Commits

Christos Nouskas committed 1d1187d

3.2.2-1

  • Participants
  • Parent commits ae835ab

Comments (0)

Files changed (3)

CVE-2012-0056.patch

-From e268337dfe26dfc7efd422a804dbb27977a3cccc Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Tue, 17 Jan 2012 15:21:19 -0800
-Subject: [PATCH] proc: clean up and fix /proc/<pid>/mem handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very
-robust, and it also doesn't match the permission checking of any of the
-other related files.
-
-This changes it to do the permission checks at open time, and instead of
-tracking the process, it tracks the VM at the time of the open.  That
-simplifies the code a lot, but does mean that if you hold the file
-descriptor open over an execve(), you'll continue to read from the _old_
-VM.
-
-That is different from our previous behavior, but much simpler.  If
-somebody actually finds a load where this matters, we'll need to revert
-this commit.
-
-I suspect that nobody will ever notice - because the process mapping
-addresses will also have changed as part of the execve.  So you cannot
-actually usefully access the fd across a VM change simply because all
-the offsets for IO would have changed too.
-
-Reported-by: Jüri Aedla <asd@ut.ee>
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- fs/proc/base.c |  145 +++++++++++++++-----------------------------------------
- 1 files changed, 39 insertions(+), 106 deletions(-)
-
-diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 5485a53..662ddf2 100644
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -198,65 +198,7 @@ static int proc_root_link(struct dentry *dentry, struct path *path)
- 	return result;
- }
- 
--static struct mm_struct *__check_mem_permission(struct task_struct *task)
--{
--	struct mm_struct *mm;
--
--	mm = get_task_mm(task);
--	if (!mm)
--		return ERR_PTR(-EINVAL);
--
--	/*
--	 * A task can always look at itself, in case it chooses
--	 * to use system calls instead of load instructions.
--	 */
--	if (task == current)
--		return mm;
--
--	/*
--	 * If current is actively ptrace'ing, and would also be
--	 * permitted to freshly attach with ptrace now, permit it.
--	 */
--	if (task_is_stopped_or_traced(task)) {
--		int match;
--		rcu_read_lock();
--		match = (ptrace_parent(task) == current);
--		rcu_read_unlock();
--		if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
--			return mm;
--	}
--
--	/*
--	 * No one else is allowed.
--	 */
--	mmput(mm);
--	return ERR_PTR(-EPERM);
--}
--
--/*
-- * If current may access user memory in @task return a reference to the
-- * corresponding mm, otherwise ERR_PTR.
-- */
--static struct mm_struct *check_mem_permission(struct task_struct *task)
--{
--	struct mm_struct *mm;
--	int err;
--
--	/*
--	 * Avoid racing if task exec's as we might get a new mm but validate
--	 * against old credentials.
--	 */
--	err = mutex_lock_killable(&task->signal->cred_guard_mutex);
--	if (err)
--		return ERR_PTR(err);
--
--	mm = __check_mem_permission(task);
--	mutex_unlock(&task->signal->cred_guard_mutex);
--
--	return mm;
--}
--
--struct mm_struct *mm_for_maps(struct task_struct *task)
-+static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
- {
- 	struct mm_struct *mm;
- 	int err;
-@@ -267,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
- 
- 	mm = get_task_mm(task);
- 	if (mm && mm != current->mm &&
--			!ptrace_may_access(task, PTRACE_MODE_READ)) {
-+			!ptrace_may_access(task, mode)) {
- 		mmput(mm);
- 		mm = ERR_PTR(-EACCES);
- 	}
