[CVE-2011-1593][Hardy][PATCH 2/2] proc: do proper range check on readdir offset, CVE-2011-1593
John Johansen
john.johansen at canonical.com
Thu May 19 00:19:30 UTC 2011
On 05/18/2011 02:16 PM, Herton Ronaldo Krzesinski wrote:
> From: Linus Torvalds <torvalds at linux-foundation.org>
>
> CVE-2011-1593
>
> BugLink: https://bugs.launchpad.net/bugs/784727
>
> Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12,
> 2.6.35.13, 2.6.38.4
>
> Rather than pass in some random truncated offset to the pid-related
> functions, check that the offset is in range up-front.
>
> This is just cleanup, the previous commit fixed the real problem.
>
> Cc: stable at kernel.org
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream)
> Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> fs/proc/base.c | 9 +++++++--
> 1 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 1898c49..a91dc82 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
> /* for the /proc/ directory itself, after non-process stuff has been done */
> int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
> {
> - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
> - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
> + unsigned int nr;
> + struct task_struct *reaper;
> struct tgid_iter iter;
> struct pid_namespace *ns;
>
> + if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
> + goto out_no_task;
> + nr = filp->f_pos - FIRST_PROCESS_ENTRY;
> +
> + reaper = get_proc_task(filp->f_path.dentry->d_inode);
> if (!reaper)
> goto out_no_task;
>
More information about the kernel-team
mailing list