[PATCH 0/6] [hardy] CVE-2011-1082

Paolo Pisati paolo.pisati at canonical.com
Wed Oct 26 15:25:59 UTC 2011


CVE-2011-1082:
	fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file descriptors
	within other epoll data structures without properly checking for (1) closed
	loops or (2) deep chains, which allows local users to cause a denial of
	service (deadlock or stack memory consumption) via a crafted application that
	makes epoll_create and epoll_ctl system calls.

The following patchset is composed of:

-patch 6: the real fix that has already hit all the other releases
-patch 3: a prerequisite for patch 6
-patches 1,2,4,5: not strictly necessary, but eased the porting of patch 3
 and 6

Patches 1,2,4 and 5 are cherry-picks from upstream, while 3 and 6 had
modifications so review them carefully. Moreover patch 3 (originally) was
full of whitespace errors (spaces instead of tabs etc.) and git spits out a
lot of errors when applying: a subsequent patch that fixes these syntactic
errors was later issued (296e236e96dddef351a1809c0d414bcddfcf3800) but since
it would require modifications itself to be applied to our tree, I fixed
these whitespace errors in our patch.

Embedded in the commit msg of patch 6 there's a proof-of-concept code to test
the effectiveness of the fix:

without the fix, the program exits cleanly (and thus lets us create a circular
structure), while with the fix applied, the program exits with an error:

"epoll_ctl_failed: Too many levels of symbolic links"

and fails to create a circular structure.

Davide Libenzi (5):
  epoll: drop unnecessary test
  epoll: avoid double-inserts in case of EFAULT
  epoll: fix epoll's own poll
  epoll: fix nested calls support
  epoll: prevent creating circular epoll structures CVE-2011-1082

Tony Battersby (1):
  epoll: don't use current in irq context

 fs/eventpoll.c |  562 ++++++++++++++++++++++++++++++++++++++------------------
 1 files changed, 381 insertions(+), 181 deletions(-)

-- 
1.7.5.4
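The behaviour described above (clean exit on an unpatched kernel, ELOOP once the fix is in) can be reproduced without the PoC from patch 6's commit message, which this post does not quote. The following is an added example, written for this page and not taken from the patchset or from the Ubuntu kernel tree; the function names `build_chain`, `try_epoll_chain` and `try_epoll_loop` are this example's own. It assumes a Linux kernel (epoll is Linux-only) and uses `epoll_create(size)` rather than `epoll_create1` so it also builds against a Hardy-era glibc. It goes one step beyond the two-fd case: the chain is n deep, so the closing insert exercises the recursive walk the fix performs, not just the direct parent/child check.

```c
/*
 * Added example for CVE-2011-1082 (not the PoC embedded in patch 6).
 * Builds a chain of nested epoll sets, then tries to close it into a loop.
 * A kernel carrying the fix rejects the closing epoll_ctl with ELOOP
 * ("Too many levels of symbolic links"); an unpatched kernel accepts it.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

#define MAX_EPS 8   /* stay well below the kernel's nesting limits */

/* Make epoll set `parent` watch epoll fd `child`.
 * Returns 0 on success, otherwise the errno reported by epoll_ctl. */
static int ep_add(int parent, int child)
{
    struct epoll_event ev;
    memset(&ev, 0, sizeof ev);
    ev.events = EPOLLIN;
    ev.data.fd = child;
    return epoll_ctl(parent, EPOLL_CTL_ADD, child, &ev) == -1 ? errno : 0;
}

/* Create n epoll fds and chain them top-down: eps[0] watches eps[1],
 * eps[1] watches eps[2], ... Every insert here adds an epoll fd whose own
 * set is still empty, so it is legitimate nesting and must succeed.
 * Returns 0 or the first errno seen; fds stay open for the caller. */
static int build_chain(int *eps, int n)
{
    int i, rc = 0;
    for (i = 0; i < n; i++) {
        eps[i] = epoll_create(1);    /* size arg is ignored but must be > 0 */
        if (eps[i] == -1)
            return errno;
    }
    for (i = 0; i + 1 < n && rc == 0; i++)
        rc = ep_add(eps[i], eps[i + 1]);
    return rc;
}

static void close_all(int *eps, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (eps[i] != -1)
            close(eps[i]);
}

/* Legitimate nesting of depth n (no cycle): expected to return 0 on any
 * kernel, fixed or not. */
int try_epoll_chain(int n)
{
    int eps[MAX_EPS], i, rc;
    if (n < 1 || n > MAX_EPS)
        return EINVAL;
    for (i = 0; i < MAX_EPS; i++)
        eps[i] = -1;
    rc = build_chain(eps, n);
    close_all(eps, MAX_EPS);
    return rc;
}

/* Same chain, then the closing insert eps[n-1] -> eps[0], which would make
 * eps[0] reachable from itself. With the fix the kernel walks eps[0]'s
 * subtree, finds eps[n-1], and fails the insert with ELOOP; without the
 * fix this returns 0 and the circular structure exists. */
int try_epoll_loop(int n)
{
    int eps[MAX_EPS], i, rc;
    if (n < 2 || n > MAX_EPS)
        return EINVAL;
    for (i = 0; i < MAX_EPS; i++)
        eps[i] = -1;
    rc = build_chain(eps, n);
    if (rc == 0)
        rc = ep_add(eps[n - 1], eps[0]);   /* the edge that closes the loop */
    close_all(eps, MAX_EPS);
    return rc;
}

int main(void)
{
    int rc = try_epoll_loop(2);
    if (rc == 0)
        puts("loop accepted: kernel does NOT carry the CVE-2011-1082 fix");
    else
        printf("epoll_ctl failed: %s (%s)\n", strerror(rc),
               rc == ELOOP ? "fix present" : "unexpected errno");
    return 0;
}
```

Run it on the patched Hardy kernel and the expected line is `epoll_ctl failed: Too many levels of symbolic links (fix present)`; on the unpatched one it prints the "loop accepted" line and leaves the kernel holding the circular structure until the fds are closed. Keep n small (2 or 3): the fix also bounds nesting depth, and on later kernels a long chain can be refused for depth reasons before the loop check ever runs, which would blur the result.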

More information about the kernel-team mailing list