[arch-commits] Commit in linux-lts/trunk (CVE-2012-0056.patch PKGBUILD)
Pierre Schmitz
pierre at archlinux.org
Mon Jan 23 13:13:39 UTC 2012
Date: Monday, January 23, 2012 @ 08:13:39
Author: pierre
Revision: 147148
fix CVE-2012-0056
Added:
linux-lts/trunk/CVE-2012-0056.patch
Modified:
linux-lts/trunk/PKGBUILD
---------------------+
CVE-2012-0056.patch | 268 ++++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 12 +-
2 files changed, 277 insertions(+), 3 deletions(-)
Added: CVE-2012-0056.patch
===================================================================
--- CVE-2012-0056.patch (rev 0)
+++ CVE-2012-0056.patch 2012-01-23 13:13:39 UTC (rev 147148)
@@ -0,0 +1,268 @@
+From e268337dfe26dfc7efd422a804dbb27977a3cccc Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Tue, 17 Jan 2012 15:21:19 -0800
+Subject: [PATCH] proc: clean up and fix /proc/<pid>/mem handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very
+robust, and it also doesn't match the permission checking of any of the
+other related files.
+
+This changes it to do the permission checks at open time, and instead of
+tracking the process, it tracks the VM at the time of the open. That
+simplifies the code a lot, but does mean that if you hold the file
+descriptor open over an execve(), you'll continue to read from the _old_
+VM.
+
+That is different from our previous behavior, but much simpler. If
+somebody actually finds a load where this matters, we'll need to revert
+this commit.
+
+I suspect that nobody will ever notice - because the process mapping
+addresses will also have changed as part of the execve. So you cannot
+actually usefully access the fd across a VM change simply because all
+the offsets for IO would have changed too.
+
+Reported-by: Jüri Aedla <asd at ut.ee>
+Cc: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/proc/base.c | 145 +++++++++++++++-----------------------------------------
+ 1 files changed, 39 insertions(+), 106 deletions(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 5485a53..662ddf2 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -198,65 +198,7 @@ static int proc_root_link(struct dentry *dentry, struct path *path)
+ return result;
+ }
+
+-static struct mm_struct *__check_mem_permission(struct task_struct *task)
+-{
+- struct mm_struct *mm;
+-
+- mm = get_task_mm(task);
+- if (!mm)
+- return ERR_PTR(-EINVAL);
+-
+- /*
+- * A task can always look at itself, in case it chooses
+- * to use system calls instead of load instructions.
+- */
+- if (task == current)
+- return mm;
+-
+- /*
+- * If current is actively ptrace'ing, and would also be
+- * permitted to freshly attach with ptrace now, permit it.
+- */
+- if (task_is_stopped_or_traced(task)) {
+- int match;
+- rcu_read_lock();
+- match = (ptrace_parent(task) == current);
+- rcu_read_unlock();
+- if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
+- return mm;
+- }
+-
+- /*
+- * No one else is allowed.
+- */
+- mmput(mm);
+- return ERR_PTR(-EPERM);
+-}
+-
+-/*
+- * If current may access user memory in @task return a reference to the
+- * corresponding mm, otherwise ERR_PTR.
+- */
+-static struct mm_struct *check_mem_permission(struct task_struct *task)
+-{
+- struct mm_struct *mm;
+- int err;
+-
+- /*
+- * Avoid racing if task exec's as we might get a new mm but validate
+- * against old credentials.
+- */
+- err = mutex_lock_killable(&task->signal->cred_guard_mutex);
+- if (err)
+- return ERR_PTR(err);
+-
+- mm = __check_mem_permission(task);
+- mutex_unlock(&task->signal->cred_guard_mutex);
+-
+- return mm;
+-}
+-
+-struct mm_struct *mm_for_maps(struct task_struct *task)
++static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
+ {
+ struct mm_struct *mm;
+ int err;
+@@ -267,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+
+ mm = get_task_mm(task);
+ if (mm && mm != current->mm &&
+- !ptrace_may_access(task, PTRACE_MODE_READ)) {
++ !ptrace_may_access(task, mode)) {
+ mmput(mm);
+ mm = ERR_PTR(-EACCES);
+ }
+@@ -276,6 +218,11 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ return mm;
+ }
+
++struct mm_struct *mm_for_maps(struct task_struct *task)
++{
++ return mm_access(task, PTRACE_MODE_READ);
++}
++
+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+ {
+ int res = 0;
