authorPaul Gortmaker <paul.gortmaker@windriver.com>2011-06-26 15:28:25 -0400
committerPaul Gortmaker <paul.gortmaker@windriver.com>2011-06-26 15:28:25 -0400
commitad9b522b29e813b29676de16a24cdcc90720e2d0 (patch)
treee5526700c7b7623ab0a407218ab1d8a98f7a968b
parent1302cafb4809a85bd0072fc47f9a3d597c585b64 (diff)
downloadlongterm-queue-2.6.34-ad9b522b29e813b29676de16a24cdcc90720e2d0.tar.gz
add patches for CVE-2011-1593
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--queue/next_pidmap-fix-overflow-condition.patch69
-rw-r--r--queue/proc-do-proper-range-check-on-readdir-offset.patch41
-rw-r--r--queue/series6
3 files changed, 116 insertions, 0 deletions
diff --git a/queue/next_pidmap-fix-overflow-condition.patch b/queue/next_pidmap-fix-overflow-condition.patch
new file mode 100644
index 0000000..428a410
--- /dev/null
+++ b/queue/next_pidmap-fix-overflow-condition.patch
@@ -0,0 +1,69 @@
+From 249fe00b6399e3a37dfda794e440987b2ee12576 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 18 Apr 2011 10:35:30 -0700
+Subject: [PATCH] next_pidmap: fix overflow condition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b upstream.
+
+next_pidmap() just quietly accepted whatever 'last' pid that was passed
+in, which is not all that safe when one of the users is /proc.
+
+Admittedly the proc code should do some sanity checking on the range
+(and that will be the next commit), but that doesn't mean that the
+helper functions should just do that pidmap pointer arithmetic without
+checking the range of its arguments.
+
+So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1"
+doesn't really matter, the for-loop does check against the end of the
+pidmap array properly (it's only the actual pointer arithmetic overflow
+case we need to worry about, and going one bit beyond isn't going to
+overflow).
+
+[ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]
+
+Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
+Analyzed-by: Robert Święcki <robert@swiecki.net>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/include/linux/pid.h b/include/linux/pid.h
+index 49f1c2f..ec9f2df 100644
+--- a/include/linux/pid.h
++++ b/include/linux/pid.h
+@@ -117,7 +117,7 @@ extern struct pid *find_vpid(int nr);
+ */
+ extern struct pid *find_get_pid(int nr);
+ extern struct pid *find_ge_pid(int nr, struct pid_namespace *);
+-int next_pidmap(struct pid_namespace *pid_ns, int last);
++int next_pidmap(struct pid_namespace *pid_ns, unsigned int last);
+
+ extern struct pid *alloc_pid(struct pid_namespace *ns);
+ extern void free_pid(struct pid *pid);
+diff --git a/kernel/pid.c b/kernel/pid.c
+index aebb30d..af8dbf7 100644
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -183,11 +183,14 @@ static int alloc_pidmap(struct pid_namespace *pid_ns)
+ return -1;
+ }
+
+-int next_pidmap(struct pid_namespace *pid_ns, int last)
++int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
+ {
+ int offset;
+ struct pidmap *map, *end;
+
++ if (last >= PID_MAX_LIMIT)
++ return -1;
++
+ offset = (last + 1) & BITS_PER_PAGE_MASK;
+ map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];
+ end = &pid_ns->pidmap[PIDMAP_ENTRIES];
+--
+1.7.4.4
+
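Review bot: The new guard `if (last >= PID_MAX_LIMIT) return -1;` depends on two things the code itself does not say: `last` became `unsigned int` in the same change (so a caller's negative `int`, e.g. a -1 sentinel, wraps to a large value and is rejected by the same test), and it is the compile-time PID_MAX_LIMIT rather than the runtime `pid_max` that bounds `pid_ns->pidmap[]`. Both are explained only in the commit message, which will not travel with the code, so a comment above the check would help: `/* 'last' is unsigned, so a negative caller value wraps and is rejected here too; PID_MAX_LIMIT (not pid_max) is what bounds pidmap[]. */`. It is also worth noting there that `last + 1 == PID_MAX_LIMIT` indexes `pidmap[PID_MAX_LIMIT/BITS_PER_PAGE]`, which — if PIDMAP_ENTRIES is defined as that quotient — equals `end`, so the `map < end` loop below never dereferences it; without that note the `+ 1` reads like an off-by-one. next_pidmap's body continues past this hunk, so the loop itself is not visible here.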
diff --git a/queue/proc-do-proper-range-check-on-readdir-offset.patch b/queue/proc-do-proper-range-check-on-readdir-offset.patch
new file mode 100644
index 0000000..1346062
--- /dev/null
+++ b/queue/proc-do-proper-range-check-on-readdir-offset.patch
@@ -0,0 +1,41 @@
+From 1ee957483ba1e383e7eb511ac500febc8f020968 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 18 Apr 2011 10:36:54 -0700
+Subject: [PATCH] proc: do proper range check on readdir offset
+
+commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream.
+
+Rather than pass in some random truncated offset to the pid-related
+functions, check that the offset is in range up-front.
+
+This is just cleanup, the previous commit fixed the real problem.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 8418fcc..268f00d 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2871,11 +2871,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
+ /* for the /proc/ directory itself, after non-process stuff has been done */
+ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
+ {
+- unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
++ unsigned int nr;
++ struct task_struct *reaper;
+ struct tgid_iter iter;
+ struct pid_namespace *ns;
+
++ if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
++ goto out_no_task;
++ nr = filp->f_pos - FIRST_PROCESS_ENTRY;
++
++ reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ if (!reaper)
+ goto out_no_task;
+
+--
+1.7.4.4
+
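Review bot: The new `filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET` check bounds only the upper side: for `f_pos < FIRST_PROCESS_ENTRY` the subtraction `nr = filp->f_pos - FIRST_PROCESS_ENTRY` still wraps to a huge `unsigned int`, and whether that can happen rests on the caller (presumably the /proc root readdir only enters here after its own fixed entries) rather than on anything in this function. If that is the contract, record it at the check: `/* Caller guarantees f_pos >= FIRST_PROCESS_ENTRY; above PID_MAX_LIMIT + TGID_OFFSET nr would exceed what next_pidmap() accepts, so stop before truncating it. */`; otherwise widen the test to `if (filp->f_pos < FIRST_PROCESS_ENTRY || filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)`. Taking the `out_no_task` exit before `get_proc_task()` is called is the right order, since no task reference exists yet to drop. proc_pid_readdir continues past this hunk, so the `out_no_task` label and its return value are not visible here.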
diff --git a/queue/series b/queue/series
index 4d07ebe..28302b0 100644
--- a/queue/series
+++ b/queue/series
@@ -3,3 +3,9 @@ xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch
PCI-hotplug-acpiphp-set-current_state-to-D0-in-regis.patch
shmem-let-shared-anonymous-be-nonlinear-again.patch
aio-wake-all-waiters-when-destroying-ctx.patch
+
+# Content taken from v2.6.32.39
+
+# Content taken from v2.6.32.40
+next_pidmap-fix-overflow-condition.patch
+proc-do-proper-range-check-on-readdir-offset.patch
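Review bot: The added `# Content taken from v2.6.32.39` header has no entries beneath it, so a reader of the series cannot tell whether that release was reviewed and contributed nothing to this queue or whether its entries were dropped by mistake. If it is the former, say so on the line, e.g. `# Content taken from v2.6.32.39 (nothing applicable)`, or drop the header so only the v2.6.32.40 section that actually lists patches remains.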