[APPLIED][CVE-2011-1593][Hardy][PATCH 1/2] next_pidmap: fix overflow condition, CVE-2011-1593

Steve Conklin sconklin at canonical.com
Tue May 24 21:30:47 UTC 2011


Applied

On Wed, 2011-05-18 at 18:16 -0300, Herton Ronaldo Krzesinski wrote:
> From: Linus Torvalds <torvalds at linux-foundation.org>
> 
> CVE-2011-1593
> 
> BugLink: https://bugs.launchpad.net/bugs/784727
> 
> Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12,
> 2.6.35.13, 2.6.38.4
> 
> next_pidmap() just quietly accepted whatever 'last' pid that was passed
> in, which is not all that safe when one of the users is /proc.
> 
> Admittedly the proc code should do some sanity checking on the range
> (and that will be the next commit), but that doesn't mean that the
> helper functions should just do that pidmap pointer arithmetic without
> checking the range of its arguments.
> 
> So clamp 'last' to PID_MAX_LIMIT.  The fact that we then do "last+1"
> doesn't really matter, the for-loop does check against the end of the
> pidmap array properly (it's only the actual pointer arithmetic overflow
> case we need to worry about, and going one bit beyond isn't going to
> overflow).
> 
> [ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]
> 
> Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
> Analyzed-by: Robert Święcki <robert at swiecki.net>
> Cc: Eric W. Biederman <ebiederm at xmission.com>
> Cc: Pavel Emelyanov <xemul at openvz.org>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (backported from commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b upstream)
> Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski at canonical.com>
> ---
>  .../openvz/patchset/0001-2.6.24-ovz002.patch       |    2 +-
>  kernel/pid.c                                       |    5 ++++-
>  2 files changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch b/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch
> index 729b278..6a8a613 100644
> --- a/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch
> +++ b/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch
> @@ -62556,7 +62556,7 @@ Index: kernel/kernel/pid.c
>  +	return pid;
>  +}
>  +
> - static int next_pidmap(struct pid_namespace *pid_ns, int last)
> + static int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
>   {
>   	int offset;
>  @@ -198,6 +231,7 @@
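Review bot: the `@@ -198,6 +231,7 @@` header of the embedded OpenVZ patch's next hunk is left as-is, but the kernel/pid.c hunk below inserts three lines (`if (last >= PID_MAX_LIMIT)`, `return -1;` and a blank) around line 184, so that later hunk's pre-image line numbers are now stale by three; `patch` will still apply it with an offset, but updating the header avoids fuzz noise when the patchset is regenerated. Touching only the `next_pidmap` signature context line is otherwise correct here: the added guard lands after the `int offset;` context line this hunk carries, so the embedded patch's context still matches the modified kernel/pid.c.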
> diff --git a/kernel/pid.c b/kernel/pid.c
> index f815455..29f0ac0 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -181,11 +181,14 @@ static int alloc_pidmap(struct pid_namespace *pid_ns)
>  	return -1;
>  }
>  
> -static int next_pidmap(struct pid_namespace *pid_ns, int last)
> +static int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
>  {
>  	int offset;
>  	struct pidmap *map, *end;
>  
> +	if (last >= PID_MAX_LIMIT)
> +		return -1;
> +
>  	offset = (last + 1) & BITS_PER_PAGE_MASK;
>  	map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];
>  	end = &pid_ns->pidmap[PIDMAP_ENTRIES];
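Review bot: the guard at `if (last >= PID_MAX_LIMIT) return -1;` only rejects negative callers' values because the parameter type also changes to `unsigned int last`, so an `int` argument such as -1 from the /proc seek path becomes a large unsigned value and fails the bound check before the `&pid_ns->pidmap[(last + 1)/BITS_PER_PAGE]` arithmetic; a short comment above the check stating this, and that `last + 1 == PID_MAX_LIMIT` is tolerated because the caller's loop compares `map` against `end` (as the commit message explains), would make the `>=` rather than `>` choice self-evident to the next reader. Please also confirm every caller of `next_pidmap()` passes a plain `int`/`unsigned int` and that no forward declaration of the old `int last` prototype remains elsewhere in the tree.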
> -- 
> 1.7.0.4
> 
> 
