rpms/kernel/F-11 mm_for_maps-shift-down_read-to-the-caller.patch, NONE, 1.1.2.1 mm_for_maps-simplify-use-ptrace_may_access.patch, NONE, 1.1.2.1 mm_for_maps-take-cred_guard_mutex-to-fix-the-race-with-exec.patch, NONE, 1.1.2.1 kernel.spec, 1.1679.2.15, 1.1679.2.16
Chuck Ebbert
cebbert at fedoraproject.org
Mon Aug 24 20:39:12 UTC 2009
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28629
Modified Files:
Tag: private-fedora-11-2_6_29_6
kernel.spec
Added Files:
Tag: private-fedora-11-2_6_29_6
mm_for_maps-shift-down_read-to-the-caller.patch
mm_for_maps-simplify-use-ptrace_may_access.patch
mm_for_maps-take-cred_guard_mutex-to-fix-the-race-with-exec.patch
Log Message:
Fix CVE-2009-2691: local information disclosure in /proc
mm_for_maps-shift-down_read-to-the-caller.patch:
base.c | 8 +++-----
task_mmu.c | 1 +
task_nommu.c | 1 +
3 files changed, 5 insertions(+), 5 deletions(-)
--- NEW FILE mm_for_maps-shift-down_read-to-the-caller.patch ---
>From 00f89d218523b9bf6b522349c039d5ac80aa536d Mon Sep 17 00:00:00 2001
From: Oleg Nesterov <oleg at redhat.com>
Date: Fri, 10 Jul 2009 03:27:38 +0200
Subject: mm_for_maps: shift down_read(mmap_sem) to the caller
From: Oleg Nesterov <oleg at redhat.com>
commit 00f89d218523b9bf6b522349c039d5ac80aa536d upstream.
mm_for_maps() takes ->mmap_sem after security checks; this looks
strange and obfuscates the locking rules. Move this lock to its
single caller, m_start().
Signed-off-by: Oleg Nesterov <oleg at redhat.com>
Acked-by: Serge Hallyn <serue at us.ibm.com>
Signed-off-by: James Morris <jmorris at namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
fs/proc/base.c | 8 +++-----
fs/proc/task_mmu.c | 1 +
fs/proc/task_nommu.c | 1 +
3 files changed, 5 insertions(+), 5 deletions(-)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -235,9 +235,8 @@ static int check_mem_permission(struct t
struct mm_struct *mm_for_maps(struct task_struct *task)
{
struct mm_struct *mm = get_task_mm(task);
- if (!mm)
- return NULL;
- if (mm != current->mm) {
+
+ if (mm && mm != current->mm) {
/*
* task->mm can be changed before security check,
* in that case we must notice the change after.
@@ -245,10 +244,9 @@ struct mm_struct *mm_for_maps(struct tas
if (!ptrace_may_access(task, PTRACE_MODE_READ) ||
mm != task->mm) {
mmput(mm);
- return NULL;
+ mm = NULL;
}
}
- down_read(&mm->mmap_sem);
return mm;
}
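Review bot: removing `down_read(&mm->mmap_sem);` from this function changes its contract: mm_for_maps() now returns a referenced but unlocked mm, and every caller has to take mmap_sem itself. The patch updates the two m_start() callers in task_mmu.c and task_nommu.c, while the commit message speaks of a "single caller"; confirm there is no other user of mm_for_maps() in this tree, and add a one-line comment above the function saying the caller owns mmap_sem, since the failure branch still does mmput() and nothing in the name hints at the locking rule.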
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -119,6 +119,7 @@ static void *m_start(struct seq_file *m,
mm = mm_for_maps(priv->task);
if (!mm)
return NULL;
+ down_read(&mm->mmap_sem);
tail_vma = get_gate_vma(priv->task);
priv->tail_vma = tail_vma;
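Review bot: the new `down_read(&mm->mmap_sem);` sits after the `if (!mm) return NULL;` test, so the lock is never taken on a NULL mm, which is the ordering the old code in mm_for_maps() also had. The matching up_read() is outside this hunk; verify that m_stop() in this file still releases mmap_sem on every path, otherwise the patch moves the lock without moving its unlock.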
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -189,6 +189,7 @@ static void *m_start(struct seq_file *m,
priv->task = NULL;
return NULL;
}
+ down_read(&mm->mmap_sem);
/* start from the Nth VMA */
for (p = rb_first(&mm->mm_rb); p; p = rb_next(p))
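Review bot: placement is right here too: `down_read(&mm->mmap_sem);` lands after the error path that clears priv->task and returns NULL, and before the walk of mm->mm_rb via rb_first()/rb_next(), which is the access that needs the read side of mmap_sem. Since both the mmu and nommu variants of m_start() now take the lock, the comment about the caller owning mmap_sem belongs in both files.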
mm_for_maps-simplify-use-ptrace_may_access.patch:
base.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
--- NEW FILE mm_for_maps-simplify-use-ptrace_may_access.patch ---
>From 13f0feafa6b8aead57a2a328e2fca6a5828bf286 Mon Sep 17 00:00:00 2001
From: Oleg Nesterov <oleg at redhat.com>
Date: Tue, 23 Jun 2009 21:25:32 +0200
Subject: mm_for_maps: simplify, use ptrace_may_access()
From: Oleg Nesterov <oleg at redhat.com>
commit 13f0feafa6b8aead57a2a328e2fca6a5828bf286 upstream.
It would be nice to kill __ptrace_may_access(). It requires task_lock(),
but this lock is only needed to read mm->flags in the middle.
Convert mm_for_maps() to use ptrace_may_access(); this also simplifies
the code a little bit.
Also, we do not need to take ->mmap_sem in advance. In fact I think
mm_for_maps() should not play with ->mmap_sem at all, the caller should
take this lock.
With or without this patch, without ->cred_guard_mutex held we can race
with exec() and get the new ->mm but check old creds.
Signed-off-by: Oleg Nesterov <oleg at redhat.com>
Reviewed-by: Serge Hallyn <serue at us.ibm.com>
Signed-off-by: James Morris <jmorris at namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
fs/proc/base.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -237,20 +237,19 @@ struct mm_struct *mm_for_maps(struct tas
struct mm_struct *mm = get_task_mm(task);
if (!mm)
return NULL;
+ if (mm != current->mm) {
+ /*
+ * task->mm can be changed before security check,
+ * in that case we must notice the change after.
+ */
+ if (!ptrace_may_access(task, PTRACE_MODE_READ) ||
+ mm != task->mm) {
+ mmput(mm);
+ return NULL;
+ }
+ }
down_read(&mm->mmap_sem);
- task_lock(task);
- if (task->mm != mm)
- goto out;
- if (task->mm != current->mm &&
- __ptrace_may_access(task, PTRACE_MODE_READ) < 0)
- goto out;
- task_unlock(task);
return mm;
-out:
- task_unlock(task);
- up_read(&mm->mmap_sem);
- mmput(mm);
- return NULL;
}
static int proc_pid_cmdline(struct task_struct *task, char * buffer)
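Review bot: the re-check `mm != task->mm` after ptrace_may_access() is what keeps the new code at least as safe as the task_lock() version it replaces, because ptrace_may_access() runs without task_lock() and the task can exec() in between; the comment in the hunk says as much. It narrows the window but does not close it: task->mm can be swapped and the credentials changed between get_task_mm() and the check, which the commit message admits, so this patch should not ship without the follow-up that takes ->cred_guard_mutex. The reordering of `down_read(&mm->mmap_sem);` to after the permission check is consistent: the removed `out:` path's up_read()/mmput() pair collapses to a single mmput() in the failure branch, and the function still returns NULL in that case exactly as before.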
mm_for_maps-take-cred_guard_mutex-to-fix-the-race-with-exec.patch:
base.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
--- NEW FILE mm_for_maps-take-cred_guard_mutex-to-fix-the-race-with-exec.patch ---
>From 704b836cbf19e885f8366bccb2e4b0474346c02d Mon Sep 17 00:00:00 2001
From: Oleg Nesterov <oleg at redhat.com>
Date: Fri, 10 Jul 2009 03:27:40 +0200
Subject: mm_for_maps: take ->cred_guard_mutex to fix the race with exec
From: Oleg Nesterov <oleg at redhat.com>
commit 704b836cbf19e885f8366bccb2e4b0474346c02d upstream.
The problem is minor, but without ->cred_guard_mutex held we can race
with exec() and get the new ->mm but check old creds.
Now we do not need to re-check task->mm after ptrace_may_access(), it
can't be changed to the new mm under us.
Strictly speaking, this also fixes another very minor problem. Unless
the security check fails or the task exits, mm_for_maps() should never
return NULL; the caller should get either the old or the new ->mm.
Signed-off-by: Oleg Nesterov <oleg at redhat.com>
Acked-by: Serge Hallyn <serue at us.ibm.com>
Signed-off-by: James Morris <jmorris at namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
fs/proc/base.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -234,19 +234,19 @@ static int check_mem_permission(struct t
struct mm_struct *mm_for_maps(struct task_struct *task)
{
- struct mm_struct *mm = get_task_mm(task);
+ struct mm_struct *mm;
- if (mm && mm != current->mm) {
- /*
- * task->mm can be changed before security check,
- * in that case we must notice the change after.
- */
- if (!ptrace_may_access(task, PTRACE_MODE_READ) ||
- mm != task->mm) {
- mmput(mm);
- mm = NULL;
- }
+ if (mutex_lock_killable(&task->cred_exec_mutex))
+ return NULL;
+
+ mm = get_task_mm(task);
+ if (mm && mm != current->mm &&
+ !ptrace_may_access(task, PTRACE_MODE_READ)) {
+ mmput(mm);
+ mm = NULL;
}
+ mutex_unlock(&task->cred_exec_mutex);
+
return mm;
}
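Review bot: the subject and message refer to ->cred_guard_mutex, but the code takes `task->cred_exec_mutex`; presumably that is the name of the same lock in the 2.6.29 tree this backport targets, and a line in the patch header saying so would save the next reader from suspecting a mismatch. With the mutex held, dropping the `mm != task->mm` re-check from the previous version is correct, because exec() replaces the mm under that same lock. Two points on the new control flow: a failed `mutex_lock_killable()` returns NULL, which callers cannot tell apart from a permission denial or an exited task, and `mutex_unlock(&task->cred_exec_mutex);` precedes `return mm;` on both the success path and the mmput() path, so the lock is balanced.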
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1679.2.15
retrieving revision 1.1679.2.16
diff -u -p -r1.1679.2.15 -r1.1679.2.16
--- kernel.spec 21 Aug 2009 09:50:36 -0000 1.1679.2.15
+++ kernel.spec 24 Aug 2009 20:39:12 -0000 1.1679.2.16
@@ -832,7 +832,13 @@ Patch12030: md-avoid-dereferencing-NULL-
# CVE-2009-2847
Patch12040: do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
+# CVE-2009-2691
+Patch12050: mm_for_maps-simplify-use-ptrace_may_access.patch
+Patch12060: mm_for_maps-shift-down_read-to-the-caller.patch
+Patch12070: mm_for_maps-take-cred_guard_mutex-to-fix-the-race-with-exec.patch
+
# make gcc stop optimizing away null pointer tests
+# (fixes similar bugs to CVE-2009-1897)
Patch13000: add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
%endif
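Review bot: the Patch12050/12060/12070 numbering orders the three patches as simplify, shift down_read, take cred_guard_mutex, which matches the upstream order and is required: the third patch's removed context lines (`if (mm && mm != current->mm) {`, `mm = NULL;`) only exist once the first two have been applied. The other addition in this hunk, the comment `# (fixes similar bugs to CVE-2009-1897)` under the unrelated -fno-delete-null-pointer-checks patch, is not mentioned in the log message; it would be cleaner in its own commit or at least called out in the changelog entry.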
@@ -1564,6 +1570,11 @@ ApplyPatch md-avoid-dereferencing-NULL-p
# CVE-2009-2847
ApplyPatch do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
+# CVE-2009-2691
+ApplyPatch mm_for_maps-simplify-use-ptrace_may_access.patch
+ApplyPatch mm_for_maps-shift-down_read-to-the-caller.patch
+ApplyPatch mm_for_maps-take-cred_guard_mutex-to-fix-the-race-with-exec.patch
+
# don't optimize out null pointer tests
ApplyPatch add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
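Review bot: the ApplyPatch sequence matches the Patch12050..12070 declaration order, which is the order the patches need since each later one's context depends on the earlier one; nothing else to flag in this hunk.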
@@ -2167,6 +2178,9 @@ fi
# and build.
%changelog
+* Mon Sep 24 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.29.6-217.2.16
+- Fix CVE-2009-2691: local information disclosure in /proc
+
* Fri Aug 21 2009 David Woodhouse <David.Woodhouse at intel.com>
- Fix b43 on iMac G5 (#514787)
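Review bot: the changelog date `Mon Sep 24 2009` is wrong: this commit was made on Mon Aug 24 2009 (see the mail header and the `+++ kernel.spec 24 Aug 2009` line), and 24 Sep 2009 is a Thursday, so rpmbuild will warn about a bogus date in %changelog. Change the entry to `* Mon Aug 24 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.29.6-217.2.16`.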