[ACK] [CVE-2011-1020] fix races on various /proc files

Stefan Bader stefan.bader at canonical.com
Thu Jul 21 14:09:19 UTC 2011

On 21.07.2011 15:13, Andy Whitcroft wrote:
> CVE-2011-1020
> 	The proc filesystem implementation in the Linux kernel 2.6.37 and
> 	earlier does not restrict access to the /proc directory tree of a
> 	process after this process performs an exec of a setuid program,
> 	which allows local users to obtain sensitive information or cause
> 	a denial of service via open, lseek, read, and write system calls.
> These have been fixed in oneiric via mainline.  Following this email are
> patch sets as below:
> 1) hardy -- of the five origin commits two apply to /proc files which have
>    yet to be creaed on hardy.  The other three are simple additional checks
>    against ptrace as the exec locking is not yet present.  This patch
>    represents the biggest backport and deserves most scrutiny.
> 2) lucid,lucid/fsl-imx51 -- two of the patches are simple cherry-picks,
>    the rest required mindor porting.
> 3) maverick,maverick/ti-omap4 -- mostly simple cherry-picks, with some
>    modifications to follow locking naming changes.
> 4) natty,natty/ti-omap4 -- mostly simple cherry-picks, the last patch
>    did require minor porting due to a printk format change.
> All other branches are derivative of one of these.
> I have built and booted kernels against master for all affected releases
> (this covers all of the patch sets).  I tested before and after with the
> PoC from the original report and the hole seems closed:
>     https://lkml.org/lkml/2011/2/7/368
> Proposing for hardy, lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4,
> natty, and natty/ti-omap4.
> -apw
Agreeably there may exist a tiny window where the check does not catch things on
Hardy. But I think it is really tiny. And much better than not to check at all
or trying to get all that locking back there...

Acked-by: Stefan Bader <stefan.bader at canonical.com>

More information about the kernel-team mailing list