rpms/kernel/F-12 fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch, NONE, 1.1.2.1 fix-flush_old_exec-setup_new_exec-split.patch, NONE, 1.1.2.1 powerpc-tif_abi_pending-bit-removal.patch, NONE, 1.1.2.1 sparc-tif_abi_pending-bit-removal.patch, NONE, 1.1.2.1 split-flush_old_exec-into-two-functions.patch, NONE, 1.1.2.1 x86-get-rid-of-the-insane-tif_abi_pending-bit.patch, NONE, 1.1.2.1 kernel.spec, 1.1960.2.5, 1.1960.2.6
Chuck Ebbert
cebbert at fedoraproject.org
Sun Feb 7 01:11:00 UTC 2010
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26368
Modified Files:
Tag: private-fedora-12-2_6_31
kernel.spec
Added Files:
Tag: private-fedora-12-2_6_31
fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch
fix-flush_old_exec-setup_new_exec-split.patch
powerpc-tif_abi_pending-bit-removal.patch
sparc-tif_abi_pending-bit-removal.patch
split-flush_old_exec-into-two-functions.patch
x86-get-rid-of-the-insane-tif_abi_pending-bit.patch
Log Message:
CVE-2010-0307 kernel: DoS on x86_64
fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch:
arch/blackfin/include/asm/page.h | 5 +++++
arch/frv/include/asm/page.h | 2 --
fs/binfmt_elf_fdpic.c | 13 +++++++++++--
3 files changed, 16 insertions(+), 4 deletions(-)
--- NEW FILE fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch ---
>From 04e4f2b18c8de1389d1e00fef0f42a8099910daf Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier at gentoo.org>
Date: Wed, 6 Jan 2010 17:23:17 +0000
Subject: FDPIC: Respect PT_GNU_STACK exec protection markings when creating NOMMU stack
From: Mike Frysinger <vapier at gentoo.org>
[ backport to 2.6.31 ]
commit 04e4f2b18c8de1389d1e00fef0f42a8099910daf upstream.
The current code will load the stack size and protection markings, but
then only use the markings in the MMU code path. The NOMMU code path
always passes PROT_EXEC to the mmap() call. While this doesn't matter
to most people whilst the code is running, it will cause a pointless
icache flush when starting every FDPIC application. Typically this
icache flush will be of a region on the order of 128KB in size, or may
be the entire icache, depending on the facilities available on the CPU.
In the case where the arch default behaviour seems to be desired
(EXSTACK_DEFAULT), we probe VM_STACK_FLAGS for VM_EXEC to determine
whether we should be setting PROT_EXEC or not.
For arches that support an MPU (Memory Protection Unit - an MMU without
the virtual mapping capability), setting PROT_EXEC or not will make an
important difference.
It should be noted that this change also affects the executability of
the brk region, since ELF-FDPIC has that share with the stack. However,
this is probably irrelevant as NOMMU programs aren't likely to use the
brk region, preferring instead allocation via mmap().
