Patchwork [CVE-2011-1593,Hardy,2/2] proc: do proper range check on readdir offset, CVE-2011-1593

login
register
mail settings
Submitter Herton Ronaldo Krzesinski
Date May 18, 2011, 9:16 p.m.
Message ID <1305753408-6848-3-git-send-email-herton.krzesinski@canonical.com>
Download mbox | patch
Permalink /patch/96250/
State New
Headers show

Comments

Herton Ronaldo Krzesinski - May 18, 2011, 9:16 p.m.
From: Linus Torvalds <torvalds@linux-foundation.org>

CVE-2011-1593

BugLink: https://bugs.launchpad.net/bugs/784727

Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12,
2.6.35.13, 2.6.38.4

Rather than pass in some random truncated offset to the pid-related
functions, check that the offset is in range up-front.

This is just cleanup, the previous commit fixed the real problem.

Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream)
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
---
 fs/proc/base.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)
Brad Figg - May 18, 2011, 10:12 p.m.
On 05/18/2011 02:16 PM, Herton Ronaldo Krzesinski wrote:
> From: Linus Torvalds<torvalds@linux-foundation.org>
>
> CVE-2011-1593
>
> BugLink: https://bugs.launchpad.net/bugs/784727
>
> Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12,
> 2.6.35.13, 2.6.38.4
>
> Rather than pass in some random truncated offset to the pid-related
> functions, check that the offset is in range up-front.
>
> This is just cleanup, the previous commit fixed the real problem.
>
> Cc: stable@kernel.org
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
> (cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream)
> Signed-off-by: Herton Ronaldo Krzesinski<herton.krzesinski@canonical.com>
> ---
>   fs/proc/base.c |    9 +++++++--
>   1 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 1898c49..a91dc82 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
>   /* for the /proc/ directory itself, after non-process stuff has been done */
>   int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
>   {
> -	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
> -	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
> +	unsigned int nr;
> +	struct task_struct *reaper;
>   	struct tgid_iter iter;
>   	struct pid_namespace *ns;
>
> +	if (filp->f_pos>= PID_MAX_LIMIT + TGID_OFFSET)
> +		goto out_no_task;
> +	nr = filp->f_pos - FIRST_PROCESS_ENTRY;
> +
> +	reaper = get_proc_task(filp->f_path.dentry->d_inode);
>   	if (!reaper)
>   		goto out_no_task;
>

Acked-by: Brad Figg <brad.figg@canonical.com>
John Johansen - May 19, 2011, 12:19 a.m.
On 05/18/2011 02:16 PM, Herton Ronaldo Krzesinski wrote:
> From: Linus Torvalds <torvalds@linux-foundation.org>
> 
> CVE-2011-1593
> 
> BugLink: https://bugs.launchpad.net/bugs/784727
> 
> Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12,
> 2.6.35.13, 2.6.38.4
> 
> Rather than pass in some random truncated offset to the pid-related
> functions, check that the offset is in range up-front.
> 
> This is just cleanup, the previous commit fixed the real problem.
> 
> Cc: stable@kernel.org
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream)
> Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>

Acked-by: John Johansen <john.johansen@canonical.com>


> ---
>  fs/proc/base.c |    9 +++++++--
>  1 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 1898c49..a91dc82 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
>  /* for the /proc/ directory itself, after non-process stuff has been done */
>  int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
>  {
> -	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
> -	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
> +	unsigned int nr;
> +	struct task_struct *reaper;
>  	struct tgid_iter iter;
>  	struct pid_namespace *ns;
>  
> +	if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
> +		goto out_no_task;
> +	nr = filp->f_pos - FIRST_PROCESS_ENTRY;
> +
> +	reaper = get_proc_task(filp->f_path.dentry->d_inode);
>  	if (!reaper)
>  		goto out_no_task;
>
Steve Conklin - May 24, 2011, 9:31 p.m.
Applied

On Wed, 2011-05-18 at 18:16 -0300, Herton Ronaldo Krzesinski wrote:
> From: Linus Torvalds <torvalds@linux-foundation.org>
> 
> CVE-2011-1593
> 
> BugLink: https://bugs.launchpad.net/bugs/784727
> 
> Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12,
> 2.6.35.13, 2.6.38.4
> 
> Rather than pass in some random truncated offset to the pid-related
> functions, check that the offset is in range up-front.
> 
> This is just cleanup, the previous commit fixed the real problem.
> 
> Cc: stable@kernel.org
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream)
> Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
> ---
>  fs/proc/base.c |    9 +++++++--
>  1 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 1898c49..a91dc82 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
>  /* for the /proc/ directory itself, after non-process stuff has been done */
>  int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
>  {
> -	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
> -	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
> +	unsigned int nr;
> +	struct task_struct *reaper;
>  	struct tgid_iter iter;
>  	struct pid_namespace *ns;
>  
> +	if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
> +		goto out_no_task;
> +	nr = filp->f_pos - FIRST_PROCESS_ENTRY;
> +
> +	reaper = get_proc_task(filp->f_path.dentry->d_inode);
>  	if (!reaper)
>  		goto out_no_task;
>  
> -- 
> 1.7.0.4
> 
>

Patch

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 1898c49..a91dc82 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2560,11 +2560,16 @@  static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
 /* for the /proc/ directory itself, after non-process stuff has been done */
 int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
 {
-	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
-	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+	unsigned int nr;
+	struct task_struct *reaper;
 	struct tgid_iter iter;
 	struct pid_namespace *ns;
 
+	if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
+		goto out_no_task;
+	nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+
+	reaper = get_proc_task(filp->f_path.dentry->d_inode);
 	if (!reaper)
 		goto out_no_task;