From 417df6e083cceae976427c7d1dc0b4dea553c39e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 2 Aug 2011 15:08:32 -0700 Subject: [PATCH] some more .39 patches --- .../alpha-fix-several-security-issues.patch | 91 +++++++++++++++++++ ...ll-doesn-t-mean-the-memory-was-freed.patch | 50 ++++++++++ .../proc-restrict-access-to-proc-pid-io.patch | 56 ++++++++++++ review-2.6.39/series | 3 + 4 files changed, 200 insertions(+) create mode 100644 review-2.6.39/alpha-fix-several-security-issues.patch create mode 100644 review-2.6.39/oom-task-mm-null-doesn-t-mean-the-memory-was-freed.patch create mode 100644 review-2.6.39/proc-restrict-access-to-proc-pid-io.patch diff --git a/review-2.6.39/alpha-fix-several-security-issues.patch b/review-2.6.39/alpha-fix-several-security-issues.patch new file mode 100644 index 00000000000..5c07342364c --- /dev/null +++ b/review-2.6.39/alpha-fix-several-security-issues.patch @@ -0,0 +1,91 @@ +From 21c5977a836e399fc710ff2c5367845ed5c2527f Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Wed, 15 Jun 2011 15:09:01 -0700 +Subject: alpha: fix several security issues + +From: Dan Rosenberg + +commit 21c5977a836e399fc710ff2c5367845ed5c2527f upstream. + +Fix several security issues in Alpha-specific syscalls. Untested, but +mostly trivial. + +1. Signedness issue in osf_getdomainname allows copying out-of-bounds +kernel memory to userland. + +2. Signedness issue in osf_sysinfo allows copying large amounts of +kernel memory to userland. + +3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy +size, allowing copying large amounts of kernel memory to userland. + +4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows +privilege escalation via writing return value of sys_wait4 to kernel +memory. + +Signed-off-by: Dan Rosenberg +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Cc: Matt Turner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/kernel/osf_sys.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/arch/alpha/kernel/osf_sys.c ++++ b/arch/alpha/kernel/osf_sys.c +@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char + return -EFAULT; + + len = namelen; +- if (namelen > 32) ++ if (len > 32) + len = 32; + + down_read(&uts_sem); +@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman + down_read(&uts_sem); + res = sysinfo_table[offset]; + len = strlen(res)+1; +- if (len > count) ++ if ((unsigned long)len > (unsigned long)count) + len = count; + if (copy_to_user(buf, res, len)) + err = -EFAULT; +@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned + return 1; + + case GSI_GET_HWRPB: +- if (nbytes < sizeof(*hwrpb)) ++ if (nbytes > sizeof(*hwrpb)) + return -EINVAL; + if (copy_to_user(buffer, hwrpb, nbytes) != 0) + return -EFAULT; +@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i + { + struct rusage r; + long ret, err; ++ unsigned int status = 0; + mm_segment_t old_fs; + + if (!ur) +@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i + old_fs = get_fs(); + + set_fs (KERNEL_DS); +- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r); ++ ret = sys_wait4(pid, (unsigned int __user *) &status, options, ++ (struct rusage __user *) &r); + set_fs (old_fs); + + if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur))) + return -EFAULT; + + err = 0; ++ err |= put_user(status, ustatus); + err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec); + err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec); + err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec); diff --git a/review-2.6.39/oom-task-mm-null-doesn-t-mean-the-memory-was-freed.patch b/review-2.6.39/oom-task-mm-null-doesn-t-mean-the-memory-was-freed.patch new file mode 100644 index 00000000000..016baf57842 --- /dev/null +++ b/review-2.6.39/oom-task-mm-null-doesn-t-mean-the-memory-was-freed.patch @@ -0,0 +1,50 @@ +From