Signed-off-by: Mike Frysinger <vapier at gentoo.org>
Signed-off-by: David Howells <dhowells at redhat.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
arch/blackfin/include/asm/page.h | 5 +++++
arch/frv/include/asm/page.h | 2 --
fs/binfmt_elf_fdpic.c | 13 +++++++++++--
3 files changed, 16 insertions(+), 4 deletions(-)
--- a/arch/blackfin/include/asm/page.h Wed Jan 06 18:10:15 2010 -0800
+++ b/arch/blackfin/include/asm/page.h Wed Jan 06 18:16:02 2010 -0800
@@ -10,4 +10,9 @@
#include <asm-generic/page.h>
#define MAP_NR(addr) (((unsigned long)(addr)-PAGE_OFFSET) >> PAGE_SHIFT)
+#define VM_DATA_DEFAULT_FLAGS \
+ (VM_READ | VM_WRITE | \
+ ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
#endif
--- a/arch/frv/include/asm/page.h Wed Jan 06 18:10:15 2010 -0800
+++ b/arch/frv/include/asm/page.h Wed Jan 06 18:16:02 2010 -0800
@@ -63,12 +63,10 @@
#define virt_addr_valid(kaddr) pfn_valid(__pa(kaddr) >> PAGE_SHIFT)
-#ifdef CONFIG_MMU
#define VM_DATA_DEFAULT_FLAGS \
(VM_READ | VM_WRITE | \
((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
-#endif
#endif /* __ASSEMBLY__ */
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -171,6 +171,9 @@ static int load_elf_fdpic_binary(struct
#ifdef ELF_FDPIC_PLAT_INIT
unsigned long dynaddr;
#endif
+#ifndef CONFIG_MMU
+ unsigned long stack_prot;
+#endif
struct file *interpreter = NULL; /* to shut gcc up */
char *interpreter_name = NULL;
int executable_stack;
@@ -316,6 +319,8 @@ static int load_elf_fdpic_binary(struct
* defunct, deceased, etc. after this point we have to exit via
* error_kill */
set_personality(PER_LINUX_FDPIC);
+ if (elf_read_implies_exec(&exec_params.hdr, executable_stack))
+ current->personality |= READ_IMPLIES_EXEC;
set_binfmt(&elf_fdpic_format);
current->mm->start_code = 0;
@@ -377,9 +382,13 @@ static int load_elf_fdpic_binary(struct
if (stack_size < PAGE_SIZE * 2)
stack_size = PAGE_SIZE * 2;
+ stack_prot = PROT_READ | PROT_WRITE;
+ if (executable_stack == EXSTACK_ENABLE_X ||
+ (executable_stack == EXSTACK_DEFAULT && VM_STACK_FLAGS & VM_EXEC))
+ stack_prot |= PROT_EXEC;
+
down_write(¤t->mm->mmap_sem);
- current->mm->start_brk = do_mmap(NULL, 0, stack_size,
- PROT_READ | PROT_WRITE | PROT_EXEC,
+ current->mm->start_brk = do_mmap(NULL, 0, stack_size, stack_prot,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN,
0);
fix-flush_old_exec-setup_new_exec-split.patch:
exec.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- NEW FILE fix-flush_old_exec-setup_new_exec-split.patch ---
>From 7ab02af428c2d312c0cf8fb0b01cc1eb21131a3d Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds at linux-foundation.org>
Date: Tue, 2 Feb 2010 12:37:44 -0800
Subject: Fix 'flush_old_exec()/setup_new_exec()' split
From: Linus Torvalds <torvalds at linux-foundation.org>
commit 7ab02af428c2d312c0cf8fb0b01cc1eb21131a3d upstream.
Commit 221af7f87b9 ("Split 'flush_old_exec' into two functions") split
the function at the point of no return - ie right where there were no
more error cases to check. That made sense from a technical standpoint,
but when we then also combined it with the actual personality setting
going in between flush_old_exec() and setup_new_exec(), it needs to be a
bit more careful.
In particular, we need to make sure that we really flush the old
personality bits in the 'flush' stage, rather than later in the 'setup'
stage, since otherwise we might be flushing the _new_ personality state
that we're just setting up.
So this moves the flags and personality flushing (and 'flush_thread()',
which is the arch-specific function that generally resets lazy FP state
etc) of the old process into flush_old_exec(), so that it doesn't affect
any state that execve() is setting up for the new process environment.
This was reported by Michal Simek as breaking his Microblaze qemu
environment.
