[PATCH 0/6] [hardy] CVE-2011-1082
Paolo Pisati
paolo.pisati at canonical.com
Wed Oct 26 15:25:59 UTC 2011
CVE-2011-1082:
fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file descriptors
within other epoll data structures without properly checking for (1) closed
loops or (2) deep chains, which allows local users to cause a denial of
service (deadlock or stack memory consumption) via a crafted application that
makes epoll_create and epoll_ctl system calls.
The following patchset is composed of:
-patch 6: the real fix that has already hit all the other releases
-patch 3: a prerequisite for patch 6
-patches 1,2,4,5: not strictly necessary, but eased the porting of patch 3
and 6
Patches 1,2,4 and 5 are cherry-picks from upstream, while 3 and 6 had
modifications so review them carefully. Moreover patch 3 (originally) was
full of whitespace errors (spaces instead of tabs&c) and git spits out a
lot of errors when applying: a subsequent patch that fixes these syntactic
errors was later issued (296e236e96dddef351a1809c0d414bcddfcf3800) but since
it would require modifications itself to be applied to our tree, I fixed
these whitespace errors in our patch.
Embedded in the commit msg of patch 6 there's a proof-of-concept code to test
the effectiveness of the fix:
without the fix, the program exits cleanly (and thus lets us create a circular
structure), while with the fix applied, the program exits with an error:
"epoll_ctl_failed: Too many levels of symbolic links"
and fails to create a circular structure.
Davide Libenzi (5):
epoll: drop unnecessary test
epoll: avoid double-inserts in case of EFAULT
epoll: fix epoll's own poll
epoll: fix nested calls support
epoll: prevent creating circular epoll structures CVE-2011-1082
Tony Battersby (1):
epoll: don't use current in irq context
fs/eventpoll.c | 562 ++++++++++++++++++++++++++++++++++++++------------------
1 files changed, 381 insertions(+), 181 deletions(-)
--
1.7.5.4
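The check described in the cover letter (nest two epoll instances into each other and see whether the second epoll_ctl fails with ELOOP), written here as an added regression check; this is not the proof-of-concept embedded in patch 6, and the function name epoll_cycle_is_rejected is my own. It assumes a Linux host.

```c
/* Added example, not the PoC from the commit message: a small regression
 * check that the kernel refuses to link two epoll instances into a cycle.
 * Linux only (sys/epoll.h). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Returns 1 if the kernel rejects the circular insert with ELOOP (fix present),
 * 0 if the insert succeeds or fails with another errno, -1 on setup error. */
int epoll_cycle_is_rejected(void)
{
    int a = epoll_create(1);
    int b = epoll_create(1);
    int result = -1;
    struct epoll_event ev;

    memset(&ev, 0, sizeof(ev));
    ev.events = EPOLLIN;

    if (a < 0 || b < 0)
        goto out;

    /* Legitimate nesting: epoll instance b is watched by epoll instance a. */
    ev.data.fd = b;
    if (epoll_ctl(a, EPOLL_CTL_ADD, b, &ev) != 0)
        goto out;

    /* Closing the loop: a watched by b. A fixed kernel refuses this with ELOOP. */
    ev.data.fd = a;
    if (epoll_ctl(b, EPOLL_CTL_ADD, a, &ev) == 0) {
        /* The loop was accepted: break it again before returning. */
        epoll_ctl(b, EPOLL_CTL_DEL, a, NULL);
        result = 0;
    } else {
        result = (errno == ELOOP) ? 1 : 0;
    }
out:
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return result;
}

int main(void)
{
    int r = epoll_cycle_is_rejected();
    if (r == 1)
        printf("circular epoll insert rejected: %s (fix present)\n", strerror(ELOOP));
    else if (r == 0)
        puts("circular epoll structure was allowed: kernel lacks the fix");
    else
        perror("setup failed");
    return r == 1 ? 0 : 1;
}
```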