From: Greg Kroah-Hartman
Date: Tue, 21 Aug 2007 04:40:01 +0000 (-0700)
Subject: 2.6.22.4 release
X-Git-Tag: v2.6.22.4^0
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=b8a3876a479ca93da1dab60426ec2585cae39c2e;p=thirdparty%2Fkernel%2Fstable-queue.git
2.6.22.4 release
---
diff --git a/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch b/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch
new file mode 100644
index 00000000000..d17a61e719a
--- /dev/null
+++ b/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch
@@ -0,0 +1,49 @@
+From d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann
+Date: Fri, 17 Aug 2007 21:47:58 +0200
+Subject: Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)
+
+This fixes a vulnerability in the "parent process death signal"
+implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
+and iSEC Security Research.
+
+http://marc.info/?l=bugtraq&m=118711306802632&w=2
+
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/exec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -890,9 +890,12 @@ int flush_old_exec(struct linux_binprm *
+ */
+ current->mm->task_size = TASK_SIZE;
+
+- if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
+- file_permission(bprm->file, MAY_READ) ||
+- (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
++ if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
++ suid_keys(current);
++ current->mm->dumpable = suid_dumpable;
++ current->pdeath_signal = 0;
++ } else if (file_permission(bprm->file, MAY_READ) ||
++ (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+ suid_keys(current);
+ current->mm->dumpable = suid_dumpable;
+ }
+@@ -983,8 +986,10 @@ void compute_creds(struct linux_binprm *
+ {
+ int unsafe;
+
+- if (bprm->e_uid != current->uid)
++ if (bprm->e_uid != current->uid) {
+ suid_keys(current);
++ current->pdeath_signal = 0;
++ }
+ exec_keys(current);
+
+ task_lock(current);
diff --git a/releases/2.6.22.4/series b/releases/2.6.22.4/series
new file mode 100644
index 00000000000..32f78caf0bf
--- /dev/null
+++ b/releases/2.6.22.4/series
@@ -0,0 +1 @@
+reset-current-pdeath_signal-on-suid-binary-execution.patch
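Review bot: The two `current->pdeath_signal = 0;` resets in the embedded fs/exec.c patch sit behind different predicates, and neither has a comment saying why the value is cleared. In `flush_old_exec` the reset runs when `e_uid`/`e_gid` differ from `euid`/`egid`, while in `compute_creds` it runs only for `bprm->e_uid != current->uid`, so a gid-only change is handled by the first site alone. The new `else if` branch (unreadable binary or `BINPRM_FLAGS_ENFORCE_NONDUMP`) leaves the signal set, which looks intentional but is not stated. A short comment at each site, e.g. `/* death signal was requested under the old credentials; drop it when they change */`, would keep a later refactor from removing one reset or merging the branches back together. Both function bodies continue outside the embedded hunks, so whether other privilege-changing exec paths need the same reset cannot be judged from here.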