Reported-and-tested-by: Michal Simek <michal.simek at petalogix.com>
Cc: Peter Anvin <hpa at zytor.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
fs/exec.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -951,6 +951,11 @@ int flush_old_exec(struct linux_binprm *
goto out;
bprm->mm = NULL; /* We're using it now */
+
+ current->flags &= ~PF_RANDOMIZE;
+ flush_thread();
+ current->personality &= ~bprm->per_clear;
+
return 0;
out:
@@ -987,9 +992,6 @@ void setup_new_exec(struct linux_binprm
tcomm[i] = '\0';
set_task_comm(current, tcomm);
- current->flags &= ~PF_RANDOMIZE;
- flush_thread();
-
/* Set the new mm task size. We have to do that late because it may
* depend on TIF_32BIT which is only updated in flush_thread() on
* some architectures like powerpc
@@ -1005,8 +1007,6 @@ void setup_new_exec(struct linux_binprm
set_dumpable(current->mm, suid_dumpable);
}
- current->personality &= ~bprm->per_clear;
-
/*
* Flush performance counters when crossing a
* security domain:
powerpc-tif_abi_pending-bit-removal.patch:
include/asm/elf.h | 8 ++------
include/asm/thread_info.h | 2 --
kernel/process.c | 12 ------------
3 files changed, 2 insertions(+), 20 deletions(-)
--- NEW FILE powerpc-tif_abi_pending-bit-removal.patch ---
From: Andreas Schwab <schwab at linux-m68k.org>
Date: Sat, 30 Jan 2010 10:20:59 +0000 (+0000)
Subject: powerpc: TIF_ABI_PENDING bit removal
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=94f28da8409c6059135e89ac64a0839993124155
powerpc: TIF_ABI_PENDING bit removal
Here are the powerpc bits to remove TIF_ABI_PENDING now that
set_personality() is called at the appropriate place in exec.
Signed-off-by: Andreas Schwab <schwab at linux-m68k.org>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
---
diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h
index 17828ad..c376eda 100644
--- a/arch/powerpc/include/asm/elf.h
+++ b/arch/powerpc/include/asm/elf.h
@@ -235,14 +235,10 @@ typedef elf_vrregset_t elf_fpxregset_t;
#ifdef __powerpc64__
# define SET_PERSONALITY(ex) \
do { \
- unsigned long new_flags = 0; \
if ((ex).e_ident[EI_CLASS] == ELFCLASS32) \
- new_flags = _TIF_32BIT; \
- if ((current_thread_info()->flags & _TIF_32BIT) \
- != new_flags) \
- set_thread_flag(TIF_ABI_PENDING); \
+ set_thread_flag(TIF_32BIT); \
else \
- clear_thread_flag(TIF_ABI_PENDING); \
+ clear_thread_flag(TIF_32BIT); \
if (personality(current->personality) != PER_LINUX32) \
set_personality(PER_LINUX | \
(current->personality & (~PER_MASK))); \
diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
index c8b3292..aa9d383 100644
--- a/arch/powerpc/include/asm/thread_info.h
+++ b/arch/powerpc/include/asm/thread_info.h
@@ -111,7 +111,6 @@ static inline struct thread_info *current_thread_info(void)
#define TIF_NOTIFY_RESUME 13 /* callback before returning to user */
#define TIF_FREEZE 14 /* Freezing for suspend */
#define TIF_RUNLATCH 15 /* Is the runlatch enabled? */
-#define TIF_ABI_PENDING 16 /* 32/64 bit switch needed */
/* as above, but as bit values */
#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
@@ -129,7 +128,6 @@ static inline struct thread_info *current_thread_info(void)
#define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME)
#define _TIF_FREEZE (1<<TIF_FREEZE)
#define _TIF_RUNLATCH (1<<TIF_RUNLATCH)
-#define _TIF_ABI_PENDING (1<<TIF_ABI_PENDING)
#define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP)
#define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index c930ac3..7b816da 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -554,18 +554,6 @@ void exit_thread(void)
void flush_thread(void)
{
-#ifdef CONFIG_PPC64
- struct thread_info *t = current_thread_info();
-
- if (test_ti_thread_flag(t, TIF_ABI_PENDING)) {
- clear_ti_thread_flag(t, TIF_ABI_PENDING);
- if (test_ti_thread_flag(t, TIF_32BIT))
- clear_ti_thread_flag(t, TIF_32BIT);
- else
- set_ti_thread_flag(t, TIF_32BIT);
- }
-#endif
-
discard_lazy_cpu_state();
if (current->thread.dabr) {
sparc-tif_abi_pending-bit-removal.patch:
include/asm/elf_64.h | 13 +++----------
include/asm/thread_info_64.h | 4 +---
kernel/process_64.c | 8 --------
3 files changed, 4 insertions(+), 21 deletions(-)
--- NEW FILE sparc-tif_abi_pending-bit-removal.patch ---
>From 94673e968cbcce07fa78dac4b0ae05d24b5816e1 Mon Sep 17 00:00:00 2001
From: David Miller <davem at davemloft.net>
Date: Thu, 28 Jan 2010 21:42:02 -0800
Subject: sparc: TIF_ABI_PENDING bit removal
From: David Miller <davem at davemloft.net>
commit 94673e968cbcce07fa78dac4b0ae05d24b5816e1 upstream.
