[kernel/f13/master] Fix CVE-2010-3079: ftrace NULL pointer dereference

Chuck Ebbert cebbert at fedoraproject.org
Wed Sep 15 03:04:05 UTC 2010


commit fac9fd36ec2dfc02ca528ab5acbece5fedbf7b56
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Tue Sep 14 23:03:13 2010 -0400

    Fix CVE-2010-3079: ftrace NULL pointer dereference

 kernel.spec                                        |    9 ++++
 ...-do-not-allow-llseek-to-set_ftrace_filter.patch |   51 ++++++++++++++++++++
 2 files changed, 60 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 15b40a2..057bb36 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -805,6 +805,9 @@ Patch12542: setup_arg_pages-diagnose-excessive-argument-size.patch
 # CVE-2010-3080
 Patch12550: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
 
+# CVE-2010-3079
+Patch12560: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1519,6 +1522,9 @@ ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
 # CVE-2010-3080
 ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
 
+# CVE-2010-3079
+ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2141,6 +2147,9 @@ fi
 
 %changelog
 * Tue Sep 14 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.34.7-57
+- Fix CVE-2010-3079: ftrace NULL pointer dereference
+
+* Tue Sep 14 2010 Chuck Ebbert <cebbert at redhat.com>
 - Fix CVE-2010-3080: /dev/sequencer open failure is not handled correctly
 
 * Tue Sep 14 2010 Chuck Ebbert <cebbert at redhat.com>
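Review bot: the new changelog entry reuses the existing `2.6.34.7-57` header (kept as unchanged context) and pushes the CVE-2010-3080 entry under a new version-less header, while none of the hunks in this commit touch the release tag; confirm that 2.6.34.7-57 has not already been built and pushed with only the CVE-2010-3080 fix, otherwise the release should be bumped so the two builds remain distinguishable in the changelog.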
diff --git a/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch b/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
new file mode 100644
index 0000000..4bbae71
--- /dev/null
+++ b/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
@@ -0,0 +1,51 @@
+From: Steven Rostedt <srostedt at redhat.com>
+Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400)
+Subject: tracing: Do not allow llseek to set_ftrace_filter
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
+
+tracing: Do not allow llseek to set_ftrace_filter
+
+Reading the file set_ftrace_filter does three things.
+
+1) shows whether or not filters are set for the function tracer
+2) shows what functions are set for the function tracer
+3) shows what triggers are set on any functions
+
+3 is independent from 1 and 2.
+
+The way this file currently works is that it is a state machine,
+and as you read it, it may change state. But this assumption breaks
+when you use lseek() on the file. The state machine gets out of sync
+and the t_show() may use the wrong pointer and cause a kernel oops.
+
+Luckily, this will only kill the app that does the lseek, but the app
+dies while holding a mutex. This prevents anyone else from using the
+set_ftrace_filter file (or any other function tracing file for that matter).
+
+A real fix for this is to rewrite the code, but that is too much for
+a -rc release or stable. This patch simply disables llseek on the
+set_ftrace_filter() file for now, and we can do the proper fix for the
+next major release.
+
+Reported-by: Robert Swiecki <swiecki at google.com>
+Cc: Chris Wright <chrisw at sous-sol.org>
+Cc: Tavis Ormandy <taviso at google.com>
+Cc: Eugene Teo <eugene at redhat.com>
+Cc: vendor-sec at lst.de
+Cc: <stable at kernel.org>
+Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
+---
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 7cb1f45..83a16e9 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = {
+ 	.open = ftrace_filter_open,
+ 	.read = seq_read,
+ 	.write = ftrace_filter_write,
+-	.llseek = ftrace_regex_lseek,
++	.llseek = no_llseek,
+ 	.release = ftrace_filter_release,
+ };
+ 
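Review bot: the patch description at the top of the new file calls this a stopgap ("A real fix for this is to rewrite the code ... we can do the proper fix for the next major release"), yet the spec carries only `# CVE-2010-3079` as a comment; consider recording there or in the patch file that the `.llseek = no_llseek` swap in `ftrace_filter_fops` is temporary, so it is revisited once the rewrite reaches stable rather than carried indefinitely. The one-line change itself is sound: with `no_llseek`, an lseek() on set_ftrace_filter is rejected outright instead of desynchronizing the seq_file state machine that t_show() depends on, and sequential reads through `seq_read` are unaffected.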