[kernel/f15] CVE-2011-2905 perf tools may parse user-controlled config file. (rhbz 729809)
Dave Jones
davej at fedoraproject.org
Mon Aug 15 16:43:32 UTC 2011
commit 6c34be7b202ba315ae57a0753b4084e67f684f16
Author: Dave Jones <davej at redhat.com>
Date: Mon Aug 15 12:43:15 2011 -0400
CVE-2011-2905 perf tools may parse user-controlled config file. (rhbz 729809)
CVE-2011-2905.patch | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 116 insertions(+), 0 deletions(-)
---
diff --git a/CVE-2011-2905.patch b/CVE-2011-2905.patch
new file mode 100644
index 0000000..0c7c288
--- /dev/null
+++ b/CVE-2011-2905.patch
@@ -0,0 +1,116 @@
+commit aba8d056078e47350d85b06a9cabd5afcc4b72ea
+Author: Jonathan Nieder <jrnieder at gmail.com>
+Date: Fri Aug 5 18:58:38 2011 +0200
+
+ perf tools: do not look at ./config for configuration
+
+ In addition to /etc/perfconfig and $HOME/.perfconfig, perf looks for
+ configuration in the file ./config, imitating git which looks at
+ $GIT_DIR/config. If ./config is not a perf configuration file, it
+ fails, or worse, treats it as a configuration file and changes behavior
+ in some unexpected way.
+
+ "config" is not an unusual name for a file to be lying around and perf
+ does not have a private directory dedicated for its own use, so let's
+ just stop looking for configuration in the cwd. Callers needing
+ context-sensitive configuration can use the PERF_CONFIG environment
+ variable.
+
+ Requested-by: Christian Ohm <chr.ohm at gmx.net>
+ Cc: 632923 at bugs.debian.org
+ Cc: Ben Hutchings <ben at decadent.org.uk>
+ Cc: Christian Ohm <chr.ohm at gmx.net>
+ Cc: Ingo Molnar <mingo at elte.hu>
+ Cc: Paul Mackerras <paulus at samba.org>
+ Cc: Peter Zijlstra <a.p.zijlstra at chello.nl>
+ Link: http://lkml.kernel.org/r/20110805165838.GA7237@elie.gateway.2wire.net
+ Signed-off-by: Jonathan Nieder <jrnieder at gmail.com>
+ Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
+
+diff --git a/tools/perf/util/config.c b/tools/perf/util/config.c
+index e02d78c..6c86eca 100644
+--- a/tools/perf/util/config.c
++++ b/tools/perf/util/config.c
+@@ -399,7 +399,6 @@ static int perf_config_global(void)
+ int perf_config(config_fn_t fn, void *data)
+ {
+ int ret = 0, found = 0;
+- char *repo_config = NULL;
+ const char *home = NULL;
+
+ /* Setting $PERF_CONFIG makes perf read _only_ the given config file. */
+@@ -421,12 +420,6 @@ int perf_config(config_fn_t fn, void *data)
+ free(user_config);
+ }
+
+- repo_config = perf_pathdup("config");
+- if (!access(repo_config, R_OK)) {
+- ret += perf_config_from_file(fn, repo_config, data);
+- found += 1;
+- }
+- free(repo_config);
+ if (found == 0)
+ return -1;
+ return ret;
+commit 069e3725dd9be3b759a98e8c80ac5fc38b392b23
+Author: Arnaldo Carvalho de Melo <acme at redhat.com>
+Date: Tue Aug 9 12:42:13 2011 -0300
+
+ perf tools: Check $HOME/.perfconfig ownership
+
+ Just like we do already for perf.data files.
+
+ Requested-by: Ingo Molnar <mingo at elte.hu>
+ Cc: Ben Hutchings <ben at decadent.org.uk>
+ Cc: Christian Ohm <chr.ohm at gmx.net>
+ Cc: David Ahern <dsahern at gmail.com>
+ Cc: Frederic Weisbecker <fweisbec at gmail.com>
+ Cc: Jonathan Nieder <jrnieder at gmail.com>
+ Cc: Mike Galbraith <efault at gmx.de>
+ Cc: Paul Mackerras <paulus at samba.org>
+ Cc: Peter Zijlstra <peterz at infradead.org>
+ Cc: Stephane Eranian <eranian at google.com>
+ Link: http://lkml.kernel.org/n/tip-qgokmxsmvppwpc5404qhyk7e@git.kernel.org
+ Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
+
+diff --git a/tools/perf/util/config.c b/tools/perf/util/config.c
+index 6c86eca..fe02903 100644
+--- a/tools/perf/util/config.c
++++ b/tools/perf/util/config.c
+@@ -413,13 +413,32 @@ int perf_config(config_fn_t fn, void *data)
+ home = getenv("HOME");
+ if (perf_config_global() && home) {
+ char *user_config = strdup(mkpath("%s/.perfconfig", home));
+- if (!access(user_config, R_OK)) {
+- ret += perf_config_from_file(fn, user_config, data);
+- found += 1;
++ struct stat st;
++
++ if (user_config == NULL) {
++ warning("Not enough memory to process %s/.perfconfig, "
++ "ignoring it.", home);
++ goto out;
++ }
++
++ if (stat(user_config, &st) < 0)
++ goto out_free;
++
++ if (st.st_uid && (st.st_uid != geteuid())) {
++ warning("File %s not owned by current user or root, "
++ "ignoring it.", user_config);
++ goto out_free;
+ }
++
++ if (!st.st_size)
++ goto out_free;
++
++ ret += perf_config_from_file(fn, user_config, data);
++ found += 1;
++out_free:
+ free(user_config);
+ }
+-
++out:
+ if (found == 0)
+ return -1;
+ return ret;
More information about the scm-commits
mailing list