Here are the sparc bits to remove TIF_ABI_PENDING now that
set_personality() is called at the appropriate place in exec.
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
arch/sparc/include/asm/elf_64.h | 13 +++----------
arch/sparc/include/asm/thread_info_64.h | 4 +---
arch/sparc/kernel/process_64.c | 8 --------
3 files changed, 4 insertions(+), 21 deletions(-)
--- a/arch/sparc/include/asm/elf_64.h
+++ b/arch/sparc/include/asm/elf_64.h
@@ -196,17 +196,10 @@ static inline unsigned int sparc64_elf_h
#define ELF_PLATFORM (NULL)
#define SET_PERSONALITY(ex) \
-do { unsigned long new_flags = current_thread_info()->flags; \
- new_flags &= _TIF_32BIT; \
- if ((ex).e_ident[EI_CLASS] == ELFCLASS32) \
- new_flags |= _TIF_32BIT; \
+do { if ((ex).e_ident[EI_CLASS] == ELFCLASS32) \
+ set_thread_flag(TIF_32BIT); \
else \
- new_flags &= ~_TIF_32BIT; \
- if ((current_thread_info()->flags & _TIF_32BIT) \
- != new_flags) \
- set_thread_flag(TIF_ABI_PENDING); \
- else \
- clear_thread_flag(TIF_ABI_PENDING); \
+ clear_thread_flag(TIF_32BIT); \
/* flush_thread will update pgd cache */ \
if (personality(current->personality) != PER_LINUX32) \
set_personality(PER_LINUX | \
--- a/arch/sparc/include/asm/thread_info_64.h
+++ b/arch/sparc/include/asm/thread_info_64.h
@@ -227,12 +227,11 @@ register struct thread_info *current_thr
/* flag bit 8 is available */
#define TIF_SECCOMP 9 /* secure computing */
#define TIF_SYSCALL_AUDIT 10 /* syscall auditing active */
-/* flag bit 11 is available */
/* NOTE: Thread flags >= 12 should be ones we have no interest
* in using in assembly, else we can't use the mask as
* an immediate value in instructions such as andcc.
*/
-#define TIF_ABI_PENDING 12
+/* flag bit 12 is available */
#define TIF_MEMDIE 13
#define TIF_POLLING_NRFLAG 14
#define TIF_FREEZE 15 /* is freezing for suspend */
@@ -246,7 +245,6 @@ register struct thread_info *current_thr
#define _TIF_32BIT (1<<TIF_32BIT)
#define _TIF_SECCOMP (1<<TIF_SECCOMP)
#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
-#define _TIF_ABI_PENDING (1<<TIF_ABI_PENDING)
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
#define _TIF_FREEZE (1<<TIF_FREEZE)
--- a/arch/sparc/kernel/process_64.c
+++ b/arch/sparc/kernel/process_64.c
@@ -365,14 +365,6 @@ void flush_thread(void)
struct thread_info *t = current_thread_info();
struct mm_struct *mm;
- if (test_ti_thread_flag(t, TIF_ABI_PENDING)) {
- clear_ti_thread_flag(t, TIF_ABI_PENDING);
- if (test_ti_thread_flag(t, TIF_32BIT))
- clear_ti_thread_flag(t, TIF_32BIT);
- else
- set_ti_thread_flag(t, TIF_32BIT);
- }
-
mm = t->task->mm;
if (mm)
tsb_context_switch(mm);
split-flush_old_exec-into-two-functions.patch:
arch/sh/kernel/process_64.c | 2 +-
arch/x86/ia32/ia32_aout.c | 10 ++++++----
fs/binfmt_aout.c | 1 +
fs/binfmt_elf.c | 27 ++-------------------------
fs/binfmt_elf_fdpic.c | 3 +++
fs/binfmt_flat.c | 1 +
fs/binfmt_som.c | 1 +
fs/exec.c | 26 ++++++++++++++++----------
include/linux/binfmts.h | 1 +
include/linux/sched.h | 2 +-
10 files changed, 33 insertions(+), 41 deletions(-)
--- NEW FILE split-flush_old_exec-into-two-functions.patch ---
>From 221af7f87b97431e3ee21ce4b0e77d5411cf1549 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds at linux-foundation.org>
Date: Thu, 28 Jan 2010 22:14:42 -0800
Subject: Split 'flush_old_exec' into two functions
From: Linus Torvalds <torvalds at linux-foundation.org>
commit 221af7f87b97431e3ee21ce4b0e77d5411cf1549 upstream.
