| Message ID | 1305753408-6848-3-git-send-email-herton.krzesinski@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 05/18/2011 02:16 PM, Herton Ronaldo Krzesinski wrote: > From: Linus Torvalds<torvalds@linux-foundation.org> > > CVE-2011-1593 > > BugLink: https://bugs.launchpad.net/bugs/784727 > > Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12, > 2.6.35.13, 2.6.38.4 > > Rather than pass in some random truncated offset to the pid-related > functions, check that the offset is in range up-front. > > This is just cleanup, the previous commit fixed the real problem. > > Cc: stable@kernel.org > Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org> > (cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream) > Signed-off-by: Herton Ronaldo Krzesinski<herton.krzesinski@canonical.com> > --- > fs/proc/base.c | 9 +++++++-- > 1 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 1898c49..a91dc82 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi > /* for the /proc/ directory itself, after non-process stuff has been done */ > int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) > { > - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; > - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode); > + unsigned int nr; > + struct task_struct *reaper; > struct tgid_iter iter; > struct pid_namespace *ns; > > + if (filp->f_pos>= PID_MAX_LIMIT + TGID_OFFSET) > + goto out_no_task; > + nr = filp->f_pos - FIRST_PROCESS_ENTRY; > + > + reaper = get_proc_task(filp->f_path.dentry->d_inode); > if (!reaper) > goto out_no_task; > Acked-by: Brad Figg <brad.figg@canonical.com>
On 05/18/2011 02:16 PM, Herton Ronaldo Krzesinski wrote: > From: Linus Torvalds <torvalds@linux-foundation.org> > > CVE-2011-1593 > > BugLink: https://bugs.launchpad.net/bugs/784727 > > Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12, > 2.6.35.13, 2.6.38.4 > > Rather than pass in some random truncated offset to the pid-related > functions, check that the offset is in range up-front. > > This is just cleanup, the previous commit fixed the real problem. > > Cc: stable@kernel.org > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > (cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream) > Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> > --- > fs/proc/base.c | 9 +++++++-- > 1 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 1898c49..a91dc82 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi > /* for the /proc/ directory itself, after non-process stuff has been done */ > int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) > { > - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; > - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode); > + unsigned int nr; > + struct task_struct *reaper; > struct tgid_iter iter; > struct pid_namespace *ns; > > + if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET) > + goto out_no_task; > + nr = filp->f_pos - FIRST_PROCESS_ENTRY; > + > + reaper = get_proc_task(filp->f_path.dentry->d_inode); > if (!reaper) > goto out_no_task; >
Applied On Wed, 2011-05-18 at 18:16 -0300, Herton Ronaldo Krzesinski wrote: > From: Linus Torvalds <torvalds@linux-foundation.org> > > CVE-2011-1593 > > BugLink: https://bugs.launchpad.net/bugs/784727 > > Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12, > 2.6.35.13, 2.6.38.4 > > Rather than pass in some random truncated offset to the pid-related > functions, check that the offset is in range up-front. > > This is just cleanup, the previous commit fixed the real problem. > > Cc: stable@kernel.org > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > (cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream) > Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com> > --- > fs/proc/base.c | 9 +++++++-- > 1 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 1898c49..a91dc82 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi > /* for the /proc/ directory itself, after non-process stuff has been done */ > int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) > { > - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; > - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode); > + unsigned int nr; > + struct task_struct *reaper; > struct tgid_iter iter; > struct pid_namespace *ns; > > + if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET) > + goto out_no_task; > + nr = filp->f_pos - FIRST_PROCESS_ENTRY; > + > + reaper = get_proc_task(filp->f_path.dentry->d_inode); > if (!reaper) > goto out_no_task; > > -- > 1.7.0.4 > >
diff --git a/fs/proc/base.c b/fs/proc/base.c index 1898c49..a91dc82 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi /* for the /proc/ directory itself, after non-process stuff has been done */ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) { - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode); + unsigned int nr; + struct task_struct *reaper; struct tgid_iter iter; struct pid_namespace *ns; + if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET) + goto out_no_task; + nr = filp->f_pos - FIRST_PROCESS_ENTRY; + + reaper = get_proc_task(filp->f_path.dentry->d_inode); if (!reaper) goto out_no_task;