[kernel] r19968 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Tue Apr 2 04:39:19 UTC 2013


Author: benh
Date: Tue Apr  2 04:38:50 2013
New Revision: 19968

Log:
ptrace: Fix ptrace when task is in task_is_stopped() state (regression in 2.6.32-48squeeze1) (Closes: #704437)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/fix-ptrace-when-task-is-in-task_is_stopped-state.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Mon Apr  1 01:24:44 2013	(r19967)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Tue Apr  2 04:38:50 2013	(r19968)
@@ -1,8 +1,13 @@
 linux-2.6 (2.6.32-48squeeze2) UNRELEASED; urgency=high
 
+  [ dann frazier ]
   * USB: io_ti: Fix NULL dereference in chase_port() (CVE-2013-1774)
   * keys: fix race with concurrent install_user_keyrings() (CVE-2013-1792)
 
+  [ Ben Hutchings ]
+  * ptrace: Fix ptrace when task is in task_is_stopped() state
+    (regression in 2.6.32-48squeeze1) (Closes: #704437)
+
  -- dann frazier <dannf at dannf.org>  Mon, 11 Mar 2013 08:47:43 +0100
 
 linux-2.6 (2.6.32-48squeeze1) stable-security; urgency=high
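
Review bot: The new Ben Hutchings entry names the regressing upload (2.6.32-48squeeze1) but not the security fix involved, whereas the patch header added in this same revision refers to the Ubuntu-originated fix for CVE-2013-0871. Consider adding that CVE reference to the entry so the regression can be related to the security fix from the changelog alone, without opening the patch file.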

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/fix-ptrace-when-task-is-in-task_is_stopped-state.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/fix-ptrace-when-task-is-in-task_is_stopped-state.patch	Tue Apr  2 04:38:50 2013	(r19968)
@@ -0,0 +1,68 @@
+From: John Johansen <john.johansen at canonical.com>
+Date: Thu, 21 Mar 2013 05:04:13 -0700
+Subject: UBUNTU: SAUCE: Fix ptrace when task is in task_is_stopped() state
+
+This patch fixes a regression in ptrace, introduced by commit 9e74eb39
+(backport of 9899d11f) which makes assumptions about ptrace behavior
+which are not true in the 2.6.32 kernel.
+
+BugLink: http://bugs.launchpad.net/bugs/1145234
+
+9899d11f makes the assumption that task_is_stopped() is not a valid state
+in ptrace because it is built on top of a series of patches which change
+how the TASK_STOPPED state is tracked (321fb561 which requires d79fdd6d
+and several other patches).
+
+Because Lucid does not have the set of patches that make task_is_stopped()
+an invalid state in ptrace_check_attach, partially revert 9e74eb39 so
+that ptrace_check_attach() correctly handles task_is_stopped(). However
+we must replace the assignment of TASK_TRACED with __TASK_TRACED to
+ensure TASK_WAKEKILL is cleared.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+[bwh: The same applies to squeeze, as we also have 2.6.32.y and the
+ Ubuntu-originated fix for CVE-2013-0871]
+---
+ kernel/ptrace.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index d0036f0..d9c8c47 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -81,14 +81,18 @@ void __ptrace_unlink(struct task_struct *child)
+ }
+ 
+ /* Ensure that nothing can wake it up, even SIGKILL */
+-static bool ptrace_freeze_traced(struct task_struct *task)
++static bool ptrace_freeze_traced(struct task_struct *task, int kill)
+ {
+-	bool ret = false;
++	bool ret = true;
+ 
+ 	spin_lock_irq(&task->sighand->siglock);
+-	if (task_is_traced(task) && !__fatal_signal_pending(task)) {
++	if (task_is_stopped(task) && !__fatal_signal_pending(task))
+ 		task->state = __TASK_TRACED;
+-		ret = true;
++	else if (!kill) {
++		if (task_is_traced(task) && !__fatal_signal_pending(task))
++			task->state = __TASK_TRACED;
++		else
++			ret = false;
+ 	}
+ 	spin_unlock_irq(&task->sighand->siglock);
+ 
+@@ -131,7 +135,7 @@ int ptrace_check_attach(struct task_struct *child, int kill)
+ 		 * child->sighand can't be NULL, release_task()
+ 		 * does ptrace_unlink() before __exit_signal().
+ 		 */
+-		if (kill || ptrace_freeze_traced(child))
++		if (ptrace_freeze_traced(child, kill))
+ 			ret = 0;
+ 	}
+ 	read_unlock(&tasklist_lock);
+-- 
+1.8.1.2
+
+
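
Review bot: In the kernel/ptrace.c hunk, ptrace_freeze_traced() now returns true with kill set whenever the task_is_stopped() branch is not taken, without touching task->state, so the retained comment "Ensure that nothing can wake it up, even SIGKILL" no longer describes every path through the function. Suggest extending that comment to document the kill parameter and to say that with kill set the call succeeds without freezing the task. Two smaller points: the first `if` arm is unbraced while `else if (!kill) {` is braced, which kernel coding style asks to be consistent across the arms, and `!__fatal_signal_pending(task)` is tested in both arms and could be evaluated once under the siglock.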

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Mon Apr  1 01:24:44 2013	(r19967)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Tue Apr  2 04:38:50 2013	(r19968)
@@ -1,2 +1,3 @@
 + bugfix/all/USB-io_ti-Fix-Null-dereference-in-chase-port.patch
 + bugfix/all/keys-fix-race-with-concurrent-install_user_keyrings.patch
++ bugfix/all/fix-ptrace-when-task-is-in-task_is_stopped-state.patch
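
Review bot: The added series entry, fix-ptrace-when-task-is-in-task_is_stopped-state.patch, starts with "fix-" while the two existing entries lead with the subsystem ("USB-io_ti-" and "keys-"). Consider a "ptrace-" prefix so the file sorts and greps alongside other ptrace patches in bugfix/all.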