'flush_old_exec()' is the point of no return when doing an execve(), and
it is pretty badly misnamed. It doesn't just flush the old executable
environment, it also starts up the new one.
Which is very inconvenient for things like setting up the new
personality, because we want the new personality to affect the starting
of the new environment, but at the same time we do _not_ want the new
personality to take effect if flushing the old one fails.
As a result, the x86-64 '32-bit' personality is actually done using this
insane "I'm going to change the ABI, but I haven't done it yet" bit
(TIF_ABI_PENDING), with SET_PERSONALITY() not actually setting the
personality, but just the "pending" bit, so that "flush_thread()" can do
the actual personality magic.
This patch in no way changes any of that insanity, but it does split the
'flush_old_exec()' function up into a preparatory part that can fail
(still called flush_old_exec()), and a new part that will actually set
up the new exec environment (setup_new_exec()). All callers are changed
to trivially comply with the new world order.
Signed-off-by: H. Peter Anvin <hpa at zytor.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
arch/sh/kernel/process_64.c | 2 +-
arch/x86/ia32/ia32_aout.c | 10 ++++++----
fs/binfmt_aout.c | 1 +
fs/binfmt_elf.c | 27 ++-------------------------
fs/binfmt_elf_fdpic.c | 3 +++
fs/binfmt_flat.c | 1 +
fs/binfmt_som.c | 1 +
fs/exec.c | 26 ++++++++++++++++----------
include/linux/binfmts.h | 1 +
include/linux/sched.h | 2 +-
10 files changed, 33 insertions(+), 41 deletions(-)
--- a/arch/sh/kernel/process_64.c
+++ b/arch/sh/kernel/process_64.c
@@ -367,7 +367,7 @@ void exit_thread(void)
void flush_thread(void)
{
- /* Called by fs/exec.c (flush_old_exec) to remove traces of a
+ /* Called by fs/exec.c (setup_new_exec) to remove traces of a
* previously running executable. */
#ifdef CONFIG_SH_FPU
if (last_task_used_math == current) {
--- a/arch/x86/ia32/ia32_aout.c
+++ b/arch/x86/ia32/ia32_aout.c
@@ -308,15 +308,17 @@ static int load_aout_binary(struct linux
if (retval)
return retval;
- regs->cs = __USER32_CS;
- regs->r8 = regs->r9 = regs->r10 = regs->r11 = regs->r12 =
- regs->r13 = regs->r14 = regs->r15 = 0;
-
/* OK, This is the point of no return */
set_personality(PER_LINUX);
set_thread_flag(TIF_IA32);
clear_thread_flag(TIF_ABI_PENDING);
+ setup_new_exec(bprm);
+
+ regs->cs = __USER32_CS;
+ regs->r8 = regs->r9 = regs->r10 = regs->r11 = regs->r12 =
+ regs->r13 = regs->r14 = regs->r15 = 0;
+
current->mm->end_code = ex.a_text +
(current->mm->start_code = N_TXTADDR(ex));
current->mm->end_data = ex.a_data +
--- a/fs/binfmt_aout.c
+++ b/fs/binfmt_aout.c
@@ -263,6 +263,7 @@ static int load_aout_binary(struct linux
#else
set_personality(PER_LINUX);
#endif
+ setup_new_exec(bprm);
current->mm->end_code = ex.a_text +
(current->mm->start_code = N_TXTADDR(ex));
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -662,27 +662,6 @@ static int load_elf_binary(struct linux_
if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
goto out_free_interp;
- /*
- * The early SET_PERSONALITY here is so that the lookup
- * for the interpreter happens in the namespace of the
- * to-be-execed image. SET_PERSONALITY can select an
- * alternate root.
