinfo().
+    
+    Otherwise we know that umh_complete() was already called, in this case
+    call_usermodehelper_exec() falls back to wait_for_completion() which
+    should succeed "very soon".
+    
+    Note: UMH_NO_WAIT == -1 but it obviously should not be used with
+    UMH_KILLABLE.  We delay the neccessary cleanup to simplify the back
+    porting.
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Cc: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+    Cc: Rusty Russell <rusty at rustcorp.com.au>
+    Cc: Tejun Heo <tj at kernel.org>
+    Cc: David Rientjes <rientjes at google.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/include/linux/kmod.h b/include/linux/kmod.h
+index 384ca8b..4b2026f 100644
+--- a/include/linux/kmod.h
++++ b/include/linux/kmod.h
+@@ -64,6 +64,8 @@ enum umh_wait {
+ 	UMH_WAIT_PROC = 1,	/* wait for the process to complete */
+ };
+ 
++#define UMH_KILLABLE	4	/* wait for EXEC/PROC killable */
++
+ /* Actually execute the sub-process */
+ int call_usermodehelper_exec(struct subprocess_info *info, enum umh_wait wait);
+ 
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index c6059c4..0c775dc 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -205,7 +205,15 @@ EXPORT_SYMBOL(call_usermodehelper_freeinfo);
+ 
+ static void umh_complete(struct subprocess_info *sub_info)
+ {
+-	complete(sub_info->complete);
++	struct completion *comp = xchg(&sub_info->complete, NULL);
++	/*
++	 * See call_usermodehelper_exec(). If xchg() returns NULL
++	 * we own sub_info, the UMH_KILLABLE caller has gone away.
++	 */
++	if (comp)
++		complete(comp);
++	else
++		call_usermodehelper_freeinfo(sub_info);
+ }
+ 
+ /* Keventd can't block, but this (a child) can. */
+@@ -261,6 +269,9 @@ static void __call_usermodehelper(struct work_struct *work)
+ 
+ 	BUG_ON(atomic_read(&sub_info->cred->usage) != 1);
+ 
++	if (wait != UMH_NO_WAIT)
++		wait &= ~UMH_KILLABLE;
++
+ 	/* CLONE_VFORK: wait until the usermode helper has execve'd
+ 	 * successfully We need the data structures to stay around
+ 	 * until that is done.  */
+@@ -494,9 +505,21 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info,
+ 	queue_work(khelper_wq, &sub_info->work);
+ 	if (wait == UMH_NO_WAIT)	/* task has freed sub_info */
+ 		goto unlock;
++
++	if (wait & UMH_KILLABLE) {
++		retval = wait_for_completion_killable(&done);
++		if (!retval)
++			goto wait_done;
++
++		/* umh_complete() will see NULL and free sub_info */
++		if (xchg(&sub_info->complete, NULL))
++			goto unlock;
++		/* fallthrough, umh_complete() was already called */
++	}
++
+ 	wait_for_completion(&done);
++wait_done:
+ 	retval = sub_info->retval;
+-
+ out:
+ 	call_usermodehelper_freeinfo(sub_info);
+ unlock:

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/usermodehelper-introduce-umh_complete.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/usermodehelper-introduce-umh_complete.patch	Tue Oct 23 04:24:37 2012	(r19456)
@@ -0,0 +1,52 @@
+commit b3449922502f5a161ee2b5022a33aec8472fbf18
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Fri Mar 23 15:02:47 2012 -0700
+
+    usermodehelper: introduce umh_complete(sub_info)
+    
+    Preparation.  Add the new trivial helper, umh_complete().  Currently it
+    simply does complete(sub_info->complete).
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Cc: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+    Cc: Rusty Russell <rusty at rustcorp.com.au>
+    Cc: Tejun Heo <tj at kernel.org>
+    Cc: David Rientjes <rientjes at google.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index d206078..c6059c4 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -203,6 +203,11 @@ void call_usermodehelper_freeinfo(struct subprocess_info *info)
+ }
+ EXPORT_SYMBOL(call_usermodehelper_freeinfo);
+ 
++static void umh_complete(struct subprocess_info *sub_info)
++{
++	complete(sub_info->complete);
++}
++
+ /* Keventd can't block, but this (a child) can. */
+ static int wait_for_helper(void *data)
+ {
+@@ -242,7 +247,7 @@ static int wait_for_helper(void *data)
+ 	if (sub_info->wait == UMH_NO_WAIT)
+ 		call_usermodehelper_freeinfo(sub_info);
+ 	else
+-		complete(sub_info->complete);
++		umh_complete(sub_info);
+ 	return 0;
+ }
+ 
+@@ -277,7 +282,7 @@ static void __call_usermodehelper(struct work_struct *work)
+ 		/* FALLTHROUGH */
+ 
+ 	case UMH_WAIT_EXEC:
+-		complete(sub_info->complete);
++		umh_complete(sub_info);
+ 	}
+ }
+ 

Added: dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1	Tue Oct 23 04:24:37 2012	(r19456)
@@ -0,0 +1,5 @@
++ bugfix/all/usermodehelper-introduce-umh_complete.patch
++ bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
++ bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
++ bugfix/all/kmod-introduce-call_modprobe-helper.patch
++ bugfix/all/kmod-make-__request_module-killable.patch

More information about the Kernel-svn-changes mailing list