ACK: [PATCH 0/6] [hardy] CVE-2011-1082

Stefan Bader stefan.bader at canonical.com
Fri Oct 28 08:45:17 UTC 2011


On 26.10.2011 17:25, Paolo Pisati wrote:
> CVE-2011-1082:
> 	fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file descriptors
> 	within other epoll data structures without properly checking for (1) closed
> 	loops or (2) deep chains, which allows local users to cause a denial of
> 	service (deadlock or stack memory consumption) via a crafted application that
> 	makes epoll_create and epoll_ctl system calls.
> 
> The following patchset is composed of:
> 
> -patch 6: the real fix that has already hit all the other releases
> -patch 3: a prerequisite for patch 6
> -patches 1,2,4,5: not strictly necessary, but eased the porting of patch 3
>  and 6
> 
> Patches 1,2,4 and 5 are cherry-picks from upstream, while 3 and 6 had
> modifications so review them carefully. Moreover patch 3 (originally) was
> full of whitespace errors (spaces instead of tabs&c) and git spits out a
> lot of errors when applying: a subsequent patch that fixes these syntactic
> errors was later issued (296e236e96dddef351a1809c0d414bcddfcf3800) but since
> it would require modifications itself to be applied to our tree, I fixed
> these whitespace errors in our patch.
> 
> Embedded in the commit msg of patch 6 there's a proof-of-concept code to test
> the effectiveness of the fix:
> 
> without the fix, the program exits cleanly (and thus let us create a circular
> structure), while with the fix applied, the program exits with an error:
> 
> "epoll_ctl_failed: Too many levels of symbolic links"
> 
> and fails to create a circular structure.
> 
> Davide Libenzi (5):
>   epoll: drop unnecessary test
>   epoll: avoid double-inserts in case of EFAULT
>   epoll: fix epoll's own poll
>   epoll: fix nested calls support
>   epoll: prevent creating circular epoll structures CVE-2011-1082
> 
> Tony Battersby (1):
>   epoll: don't use current in irq context
> 
>  fs/eventpoll.c |  562 ++++++++++++++++++++++++++++++++++++++------------------
>  1 files changed, 381 insertions(+), 181 deletions(-)
> 
After discussing this, I think the set looks ok (just need to add BugLink and
CVE tag to all of the patches when applying)

Acked-by: Stefan Bader <smb at canonical.com>
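As an added illustration of the behaviour the quoted mail describes (this is not the proof-of-concept embedded in patch 6, nor any code from the patchset): a small userspace check that asks the running kernel whether it refuses a circular epoll structure. It nests epoll fd B inside A and then attempts to nest A inside B; a kernel carrying the fix fails that second epoll_ctl with ELOOP, which strerror renders as "Too many levels of symbolic links", exactly the message quoted above. The function name and the return-value convention are this example's own choices.

```c
/* Added example, not part of the patchset: probe whether the running kernel
 * rejects a circular epoll structure (the CVE-2011-1082 fix).  Builds A -> B,
 * then tries B -> A, and reports how the kernel answered. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Returns the errno of the epoll_ctl that would close the cycle:
 *   ELOOP -> the kernel refused the cycle (fix present)
 *   0     -> the cycle was accepted (fix absent); it is torn down again at once
 *   -1    -> setup failed for an unrelated reason (details on stderr)
 */
int epoll_cycle_errno(void)
{
    int result = -1;
    struct epoll_event ev;

    /* epoll_create(size) rather than epoll_create1(): the size argument is
     * ignored by modern kernels, but the call also exists on older kernels
     * such as the hardy 2.6.24 one this thread is about. */
    int a = epoll_create(1);
    if (a < 0) {
        perror("epoll_create(a)");
        return -1;
    }
    int b = epoll_create(1);
    if (b < 0) {
        perror("epoll_create(b)");
        close(a);
        return -1;
    }

    memset(&ev, 0, sizeof ev);
    ev.events = EPOLLIN;

    /* Step 1: nest B inside A.  This is legal on every kernel. */
    ev.data.fd = b;
    if (epoll_ctl(a, EPOLL_CTL_ADD, b, &ev) < 0) {
        perror("epoll_ctl(a <- b)");
        goto out;
    }

    /* Step 2: nest A inside B, which would close the loop A -> B -> A. */
    ev.data.fd = a;
    if (epoll_ctl(b, EPOLL_CTL_ADD, a, &ev) == 0) {
        result = 0;                           /* cycle created: unfixed kernel */
        epoll_ctl(b, EPOLL_CTL_DEL, a, NULL); /* break the cycle again immediately */
    } else {
        result = errno;                       /* ELOOP on a fixed kernel */
    }
    epoll_ctl(a, EPOLL_CTL_DEL, b, NULL);

out:
    close(b);
    close(a);
    return result;
}

int main(void)
{
    int e = epoll_cycle_errno();

    if (e == ELOOP)
        printf("circular epoll nesting rejected: %s\n", strerror(e));
    else if (e == 0)
        printf("circular epoll nesting ACCEPTED: this kernel lacks the fix\n");
    else if (e > 0)
        printf("unexpected epoll_ctl error: %s\n", strerror(e));
    else
        printf("could not run the check\n");

    return e == ELOOP ? 0 : 1;
}
```

The check tears down whatever it created before returning, so it is safe to run as a regression test on a patched kernel; on any kernel that still accepts the second epoll_ctl the function returns 0 and the program exits non-zero, which is the signal that the fix is missing.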