- *
- * However, SET_PERSONALITY is NOT allowed to switch
- * this task into the new images's memory mapping
- * policy - that is, TASK_SIZE must still evaluate to
- * that which is appropriate to the execing application.
- * This is because exit_mmap() needs to have TASK_SIZE
- * evaluate to the size of the old image.
- *
- * So if (say) a 64-bit application is execing a 32-bit
- * application it is the architecture's responsibility
- * to defer changing the value of TASK_SIZE until the
- * switch really is going to happen - do this in
- * flush_thread(). - akpm
- */
- SET_PERSONALITY(loc->elf_ex);
-
interpreter = open_exec(elf_interpreter);
retval = PTR_ERR(interpreter);
if (IS_ERR(interpreter))
@@ -730,9 +709,6 @@ static int load_elf_binary(struct linux_
/* Verify the interpreter has a valid arch */
if (!elf_check_arch(&loc->interp_elf_ex))
goto out_free_dentry;
- } else {
- /* Executables without an interpreter also need a personality */
- SET_PERSONALITY(loc->elf_ex);
}
/* Flush all traces of the currently running executable */
@@ -752,7 +728,8 @@ static int load_elf_binary(struct linux_
if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
current->flags |= PF_RANDOMIZE;
- arch_pick_mmap_layout(current->mm);
+
+ setup_new_exec(bprm);
/* Do this so that we can load the interpreter, if need be. We will
change some of these later */
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -321,6 +321,9 @@ static int load_elf_fdpic_binary(struct
set_personality(PER_LINUX_FDPIC);
if (elf_read_implies_exec(&exec_params.hdr, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
+
+ setup_new_exec(bprm);
+
set_binfmt(&elf_fdpic_format);
current->mm->start_code = 0;
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -519,6 +519,7 @@ static int load_flat_file(struct linux_b
/* OK, This is the point of no return */
set_personality(PER_LINUX_32BIT);
+ setup_new_exec(bprm);
}
/*
--- a/fs/binfmt_som.c
+++ b/fs/binfmt_som.c
@@ -227,6 +227,7 @@ load_som_binary(struct linux_binprm * bp
/* OK, This is the point of no return */
current->flags &= ~PF_FORKNOEXEC;
current->personality = PER_HPUX;
+ setup_new_exec(bprm);
/* Set the task size for HP-UX processes such that
* the gateway page is outside the address space.
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -931,9 +931,7 @@ void set_task_comm(struct task_struct *t
int flush_old_exec(struct linux_binprm * bprm)
{
- char * name;
- int i, ch, retval;
- char tcomm[sizeof(current->comm)];
+ int retval;
/*
* Make sure we have a private signal table and that
@@ -953,6 +951,20 @@ int flush_old_exec(struct linux_binprm *
goto out;
bprm->mm = NULL; /* We're using it now */
+ return 0;
+
+out:
+ return retval;
+}
+EXPORT_SYMBOL(flush_old_exec);
+
+void setup_new_exec(struct linux_binprm * bprm)
+{
+ int i, ch;
+ char * name;
+ char tcomm[sizeof(current->comm)];
+
+ arch_pick_mmap_layout(current->mm);
/* This is the point of no return */
current->sas_ss_sp = current->sas_ss_size = 0;
@@ -1009,14 +1021,8 @@ int flush_old_exec(struct linux_binprm *
flush_signal_handlers(current, 0);
flush_old_files(current->files);
-
- return 0;
-
-out:
- return retval;
}
-
-EXPORT_SYMBOL(flush_old_exec);
+EXPORT_SYMBOL(setup_new_exec);
/*
* Prepare credentials and lock ->cred_guard_mutex.
