rpms/kernel/F-11 fix-flush_old_exec-setup_new_exec-split.patch, NONE, 1.1.2.1 fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch, 1.1.2.1, 1.1.2.2 kernel.spec, 1.1784.2.11, 1.1784.2.12

Chuck Ebbert cebbert at fedoraproject.org
Tue Feb 2 23:23:27 UTC 2010


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv17343

Modified Files:
      Tag: private-fedora-11-2_6_30
	fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch 
	kernel.spec 
Added Files:
      Tag: private-fedora-11-2_6_30
	fix-flush_old_exec-setup_new_exec-split.patch 
Log Message:
Fix the CVE-2010-0307 fix.

fix-flush_old_exec-setup_new_exec-split.patch:
 exec.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- NEW FILE fix-flush_old_exec-setup_new_exec-split.patch ---
From: Linus Torvalds <torvalds at linux-foundation.org>
Date: Tue, 2 Feb 2010 20:37:44 +0000 (-0800)
Subject: Fix 'flush_old_exec()/setup_new_exec()' split
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=7ab02af428c2d312c0cf8fb0b01cc1eb21131a3d

Fix 'flush_old_exec()/setup_new_exec()' split

[ backport to 2.6.30 ]

Commit 221af7f87b9 ("Split 'flush_old_exec' into two functions") split
the function at the point of no return - ie right where there were no
more error cases to check.  That made sense from a technical standpoint,
but when we then also combined it with the actual personality setting
going in between flush_old_exec() and setup_new_exec(), it needs to be a
bit more careful.

In particular, we need to make sure that we really flush the old
personality bits in the 'flush' stage, rather than later in the 'setup'
stage, since otherwise we might be flushing the _new_ personality state
that we're just setting up.

So this moves the flags and personality flushing (and 'flush_thread()',
which is the arch-specific function that generally resets lazy FP state
etc) of the old process into flush_old_exec(), so that it doesn't affect
any state that execve() is setting up for the new process environment.

This was reported by Michal Simek as breaking his Microblaze qemu
environment.

Reported-and-tested-by: Michal Simek <michal.simek at petalogix.com>
Cc: Peter Anvin <hpa at zytor.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---

diff --git a/fs/exec.c b/fs/exec.c
index 675c3f4..0790a10 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -961,6 +961,11 @@ int flush_old_exec(struct linux_binprm * bprm)
 		goto out;
 
 	bprm->mm = NULL;		/* We're using it now */
+
+	current->flags &= ~PF_RANDOMIZE;
+	flush_thread();
+	current->personality &= ~bprm->per_clear;
+
 	return 0;
 
 out:
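Review bot: the three lines added after `bprm->mm = NULL;` carry no comment saying why they must live here rather than in setup_new_exec(); add one line stating that the old image's PF_RANDOMIZE, thread state and `per_clear` personality bits are dropped before the binfmt loader sets the new personality, because that ordering is the entire fix and nothing in the code now records it, so a later cleanup could move the clear back without noticing. Placement is otherwise right: the `goto out` above is the last failure exit, so nothing added here needs undoing on error.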
@@ -997,9 +1002,6 @@ void setup_new_exec(struct linux_binprm * bprm)
 	tcomm[i] = '\0';
 	set_task_comm(current, tcomm);
 
-	current->flags &= ~PF_RANDOMIZE;
-	flush_thread();
-
 	/* Set the new mm task size. We have to do that late because it may
 	 * depend on TIF_32BIT which is only updated in flush_thread() on
 	 * some architectures like powerpc
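Review bot: the comment kept below the removal, "We have to do that late because it may depend on TIF_32BIT which is only updated in flush_thread()", now refers to a call that is no longer in this function; reword it to say that flush_thread() has already run in flush_old_exec(), so the ordering constraint it documents still holds and a reader can find where the update happens.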
@@ -1015,8 +1017,6 @@ void setup_new_exec(struct linux_binprm * bprm)
 		set_dumpable(current->mm, suid_dumpable);
 	}
 
-	current->personality &= ~bprm->per_clear;
-
 	/* An exec changes our domain. We are no longer part of the thread
 	   group */
 
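Review bot: with `current->personality &= ~bprm->per_clear;` removed here, per_clear is consumed earlier, in flush_old_exec(); for the 2.6.30 backport confirm that bprm->per_clear is fully populated before flush_old_exec() is called on every loader path, since a bit set between the two calls would no longer be cleared. The set_dumpable() block that stays just above is unaffected by the move.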

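The ordering problem the commit message describes, as an added model that is not kernel code and not part of the patch above: a small C harness runs the flush / loader / setup sequence in the pre-fix and post-fix order and returns the personality the new image ends up with. The bit names follow personality(2), but their values, the PER_CLEAR_ON_SETID mask and the loader step being a plain OR of new bits are illustrative assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the execve() path the commit message describes:
 * flush_old_exec() -> binfmt loader sets the new personality -> setup_new_exec().
 * Added illustration, not kernel code; bit values are illustrative only. */
#define READ_IMPLIES_EXEC  0x0400000u
#define ADDR_NO_RANDOMIZE  0x0040000u
#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)

struct task   { unsigned int personality; };
struct binprm { unsigned int per_clear; };  /* bits to drop from the OLD image */

/* Before the fix: flush_old_exec() left personality alone and the clear ran in
 * setup_new_exec(), i.e. after the loader had already chosen the new bits. */
static void flush_old_exec_before(struct task *t, const struct binprm *b) { (void)t; (void)b; }
static void setup_new_exec_before(struct task *t, const struct binprm *b) { t->personality &= ~b->per_clear; } /* too late */

/* After the fix (this patch): the clear moves into flush_old_exec(). */
static void flush_old_exec_after(struct task *t, const struct binprm *b) { t->personality &= ~b->per_clear; }
static void setup_new_exec_after(struct task *t, const struct binprm *b) { (void)t; (void)b; }

/* One exec: `inherited` is the caller's personality, `per_clear` what the binprm
 * asks to drop (e.g. PER_CLEAR_ON_SETID for a setid target), `new_bits` what the
 * loader turns on in between (e.g. READ_IMPLIES_EXEC for an exec-stack binary).
 * Returns the personality the new image ends up with. */
unsigned int run_exec(bool fixed, unsigned int inherited, unsigned int per_clear,
                      unsigned int new_bits)
{
    struct task t = { inherited };
    struct binprm b = { per_clear };

    if (fixed) flush_old_exec_after(&t, &b); else flush_old_exec_before(&t, &b);
    t.personality |= new_bits;             /* the loader's step between the two */
    if (fixed) setup_new_exec_after(&t, &b); else setup_new_exec_before(&t, &b);
    return t.personality;
}

int main(void)
{
    printf("before: %#x after: %#x\n",
           run_exec(false, ADDR_NO_RANDOMIZE, PER_CLEAR_ON_SETID, READ_IMPLIES_EXEC),
           run_exec(true,  ADDR_NO_RANDOMIZE, PER_CLEAR_ON_SETID, READ_IMPLIES_EXEC));
    return 0;
}
```

With the old order the loader's READ_IMPLIES_EXEC is wiped along with the inherited bits (result 0); with the fixed order only the inherited ADDR_NO_RANDOMIZE goes and the loader's choice survives.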
fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch:
 arch/blackfin/include/asm/page.h |    5 +++++
 arch/frv/include/asm/page.h      |    2 --
 fs/binfmt_elf_fdpic.c            |   13 +++++++++++--
 3 files changed, 16 insertions(+), 4 deletions(-)

Index: fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/Attic/fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch,v
retrieving revision 1.1.2.1
retrieving revision 1.1.2.2
diff -u -p -r1.1.2.1 -r1.1.2.2
--- fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch	2 Feb 2010 22:35:55 -0000	1.1.2.1
+++ fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch	2 Feb 2010 23:23:26 -0000	1.1.2.2
@@ -7,6 +7,8 @@ From: Mike Frysinger <vapier at gentoo.org>
 
 commit 04e4f2b18c8de1389d1e00fef0f42a8099910daf upstream.
 
+[ backport to 2.6.30 ]
+
 The current code will load the stack size and protection markings, but
 then only use the markings in the MMU code path.  The NOMMU code path
 always passes PROT_EXEC to the mmap() call.  While this doesn't matter


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1784.2.11
retrieving revision 1.1784.2.12
diff -u -p -r1.1784.2.11 -r1.1784.2.12
--- kernel.spec	2 Feb 2010 22:35:56 -0000	1.1784.2.11
+++ kernel.spec	2 Feb 2010 23:23:26 -0000	1.1784.2.12
@@ -878,6 +878,7 @@ Patch16516: fnctl-f_modown-should-call-w
 # cve-2010-0307
 Patch16530: split-flush_old_exec-into-two-functions.patch
 Patch16531: fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch
+Patch16532: fix-flush_old_exec-setup_new_exec-split.patch
 
 %endif
 
@@ -1652,6 +1653,7 @@ ApplyPatch fnctl-f_modown-should-call-wr
 # cve-2010-0307
 ApplyPatch fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch
 ApplyPatch split-flush_old_exec-into-two-functions.patch
+ApplyPatch fix-flush_old_exec-setup_new_exec-split.patch
 
 # END OF PATCH APPLICATIONS
 
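Review bot: the new ApplyPatch line is correctly last, since fix-flush_old_exec-setup_new_exec-split.patch edits lines that split-flush_old_exec-into-two-functions.patch introduces; the apply order here (fdpic, split, fix) does not match the Patch16530/16531/16532 numbering in the first hunk, which is harmless but worth aligning so the two lists read the same.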
@@ -2241,6 +2243,9 @@ fi
 # and build.
 
 %changelog
+* Tue Feb 02 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.30.10-105.2.12
+- Fix the CVE-2010-0307 fix.
+
 * Tue Feb 02 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.30.10-105.2.11
 - CVE-2010-0307 kernel: DoS on x86_64
 
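Review bot: "- Fix the CVE-2010-0307 fix." does not say what was wrong, which anyone triaging the update will want; suggest "- Fix the CVE-2010-0307 fix: clear old personality/flags in flush_old_exec(), not setup_new_exec() (upstream 7ab02af428c2)", the commit id being the one in the patch header above.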