+@@ -752,38 +699,39 @@ static const struct file_operations proc_single_file_operations = {
+
+ static int mem_open(struct inode* inode, struct file* file)
+ {
+- file->private_data = (void*)((long)current->self_exec_id);
++ struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
++ struct mm_struct *mm;
++
++ if (!task)
++ return -ESRCH;
++
++ mm = mm_access(task, PTRACE_MODE_ATTACH);
++ put_task_struct(task);
++
++ if (IS_ERR(mm))
++ return PTR_ERR(mm);
++
+ /* OK to pass negative loff_t, we can catch out-of-range */
+ file->f_mode |= FMODE_UNSIGNED_OFFSET;
++ file->private_data = mm;
++
+ return 0;
+ }
+
+ static ssize_t mem_read(struct file * file, char __user * buf,
+ size_t count, loff_t *ppos)
+ {
+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
++ int ret;
+ char *page;
+ unsigned long src = *ppos;
+- int ret = -ESRCH;
+- struct mm_struct *mm;
++ struct mm_struct *mm = file->private_data;
+
+- if (!task)
+- goto out_no_task;
++ if (!mm)
++ return 0;
+
+- ret = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+- goto out;
+-
+- mm = check_mem_permission(task);
+- ret = PTR_ERR(mm);
+- if (IS_ERR(mm))
+- goto out_free;
+-
+- ret = -EIO;
+-
+- if (file->private_data != (void*)((long)current->self_exec_id))
+- goto out_put;
++ return -ENOMEM;
+
+ ret = 0;
+
+@@ -810,13 +758,7 @@ static ssize_t mem_read(struct file * file, char __user * buf,
+ }
+ *ppos = src;
+
+-out_put:
+- mmput(mm);
+-out_free:
+ free_page((unsigned long) page);
+-out:
+- put_task_struct(task);
+-out_no_task:
+ return ret;
+ }
+
+@@ -825,27 +767,15 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
+ {
+ int copied;
+ char *page;
+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
+ unsigned long dst = *ppos;
+- struct mm_struct *mm;
++ struct mm_struct *mm = file->private_data;
+
+- copied = -ESRCH;
+- if (!task)
+- goto out_no_task;
++ if (!mm)
++ return 0;
+
+- copied = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+- goto out_task;
+-
+- mm = check_mem_permission(task);
+- copied = PTR_ERR(mm);
+- if (IS_ERR(mm))
+- goto out_free;
+-
+- copied = -EIO;
+- if (file->private_data != (void *)((long)current->self_exec_id))
+- goto out_mm;
++ return -ENOMEM;
+
+ copied = 0;
+ while (count > 0) {
+@@ -869,13 +799,7 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
+ }
+ *ppos = dst;
+
+-out_mm:
+- mmput(mm);
+-out_free:
+ free_page((unsigned long) page);
+-out_task:
+- put_task_struct(task);
+-out_no_task:
+ return copied;
+ }
+
+@@ -895,11 +819,20 @@ loff_t mem_lseek(struct file *file, loff_t offset, int orig)
+ return file->f_pos;
+ }
+
++static int mem_release(struct inode *inode, struct file *file)
++{
++ struct mm_struct *mm = file->private_data;
++
++ mmput(mm);
++ return 0;
++}
++
+ static const struct file_operations proc_mem_operations = {
+ .llseek = mem_lseek,
+ .read = mem_read,
+ .write = mem_write,
+ .open = mem_open,
++ .release = mem_release,
+ };
+
+ static ssize_t environ_read(struct file *file, char __user *buf,
+--
+1.7.6.5
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2012-01-23 13:10:32 UTC (rev 147147)
+++ PKGBUILD 2012-01-23 13:13:39 UTC (rev 147148)
@@ -8,7 +8,7 @@
_kernelname=${pkgname#linux}
_basekernel=3.0
pkgver=${_basekernel}.17
-pkgrel=1
+pkgrel=2
arch=('i686' 'x86_64')
url="http://www.kernel.org/"
license=('GPL2')
@@ -21,14 +21,16 @@
# standard config files for mkinitcpio ramdisk
"${pkgname}.preset"
'change-default-console-loglevel.patch'
- 'i915-fix-ghost-tv-output.patch')
+ 'i915-fix-ghost-tv-output.patch'
+ 'CVE-2012-0056.patch')
md5sums=('ecf932280e2441bdd992423ef3d55f8f'
'e86da20888dfcd19b94f5d518329ca25'
'516780158b2dcf6791edc062674a1e7a'
'5fee953e4746c31eb7ce8890ce2d24de'
'21a33df5fba2da2f56e447fb171f02c0'
'9d3c56a4b999c8bfbd4018089a62f662'
- '263725f20c0b9eb9c353040792d644e5')
+ '263725f20c0b9eb9c353040792d644e5'
+ 'a050d76e56d2ce0715c8ff663ae7f436')
build() {
cd "${srcdir}/linux-${_basekernel}"
@@ -36,6 +38,10 @@
# add upstream patch
patch -p1 -i "${srcdir}/patch-${pkgver}"
+ # patch for CVE-2012-0056
+ # see http://blog.zx2c4.com/749 for details
+ patch -p1 -i "${srcdir}/CVE-2012-0056.patch"
+
# add latest fixes from stable queue, if needed
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
More information about the arch-commits
mailing list