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -101,6 +101,7 @@ extern int prepare_binprm(struct linux_b
extern int __must_check remove_arg_zero(struct linux_binprm *);
extern int search_binary_handler(struct linux_binprm *,struct pt_regs *);
extern int flush_old_exec(struct linux_binprm * bprm);
+extern void setup_new_exec(struct linux_binprm * bprm);
extern int suid_dumpable;
#define SUID_DUMP_DISABLE 0 /* No setuid dumping */
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1354,7 +1354,7 @@ struct task_struct {
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with [gs]et_task_comm (which lock
it with task_lock())
- - initialized normally by flush_old_exec */
+ - initialized normally by setup_new_exec */
/* file system info */
int link_count, total_link_count;
#ifdef CONFIG_SYSVIPC
x86-get-rid-of-the-insane-tif_abi_pending-bit.patch:
ia32/ia32_aout.c | 1 -
include/asm/elf.h | 10 ++--------
include/asm/thread_info.h | 2 --
kernel/process.c | 12 ------------
kernel/process_64.c | 11 +++++++++++
5 files changed, 13 insertions(+), 23 deletions(-)
--- NEW FILE x86-get-rid-of-the-insane-tif_abi_pending-bit.patch ---
>From 05d43ed8a89c159ff641d472f970e3f1baa66318 Mon Sep 17 00:00:00 2001
From: H. Peter Anvin <hpa at zytor.com>
Date: Thu, 28 Jan 2010 22:14:43 -0800
Subject: x86: get rid of the insane TIF_ABI_PENDING bit
From: H. Peter Anvin <hpa at zytor.com>
commit 05d43ed8a89c159ff641d472f970e3f1baa66318 upstream.
Now that the previous commit made it possible to do the personality
setting at the point of no return, we do just that for ELF binaries.
And suddenly all the reasons for that insane TIF_ABI_PENDING bit go
away, and we can just make SET_PERSONALITY() just do the obvious thing
for a 32-bit compat process.
Everything becomes much more straightforward this way.
Signed-off-by: H. Peter Anvin <hpa at zytor.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
arch/x86/ia32/ia32_aout.c | 1 -
arch/x86/include/asm/elf.h | 10 ++--------
arch/x86/include/asm/thread_info.h | 2 --
arch/x86/kernel/process.c | 12 ------------
arch/x86/kernel/process_64.c | 11 +++++++++++
5 files changed, 13 insertions(+), 23 deletions(-)
--- a/arch/x86/ia32/ia32_aout.c
+++ b/arch/x86/ia32/ia32_aout.c
@@ -311,7 +311,6 @@ static int load_aout_binary(struct linux
/* OK, This is the point of no return */
set_personality(PER_LINUX);
set_thread_flag(TIF_IA32);
- clear_thread_flag(TIF_ABI_PENDING);
setup_new_exec(bprm);
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -197,14 +197,8 @@ do { \
set_fs(USER_DS); \
} while (0)
-#define COMPAT_SET_PERSONALITY(ex) \
-do { \
- if (test_thread_flag(TIF_IA32)) \
- clear_thread_flag(TIF_ABI_PENDING); \
- else \
- set_thread_flag(TIF_ABI_PENDING); \
- current->personality |= force_personality32; \
-} while (0)
+void set_personality_ia32(void);
+#define COMPAT_SET_PERSONALITY(ex) set_personality_ia32()
#define COMPAT_ELF_PLATFORM ("i686")
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -86,7 +86,6 @@ struct thread_info {
#define TIF_NOTSC 16 /* TSC is not accessible in userland */
#define TIF_IA32 17 /* 32bit process */
#define TIF_FORK 18 /* ret_from_fork */
-#define TIF_ABI_PENDING 19
#define TIF_MEMDIE 20
#define TIF_DEBUG 21 /* uses debug registers */
