author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-26 15:28:25 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-26 15:28:25 -0400 |
commit | ad9b522b29e813b29676de16a24cdcc90720e2d0 (patch) | |
tree | e5526700c7b7623ab0a407218ab1d8a98f7a968b | |
parent | 1302cafb4809a85bd0072fc47f9a3d597c585b64 (diff) | |
download | longterm-queue-2.6.34-ad9b522b29e813b29676de16a24cdcc90720e2d0.tar.gz |
add patches for CVE-2011-1593
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/next_pidmap-fix-overflow-condition.patch | 69 | ||||
-rw-r--r-- | queue/proc-do-proper-range-check-on-readdir-offset.patch | 41 | ||||
-rw-r--r-- | queue/series | 6 |
3 files changed, 116 insertions, 0 deletions
diff --git a/queue/next_pidmap-fix-overflow-condition.patch b/queue/next_pidmap-fix-overflow-condition.patch
new file mode 100644
index 0000000..428a410
--- /dev/null
+++ b/queue/next_pidmap-fix-overflow-condition.patch
@@ -0,0 +1,69 @@
+From 249fe00b6399e3a37dfda794e440987b2ee12576 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 18 Apr 2011 10:35:30 -0700
+Subject: [PATCH] next_pidmap: fix overflow condition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b upstream.
+
+next_pidmap() just quietly accepted whatever 'last' pid that was passed
+in, which is not all that safe when one of the users is /proc.
+
+Admittedly the proc code should do some sanity checking on the range
+(and that will be the next commit), but that doesn't mean that the
+helper functions should just do that pidmap pointer arithmetic without
+checking the range of its arguments.
+
+So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1"
+doesn't really matter, the for-loop does check against the end of the
+pidmap array properly (it's only the actual pointer arithmetic overflow
+case we need to worry about, and going one bit beyond isn't going to
+overflow).
+
+[ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]
+
+Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
+Analyzed-by: Robert Święcki <robert@swiecki.net>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/include/linux/pid.h b/include/linux/pid.h
+index 49f1c2f..ec9f2df 100644
+--- a/include/linux/pid.h
++++ b/include/linux/pid.h
+@@ -117,7 +117,7 @@ extern struct pid *find_vpid(int nr);
+ */
+ extern struct pid *find_get_pid(int nr);
+ extern struct pid *find_ge_pid(int nr, struct pid_namespace *);
+-int next_pidmap(struct pid_namespace *pid_ns, int last);
++int next_pidmap(struct pid_namespace *pid_ns, unsigned int last);
+ 
+ extern struct pid *alloc_pid(struct pid_namespace *ns);
+ extern void free_pid(struct pid *pid);
+diff --git a/kernel/pid.c b/kernel/pid.c
+index aebb30d..af8dbf7 100644
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -183,11 +183,14 @@ static int alloc_pidmap(struct pid_namespace *pid_ns)
+ return -1;
+ }
+ 
+-int next_pidmap(struct pid_namespace *pid_ns, int last)
++int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
+ {
+ int offset;
+ struct pidmap *map, *end;
+ 
++ if (last >= PID_MAX_LIMIT)
++ return -1;
++
+ offset = (last + 1) & BITS_PER_PAGE_MASK;
+ map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];
+ end = &pid_ns->pidmap[PIDMAP_ENTRIES];
+-- 
+1.7.4.4
+
diff --git a/queue/proc-do-proper-range-check-on-readdir-offset.patch b/queue/proc-do-proper-range-check-on-readdir-offset.patch
new file mode 100644
index 0000000..1346062
--- /dev/null
+++ b/queue/proc-do-proper-range-check-on-readdir-offset.patch
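Review bot: The new guard `if (last >= PID_MAX_LIMIT)` in the kernel/pid.c hunk is only meaningful together with the prototype change to `unsigned int last` in the include/linux/pid.h hunk, because it is the unsigned conversion that turns a negative caller value into a large one the comparison rejects; a backport that carries one hunk without the other loses the protection silently. A one-line comment above the guard would make that dependency visible to whoever next touches the signature: `/* 'last' is unsigned on purpose: a negative caller value (e.g. a truncated readdir offset) becomes large and is rejected here before it indexes pidmap[] */`. The rest of next_pidmap(), including the loop the description says bounds the array walk after `last + 1`, lies outside this hunk, so that claim cannot be checked from here, and the `index aebb30d..af8dbf7` line is from mainline rather than the 2.6.34 tree this queue targets, so the hunk offsets presumably need fuzzing on apply.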
@@ -0,0 +1,41 @@
+From 1ee957483ba1e383e7eb511ac500febc8f020968 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 18 Apr 2011 10:36:54 -0700
+Subject: [PATCH] proc: do proper range check on readdir offset
+
+commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream.
+
+Rather than pass in some random truncated offset to the pid-related
+functions, check that the offset is in range up-front.
+
+This is just cleanup, the previous commit fixed the real problem.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 8418fcc..268f00d 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2871,11 +2871,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
+ /* for the /proc/ directory itself, after non-process stuff has been done */
+ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
+ {
+- unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
++ unsigned int nr;
++ struct task_struct *reaper;
+ struct tgid_iter iter;
+ struct pid_namespace *ns;
+ 
++ if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
++ goto out_no_task;
++ nr = filp->f_pos - FIRST_PROCESS_ENTRY;
++
++ reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ if (!reaper)
+ goto out_no_task;
+ 
+-- 
+1.7.4.4
+
diff --git a/queue/series b/queue/series
index 4d07ebe..28302b0 100644
--- a/queue/series
+++ b/queue/series
@@ -3,3 +3,9 @@ xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch
 PCI-hotplug-acpiphp-set-current_state-to-D0-in-regis.patch
 shmem-let-shared-anonymous-be-nonlinear-again.patch
 aio-wake-all-waiters-when-destroying-ctx.patch
+
+# Content taken from v2.6.32.39
+
+# Content taken from v2.6.32.40
+next_pidmap-fix-overflow-condition.patch
+proc-do-proper-range-check-on-readdir-offset.patch
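Review bot: The added check `if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)` bounds the offset from above only; `f_pos` is a loff_t, which is signed, so a negative value would pass the check and be truncated into `unsigned int nr` two lines later exactly as it was before the patch. Whether a negative f_pos can reach this readdir depends on the llseek handling for the /proc root, which is not in the hunk, and the description itself says the real fix is the clamp in next_pidmap() from the previous patch — so the ordering in queue/series (next_pidmap patch applied first) is load-bearing and deserves a comment there rather than only the "Content taken from" marker. The relation between TGID_OFFSET in the bound and FIRST_PROCESS_ENTRY in the subtraction is also not visible here, so that the two agree cannot be verified from this hunk. proc_pid_readdir() continues past the end of the hunk.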