FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 05-24-2011, 09:30 PM
Steve Conklin
 
Default next_pidmap: fix overflow condition, CVE-2011-1593

Applied

On Wed, 2011-05-18 at 18:16 -0300, Herton Ronaldo Krzesinski wrote:
> From: Linus Torvalds <torvalds@linux-foundation.org>
>
> CVE-2011-1593
>
> BugLink: https://bugs.launchpad.net/bugs/784727
>
> Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12,
> 2.6.35.13, 2.6.38.4
>
> next_pidmap() just quietly accepted whatever 'last' pid that was passed
> in, which is not all that safe when one of the users is /proc.
>
> Admittedly the proc code should do some sanity checking on the range
> (and that will be the next commit), but that doesn't mean that the
> helper functions should just do that pidmap pointer arithmetic without
> checking the range of its arguments.
>
> So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1"
> doesn't really matter, the for-loop does check against the end of the
> pidmap array properly (it's only the actual pointer arithmetic overflow
> case we need to worry about, and going one bit beyond isn't going to
> overflow).
>
> [ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]
>
> Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
> Analyzed-by: Robert Święcki <robert@swiecki.net>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> Cc: Pavel Emelyanov <xemul@openvz.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (backported from commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b upstream)
> Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
> ---
> .../openvz/patchset/0001-2.6.24-ovz002.patch | 2 +-
> kernel/pid.c | 5 ++++-
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch b/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch
> index 729b278..6a8a613 100644
> --- a/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch
> +++ b/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch
> @@ -62556,7 +62556,7 @@ Index: kernel/kernel/pid.c
> + return pid;
> +}
> +
> - static int next_pidmap(struct pid_namespace *pid_ns, int last)
> + static int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
> {
> int offset;
> @@ -198,6 +231,7 @@
> diff --git a/kernel/pid.c b/kernel/pid.c
> index f815455..29f0ac0 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -181,11 +181,14 @@ static int alloc_pidmap(struct pid_namespace *pid_ns)
> return -1;
> }
>
> -static int next_pidmap(struct pid_namespace *pid_ns, int last)
> +static int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
> {
> int offset;
> struct pidmap *map, *end;
>
> + if (last >= PID_MAX_LIMIT)
> + return -1;
> +
> offset = (last + 1) & BITS_PER_PAGE_MASK;
> map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];
> end = &pid_ns->pidmap[PIDMAP_ENTRIES];
> --
> 1.7.0.4
>
>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 04:42 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org