[ACK] [CVE-2011-1020] fix races on various /proc files
stefan.bader at canonical.com
Thu Jul 21 14:09:19 UTC 2011
On 21.07.2011 15:13, Andy Whitcroft wrote:
> The proc filesystem implementation in the Linux kernel 2.6.37 and
> earlier does not restrict access to the /proc directory tree of a
> process after this process performs an exec of a setuid program,
> which allows local users to obtain sensitive information or cause
> a denial of service via open, lseek, read, and write system calls.
> These have been fixed in oneiric via mainline. Following this email are
> patch sets as below:
> 1) hardy -- of the five origin commits two apply to /proc files which have
> yet to be creaed on hardy. The other three are simple additional checks
> against ptrace as the exec locking is not yet present. This patch
> represents the biggest backport and deserves most scrutiny.
> 2) lucid,lucid/fsl-imx51 -- two of the patches are simple cherry-picks,
> the rest required mindor porting.
> 3) maverick,maverick/ti-omap4 -- mostly simple cherry-picks, with some
> modifications to follow locking naming changes.
> 4) natty,natty/ti-omap4 -- mostly simple cherry-picks, the last patch
> did require minor porting due to a printk format change.
> All other branches are derivative of one of these.
> I have built and booted kernels against master for all affected releases
> (this covers all of the patch sets). I tested before and after with the
> PoC from the original report and the hole seems closed:
> Proposing for hardy, lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4,
> natty, and natty/ti-omap4.
Agreeably there may exist a tiny window where the check does not catch things on
Hardy. But I think it is really tiny. And much better than not to check at all
or trying to get all that locking back there...
Acked-by: Stefan Bader <stefan.bader at canonical.com>
More information about the kernel-team