From patchwork Wed May 18 21:16:47 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Herton Ronaldo Krzesinski X-Patchwork-Id: 96249 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 7EE07B6F6C for ; Thu, 19 May 2011 07:17:09 +1000 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1QMo72-0006pX-Sq; Wed, 18 May 2011 21:17:00 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1QMo70-0006pQ-Rz for kernel-team@lists.ubuntu.com; Wed, 18 May 2011 21:16:58 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1QMo70-0007Li-Pm for ; Wed, 18 May 2011 21:16:58 +0000 Received: from [187.58.247.164] (helo=canonical.com) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1QMo6z-0004X8-UI for kernel-team@lists.ubuntu.com; Wed, 18 May 2011 21:16:58 +0000 From: Herton Ronaldo Krzesinski To: kernel-team@lists.ubuntu.com Subject: =?UTF-8?q?=5BCVE-2011-1593=5D=5BHardy=5D=5BPATCH=201/2=5D=20next=5Fpidmap=3A=20fix=20overflow=20condition=2C=20CVE-2011-1593?= Date: Wed, 18 May 2011 18:16:47 -0300 Message-Id: <1305753408-6848-2-git-send-email-herton.krzesinski@canonical.com> X-Mailer: git-send-email 1.7.4.1 In-Reply-To: <1305753408-6848-1-git-send-email-herton.krzesinski@canonical.com> References: <1305753408-6848-1-git-send-email-herton.krzesinski@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: Linus Torvalds CVE-2011-1593 BugLink: https://bugs.launchpad.net/bugs/784727 Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12, 2.6.35.13, 2.6.38.4 next_pidmap() just quietly accepted whatever 'last' pid that was passed in, which is not all that safe when one of the users is /proc. Admittedly the proc code should do some sanity checking on the range (and that will be the next commit), but that doesn't mean that the helper functions should just do that pidmap pointer arithmetic without checking the range of its arguments. So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1" doesn't really matter, the for-loop does check against the end of the pidmap array properly (it's only the actual pointer arithmetic overflow case we need to worry about, and going one bit beyond isn't going to overflow). [ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ] Reported-by: Tavis Ormandy Analyzed-by: Robert Święcki Cc: Eric W. Biederman Cc: Pavel Emelyanov Signed-off-by: Linus Torvalds (backported from commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b upstream) Signed-off-by: Herton Ronaldo Krzesinski Acked-by: Brad Figg Acked-by: John Johansen --- .../openvz/patchset/0001-2.6.24-ovz002.patch | 2 +- kernel/pid.c | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch b/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch index 729b278..6a8a613 100644 --- a/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch +++ b/debian/binary-custom.d/openvz/patchset/0001-2.6.24-ovz002.patch @@ -62556,7 +62556,7 @@ Index: kernel/kernel/pid.c + return pid; +} + - static int next_pidmap(struct pid_namespace *pid_ns, int last) + static int next_pidmap(struct pid_namespace *pid_ns, unsigned int last) { int offset; @@ -198,6 +231,7 @@ diff --git a/kernel/pid.c b/kernel/pid.c index f815455..29f0ac0 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -181,11 +181,14 @@ static int alloc_pidmap(struct pid_namespace *pid_ns) return -1; } -static int next_pidmap(struct pid_namespace *pid_ns, int last) +static int next_pidmap(struct pid_namespace *pid_ns, unsigned int last) { int offset; struct pidmap *map, *end; + if (last >= PID_MAX_LIMIT) + return -1; + offset = (last + 1) & BITS_PER_PAGE_MASK; map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE]; end = &pid_ns->pidmap[PIDMAP_ENTRIES];