FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team
Reload this Page APPLIED: close races in /proc/*/{environ, auxv}, CVE-2011-1020

 
 
LinkBack Thread Tools
 
Old 07-21-2011, 05:50 PM
Tim Gardner
 
Default APPLIED: close races in /proc/*/{environ, auxv}, CVE-2011-1020
On 07/21/2011 06:13 AM, Andy Whitcroft wrote:

Equivalent to:
commit ec6fd8a4355cda81cd9f06bebc048e83eb514ac7
commit d6f64b89d7ff22ce05896ab4a93a653e8d0b123d
commit 2fadaef41283aad7100fa73f01998cddaca25833

Note that the locking is looser than that in upstream this may leaves
a small window which may be exploitable, that said the locks which are
used to ensure there is no window are not in existance back in hardy.
Indeed the races in exec which they are introduced to fix are also present.

CVE-2011-1020
BugLink: http://bugs.launchpad.net/bugs/813026
Signed-off-by: Andy Whitcroft<apw@canonical.com>
---
fs/proc/base.c | 25 ++++++++++++++++++++-----
1 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 338097a..a68a4ba 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -222,6 +222,24 @@ out:
return NULL;
}

+struct mm_struct *mm_for_maps2(struct task_struct *task)
+{
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ return NULL;
+ task_lock(task);
+ if (task->mm != mm)
+ goto out;
+ if (task->mm != current->mm&& __ptrace_may_attach(task)< 0)
+ goto out;
+ task_unlock(task);
+ return mm;
+out:
+ task_unlock(task);
+ mmput(mm);
+ return NULL;
+}
+
static int proc_pid_cmdline(struct task_struct *task, char * buffer)
{
int res = 0;
@@ -262,7 +280,7 @@ out:
static int proc_pid_auxv(struct task_struct *task, char *buffer)
{
int res = 0;
- struct mm_struct *mm = get_task_mm(task);
+ struct mm_struct *mm = mm_for_maps2(task);
if (mm) {
unsigned int nwords = 0;
do
@@ -827,9 +845,6 @@ static ssize_t environ_read(struct file *file, char __user *buf,
if (!task)
goto out_no_task;

- if (!ptrace_may_attach(task))
- goto out;
-
ret = -ENOMEM;
page = (char *)__get_free_page(GFP_TEMPORARY);
if (!page)
@@ -837,7 +852,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,

ret = 0;

- mm = get_task_mm(task);
+ mm = mm_for_maps2(task);
if (!mm)
goto out_free;




--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 07:05 PM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org

Contact Us - Linux Archive - Archive - Top -