[CVE-2011-1020] fix races on various /proc files

Andy Whitcroft apw at canonical.com
Thu Jul 21 13:13:30 UTC 2011

	The proc filesystem implementation in the Linux kernel 2.6.37 and
	earlier does not restrict access to the /proc directory tree of a
	process after this process performs an exec of a setuid program,
	which allows local users to obtain sensitive information or cause
	a denial of service via open, lseek, read, and write system calls.

These have been fixed in oneiric via mainline.  Following this email are
patch sets as below:

1) hardy -- of the five origin commits two apply to /proc files which have
   yet to be creaed on hardy.  The other three are simple additional checks
   against ptrace as the exec locking is not yet present.  This patch
   represents the biggest backport and deserves most scrutiny.

2) lucid,lucid/fsl-imx51 -- two of the patches are simple cherry-picks,
   the rest required mindor porting.

3) maverick,maverick/ti-omap4 -- mostly simple cherry-picks, with some
   modifications to follow locking naming changes.

4) natty,natty/ti-omap4 -- mostly simple cherry-picks, the last patch
   did require minor porting due to a printk format change.

All other branches are derivative of one of these.

I have built and booted kernels against master for all affected releases
(this covers all of the patch sets).  I tested before and after with the
PoC from the original report and the hole seems closed:


Proposing for hardy, lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4,
natty, and natty/ti-omap4.


More information about the kernel-team mailing list