[CVE-2011-1020] fix races on various /proc files
apw at canonical.com
Thu Jul 21 13:13:30 UTC 2011
The proc filesystem implementation in the Linux kernel 2.6.37 and
earlier does not restrict access to the /proc directory tree of a
process after this process performs an exec of a setuid program,
which allows local users to obtain sensitive information or cause
a denial of service via open, lseek, read, and write system calls.
These have been fixed in oneiric via mainline. Following this email are
patch sets as below:
1) hardy -- of the five origin commits two apply to /proc files which have
yet to be creaed on hardy. The other three are simple additional checks
against ptrace as the exec locking is not yet present. This patch
represents the biggest backport and deserves most scrutiny.
2) lucid,lucid/fsl-imx51 -- two of the patches are simple cherry-picks,
the rest required mindor porting.
3) maverick,maverick/ti-omap4 -- mostly simple cherry-picks, with some
modifications to follow locking naming changes.
4) natty,natty/ti-omap4 -- mostly simple cherry-picks, the last patch
did require minor porting due to a printk format change.
All other branches are derivative of one of these.
I have built and booted kernels against master for all affected releases
(this covers all of the patch sets). I tested before and after with the
PoC from the original report and the hole seems closed:
Proposing for hardy, lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4,
natty, and natty/ti-omap4.
More information about the kernel-team