report errors in /proc/*/*map* sanely
From: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(backported from commit ec6fd8a4355cda81cd9f06bebc048e83eb514ac7)
CVE-2011-1020
BugLink: http://bugs.launchpad.net/bugs/813026
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/proc/base.c | 8 +++++---
 fs/proc/task_mmu.c | 10 +++++-----
 fs/proc/task_nommu.c | 6 +++---
 3 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 41b2428..4b7993d 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -235,15 +235,17 @@ static int check_mem_permission(struct task_struct *task)
 struct mm_struct *mm_for_maps(struct task_struct *task)
 {
 struct mm_struct *mm;
+ int err;
- if (mutex_lock_killable(&task->cred_guard_mutex))
- return NULL;
+ err = mutex_lock_killable(&task->cred_guard_mutex);
+ if (err)
+ return ERR_PTR(err);
 mm = get_task_mm(task);
 if (mm && mm != current->mm && !ptrace_may_access(task, PTRACE_MODE_READ)) {
 mmput(mm);
- mm = NULL;
+ mm = ERR_PTR(-EACCES);
 }
 mutex_unlock(&task->cred_guard_mutex);
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 6e7b065..e62af9b 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -114,11 +114,11 @@ static void *m_start(struct seq_file *m, loff_t *pos)
 priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
 if (!priv->task)
- return NULL;
+ return ERR_PTR(-ESRCH);
 mm = mm_for_maps(priv->task);
- if (!mm)
- return NULL;
+ if (!mm || IS_ERR(mm))
+ return mm;
 down_read(&mm->mmap_sem);
 tail_vma = get_gate_vma(priv->task);
@@ -681,9 +681,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
 if (!task)
 goto out;
- ret = -EACCES;
 mm = mm_for_maps(task);
- if (!mm)
+ ret = PTR_ERR(mm);
+ if (!mm || IS_ERR(mm))
 goto out_task;
 ret = -EINVAL;
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
index 8f5c05d..522c1e1 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
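Review bot: mm_for_maps() now has three outcomes (a usable mm, NULL when get_task_mm() finds none, and an ERR_PTR from the `err` and `-EACCES` paths), and nothing at the definition states that. A caller that still tests only `if (!mm)` would treat an error pointer as a valid mm, so I would put the contract in a comment above the function: `/* Returns the task's mm, NULL if it has none, or ERR_PTR(-errno) when the lock wait is interrupted or access is denied; check both NULL and IS_ERR(). */`. The callers touched by this patch do check both; callers elsewhere in the target trees are not visible here and need the same audit. The function's return statement is outside the hunk, and the same hunk recurs in the two later backports on this page.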
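Review bot: m_start() in task_mmu.c can now return an ERR_PTR (`return ERR_PTR(-ESRCH);` and `return mm;`) where it used to return NULL, and the seq_file core hands whatever the start callback returned to the stop callback. m_stop() is not part of this diff; if it passes its argument to vma_stop() as a vma without checking, an error pointer is non-NULL and would be dereferenced on the -ESRCH, -EACCES or interrupted-lock paths. I would add the guard in the same patch, `if (!IS_ERR(vma)) vma_stop(priv, vma);`, and confirm it for each backport target, since the same hunk appears in the two later copies on this page. The task_nommu.c variant sets `priv->task = NULL` before returning, which presumably keeps its stop path away from the failed state, but that function is not shown either.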
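Review bot: In pagemap_read(), `ret = PTR_ERR(mm);` runs before the NULL/IS_ERR test, so a task without an mm now leaves through out_task with ret == 0 where the old code set -EACCES. That looks intentional (reading an mm-less task reports end of file), but it depends on PTR_ERR(NULL) evaluating to 0 and is easy to break in a later edit. A short comment above the test would make it explicit, for example `/* NULL mm: ret is 0 (EOF); ERR_PTR: ret is the errno */`. The function starts and ends outside the hunk, so what out_task does with ret is assumed from the label; the same hunk recurs in the two later backports on this page.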
@@ -181,13 +181,13 @@ static void *m_start(struct seq_file *m, loff_t *pos)
 /* pin the task and mm whilst we play with them */
 priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
 if (!priv->task)
- return NULL;
+ return ERR_PTR(-ESRCH);
 mm = mm_for_maps(priv->task);
- if (!mm) {
+ if (!mm || IS_ERR(mm)) {
 put_task_struct(priv->task);
 priv->task = NULL;
- return NULL;
+ return mm;
 }
 down_read(&mm->mmap_sem);
--
1.7.4.1
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team |
report errors in /proc/*/*map* sanely
From: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(backported from ec6fd8a4355cda81cd9f06bebc048e83eb514ac7)
CVE-2011-1020
BugLink: http://bugs.launchpad.net/bugs/813026
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/proc/base.c | 8 +++++---
 fs/proc/task_mmu.c | 10 +++++-----
 fs/proc/task_nommu.c | 6 +++---
 3 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index e4b77ea..e60289b 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -224,15 +224,17 @@ static int check_mem_permission(struct task_struct *task)
 struct mm_struct *mm_for_maps(struct task_struct *task)
 {
 struct mm_struct *mm;
+ int err;
- if (mutex_lock_killable(&task->cred_guard_mutex))
- return NULL;
+ err = mutex_lock_killable(&task->cred_guard_mutex);
+ if (err)
+ return ERR_PTR(err);
 mm = get_task_mm(task);
 if (mm && mm != current->mm && !ptrace_may_access(task, PTRACE_MODE_READ)) {
 mmput(mm);
- mm = NULL;
+ mm = ERR_PTR(-EACCES);
 }
 mutex_unlock(&task->cred_guard_mutex);
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index e2292ca..22538b0 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -118,11 +118,11 @@ static void *m_start(struct seq_file *m, loff_t *pos)
 priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
 if (!priv->task)
- return NULL;
+ return ERR_PTR(-ESRCH);
 mm = mm_for_maps(priv->task);
- if (!mm)
- return NULL;
+ if (!mm || IS_ERR(mm))
+ return mm;
 down_read(&mm->mmap_sem);
 tail_vma = get_gate_vma(priv->task);
@@ -716,9 +716,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
 if (!task)
 goto out;
- ret = -EACCES;
 mm = mm_for_maps(task);
- if (!mm)
+ ret = PTR_ERR(mm);
+ if (!mm || IS_ERR(mm))
 goto out_task;
 ret = -EINVAL;
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
index cb6306e..3d6ced8 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -198,13 +198,13 @@ static void *m_start(struct seq_file *m, loff_t *pos)
 /* pin the task and mm whilst we play with them */
 priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
 if (!priv->task)
- return NULL;
+ return ERR_PTR(-ESRCH);
 mm = mm_for_maps(priv->task);
- if (!mm) {
+ if (!mm || IS_ERR(mm)) {
 put_task_struct(priv->task);
 priv->task = NULL;
- return NULL;
+ return mm;
 }
 down_read(&mm->mmap_sem);
--
1.7.4.1
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team |
report errors in /proc/*/*map* sanely
From: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit ec6fd8a4355cda81cd9f06bebc048e83eb514ac7)
CVE-2011-1020
BugLink: http://bugs.launchpad.net/bugs/813026
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/proc/base.c | 8 +++++---
 fs/proc/task_mmu.c | 10 +++++-----
 fs/proc/task_nommu.c | 6 +++---
 3 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index a86bfd3..e406d56 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -225,15 +225,17 @@ static int check_mem_permission(struct task_struct *task)
 struct mm_struct *mm_for_maps(struct task_struct *task)
 {
 struct mm_struct *mm;
+ int err;
- if (mutex_lock_killable(&task->signal->cred_guard_mutex))
- return NULL;
+ err = mutex_lock_killable(&task->signal->cred_guard_mutex);
+ if (err)
+ return ERR_PTR(err);
 mm = get_task_mm(task);
 if (mm && mm != current->mm && !ptrace_may_access(task, PTRACE_MODE_READ)) {
 mmput(mm);
- mm = NULL;
+ mm = ERR_PTR(-EACCES);
 }
 mutex_unlock(&task->signal->cred_guard_mutex);
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 3fe21d5..77e7bb9 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -119,11 +119,11 @@ static void *m_start(struct seq_file *m, loff_t *pos)
 priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
 if (!priv->task)
- return NULL;
+ return ERR_PTR(-ESRCH);
 mm = mm_for_maps(priv->task);
- if (!mm)
- return NULL;
+ if (!mm || IS_ERR(mm))
+ return mm;
 down_read(&mm->mmap_sem);
 tail_vma = get_gate_vma(priv->task);
@@ -730,9 +730,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
 if (!task)
 goto out;
- ret = -EACCES;
 mm = mm_for_maps(task);
- if (!mm)
+ ret = PTR_ERR(mm);
+ if (!mm || IS_ERR(mm))
 goto out_task;
 ret = -EINVAL;
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
index b535d3e..980de54 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -199,13 +199,13 @@ static void *m_start(struct seq_file *m, loff_t *pos)
 /* pin the task and mm whilst we play with them */
 priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
 if (!priv->task)
- return NULL;
+ return ERR_PTR(-ESRCH);
 mm = mm_for_maps(priv->task);
- if (!mm) {
+ if (!mm || IS_ERR(mm)) {
 put_task_struct(priv->task);
 priv->task = NULL;
- return NULL;
+ return mm;
 }
 down_read(&mm->mmap_sem);
--
1.7.4.1
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team |