c027a474a68065391c8773f6e83ed5412657e369 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Sat, 30 Jul 2011 16:35:02 +0200 +Subject: oom: task->mm == NULL doesn't mean the memory was freed + +From: Oleg Nesterov + +commit c027a474a68065391c8773f6e83ed5412657e369 upstream. + +exit_mm() sets ->mm == NULL then it does mmput()->exit_mmap() which +frees the memory. + +However select_bad_process() checks ->mm != NULL before TIF_MEMDIE, +so it continues to kill other tasks even if we have the oom-killed +task freeing its memory. + +Change select_bad_process() to check ->mm after TIF_MEMDIE, but skip +the tasks which have already passed exit_notify() to ensure a zombie +with TIF_MEMDIE set can't block oom-killer. Alternatively we could +probably clear TIF_MEMDIE after exit_mmap(). + +Signed-off-by: Oleg Nesterov +Reviewed-by: KOSAKI Motohiro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/oom_kill.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -285,7 +285,7 @@ static struct task_struct *select_bad_pr + do_each_thread(g, p) { + unsigned int points; + +- if (!p->mm) ++ if (p->exit_state) + continue; + if (oom_unkillable_task(p, mem, nodemask)) + continue; +@@ -301,6 +301,8 @@ static struct task_struct *select_bad_pr + */ + if (test_tsk_thread_flag(p, TIF_MEMDIE)) + return ERR_PTR(-1UL); ++ if (!p->mm) ++ continue; + + if (p->flags & PF_EXITING) { + /* diff --git a/review-2.6.39/proc-restrict-access-to-proc-pid-io.patch b/review-2.6.39/proc-restrict-access-to-proc-pid-io.patch new file mode 100644 index 00000000000..6e8dedfb18c --- /dev/null +++ b/review-2.6.39/proc-restrict-access-to-proc-pid-io.patch @@ -0,0 +1,56 @@ +From 1d1221f375c94ef961ba8574ac4f85c8870ddd51 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Fri, 24 Jun 2011 16:08:38 +0400 +Subject: proc: restrict access to /proc/PID/io + +From: Vasiliy Kulikov + +commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51 upstream. + +/proc/PID/io may be used for gathering private information. E.g. for +openssh and vsftpd daemons wchars/rchars may be used to learn the +precise password length. Restrict it to processes being able to ptrace +the target process. + +ptrace_may_access() is needed to prevent keeping open file descriptor of +"io" file, executing setuid binary and gathering io information of the +setuid'ed process. + +Signed-off-by: Vasiliy Kulikov +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -2762,6 +2762,9 @@ static int do_io_accounting(struct task_ + struct task_io_accounting acct = task->ioac; + unsigned long flags; + ++ if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ return -EACCES; ++ + if (whole && lock_task_sighand(task, &flags)) { + struct task_struct *t = task; + +@@ -2892,7 +2895,7 @@ static const struct pid_entry tgid_base_ + REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations), + #endif + #ifdef CONFIG_TASK_IO_ACCOUNTING +- INF("io", S_IRUGO, proc_tgid_io_accounting), ++ INF("io", S_IRUSR, proc_tgid_io_accounting), + #endif + }; + +@@ -3230,7 +3233,7 @@ static const struct pid_entry tid_base_s + REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations), + #endif + #ifdef CONFIG_TASK_IO_ACCOUNTING +- INF("io", S_IRUGO, proc_tid_io_accounting), ++ INF("io", S_IRUSR, proc_tid_io_accounting), + #endif + }; + diff --git a/review-2.6.39/series b/review-2.6.39/series index 6bb4232b19b..85348598183 100644 --- a/review-2.6.39/series +++ b/review-2.6.39/series @@ -69,3 +69,6 @@ cifs-lower-default-and-max-wsize-to-what-2.6.39-can-handle.patch bridge-send-proper-message_age-in-config-bpdu.patch gro-only-reset-frag0-when-skb-can-be-pulled.patch fs-cache-fix-__fscache_uncache_all_inode_pages-s-outer.patch +oom-task-mm-null-doesn-t-mean-the-memory-was-freed.patch +proc-restrict-access-to-proc-pid-io.patch +alpha-fix-several-security-issues.patch -- 2.47.3