#define TIF_IO_BITMAP 22 /* uses I/O bitmap */
@@ -110,7 +109,6 @@ struct thread_info {
#define _TIF_NOTSC (1 << TIF_NOTSC)
#define _TIF_IA32 (1 << TIF_IA32)
#define _TIF_FORK (1 << TIF_FORK)
-#define _TIF_ABI_PENDING (1 << TIF_ABI_PENDING)
#define _TIF_DEBUG (1 << TIF_DEBUG)
#define _TIF_IO_BITMAP (1 << TIF_IO_BITMAP)
#define _TIF_FREEZE (1 << TIF_FREEZE)
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -540,6 +540,17 @@ sys_clone(unsigned long clone_flags, uns
return do_fork(clone_flags, newsp, regs, 0, parent_tid, child_tid);
}
+void set_personality_ia32(void)
+{
+ /* inherit personality from parent */
+
+ /* Make sure to be in 32bit mode */
+ set_thread_flag(TIF_IA32);
+
+ /* Prepare the first "return" to user space */
+ current_thread_info()->status |= TS_COMPAT;
+}
+
unsigned long get_wchan(struct task_struct *p)
{
unsigned long stack;
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -91,18 +91,6 @@ void flush_thread(void)
{
struct task_struct *tsk = current;
-#ifdef CONFIG_X86_64
- if (test_tsk_thread_flag(tsk, TIF_ABI_PENDING)) {
- clear_tsk_thread_flag(tsk, TIF_ABI_PENDING);
- if (test_tsk_thread_flag(tsk, TIF_IA32)) {
- clear_tsk_thread_flag(tsk, TIF_IA32);
- } else {
- set_tsk_thread_flag(tsk, TIF_IA32);
- current_thread_info()->status |= TS_COMPAT;
- }
- }
-#endif
-
clear_tsk_thread_flag(tsk, TIF_DEBUG);
tsk->thread.debugreg0 = 0;
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1960.2.5
retrieving revision 1.1960.2.6
diff -u -p -r1.1960.2.5 -r1.1960.2.6
--- kernel.spec 3 Feb 2010 21:12:33 -0000 1.1960.2.5
+++ kernel.spec 7 Feb 2010 01:11:00 -0000 1.1960.2.6
@@ -802,6 +802,14 @@ Patch14463: dlm-fix-connection-close-han
Patch14464: fix-conntrack-bug-with-namespaces.patch
Patch14465: prevent-runtime-conntrack-changes.patch
+# cve-2010-0307
+Patch16530: split-flush_old_exec-into-two-functions.patch
+# needed for followon patches
+Patch16531: fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch
+Patch16532: fix-flush_old_exec-setup_new_exec-split.patch
+Patch16533: sparc-tif_abi_pending-bit-removal.patch
+Patch16534: x86-get-rid-of-the-insane-tif_abi_pending-bit.patch
+Patch16535: powerpc-tif_abi_pending-bit-removal.patch
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1496,6 +1504,14 @@ ApplyPatch dlm-fix-connection-close-hand
ApplyPatch fix-conntrack-bug-with-namespaces.patch
ApplyPatch prevent-runtime-conntrack-changes.patch
+# cve-2010-0307
+ApplyPatch fdpic-respect-pt_gnu_stack-exec-protection-markings-when-creating-nommu-stack.patch
+ApplyPatch split-flush_old_exec-into-two-functions.patch
+ApplyPatch fix-flush_old_exec-setup_new_exec-split.patch
+ApplyPatch sparc-tif_abi_pending-bit-removal.patch
+ApplyPatch x86-get-rid-of-the-insane-tif_abi_pending-bit.patch
+ApplyPatch powerpc-tif_abi_pending-bit-removal.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2145,6 +2161,9 @@ fi
# and build.
%changelog
+* Sat Feb 06 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.31.12-174.2.6
+- CVE-2010-0307 kernel: DoS on x86_64
+
* Wed Feb 03 2010 Kyle McMartin <kyle at redhat.com>
- prevent-runtime-conntrack-changes.patch: fix another conntrack bug
identified by jcm.
More information about the scm-commits
mailing list