-@@ -276,6 +218,11 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
- 	return mm;
- }
- 
-+struct mm_struct *mm_for_maps(struct task_struct *task)
-+{
-+	return mm_access(task, PTRACE_MODE_READ);
-+}
-+
- static int proc_pid_cmdline(struct task_struct *task, char * buffer)
- {
- 	int res = 0;
-@@ -752,38 +699,39 @@ static const struct file_operations proc_single_file_operations = {
- 
- static int mem_open(struct inode* inode, struct file* file)
- {
--	file->private_data = (void*)((long)current->self_exec_id);
-+	struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
-+	struct mm_struct *mm;
-+
-+	if (!task)
-+		return -ESRCH;
-+
-+	mm = mm_access(task, PTRACE_MODE_ATTACH);
-+	put_task_struct(task);
-+
-+	if (IS_ERR(mm))
-+		return PTR_ERR(mm);
-+
- 	/* OK to pass negative loff_t, we can catch out-of-range */
- 	file->f_mode |= FMODE_UNSIGNED_OFFSET;
-+	file->private_data = mm;
-+
- 	return 0;
- }
- 
- static ssize_t mem_read(struct file * file, char __user * buf,
- 			size_t count, loff_t *ppos)
- {
--	struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
-+	int ret;
- 	char *page;
- 	unsigned long src = *ppos;
--	int ret = -ESRCH;
--	struct mm_struct *mm;
-+	struct mm_struct *mm = file->private_data;
- 
--	if (!task)
--		goto out_no_task;
-+	if (!mm)
-+		return 0;
- 
--	ret = -ENOMEM;
- 	page = (char *)__get_free_page(GFP_TEMPORARY);
- 	if (!page)
--		goto out;
--
--	mm = check_mem_permission(task);
--	ret = PTR_ERR(mm);
--	if (IS_ERR(mm))
--		goto out_free;
--
--	ret = -EIO;
-- 
--	if (file->private_data != (void*)((long)current->self_exec_id))
--		goto out_put;
-+		return -ENOMEM;
- 
- 	ret = 0;
-  
-@@ -810,13 +758,7 @@ static ssize_t mem_read(struct file * file, char __user * buf,
- 	}
- 	*ppos = src;
- 
--out_put:
--	mmput(mm);
--out_free:
- 	free_page((unsigned long) page);
--out:
--	put_task_struct(task);
--out_no_task:
- 	return ret;
- }
- 
-@@ -825,27 +767,15 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
- {
- 	int copied;
- 	char *page;
--	struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
- 	unsigned long dst = *ppos;
--	struct mm_struct *mm;
-+	struct mm_struct *mm = file->private_data;
- 
--	copied = -ESRCH;
--	if (!task)
--		goto out_no_task;
-+	if (!mm)
-+		return 0;
- 
--	copied = -ENOMEM;
- 	page = (char *)__get_free_page(GFP_TEMPORARY);
- 	if (!page)
--		goto out_task;
--
--	mm = check_mem_permission(task);
--	copied = PTR_ERR(mm);
--	if (IS_ERR(mm))
--		goto out_free;
--
--	copied = -EIO;
--	if (file->private_data != (void *)((long)current->self_exec_id))
--		goto out_mm;
-+		return -ENOMEM;
- 
- 	copied = 0;
- 	while (count > 0) {
-@@ -869,13 +799,7 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
- 	}
- 	*ppos = dst;
- 
--out_mm:
--	mmput(mm);
--out_free:
- 	free_page((unsigned long) page);
--out_task:
--	put_task_struct(task);
--out_no_task:
- 	return copied;
- }
- 
-@@ -895,11 +819,20 @@ loff_t mem_lseek(struct file *file, loff_t offset, int orig)
- 	return file->f_pos;
- }
- 
-+static int mem_release(struct inode *inode, struct file *file)
-+{
-+	struct mm_struct *mm = file->private_data;
-+
-+	mmput(mm);
-+	return 0;
-+}
-+
- static const struct file_operations proc_mem_operations = {
- 	.llseek		= mem_lseek,
- 	.read		= mem_read,
- 	.write		= mem_write,
- 	.open		= mem_open,
-+	.release	= mem_release,
- };
- 
- static ssize_t environ_read(struct file *file, char __user *buf,
--- 
-1.7.6.5
 _major=3
 _minor=2
 #_patchlevel=0
-_subversion=1
+#_subversion=1
 _basekernel=$_major.$_minor
 _pkgname=linux-pf
-_pfrel=1
+_pfrel=2
 _kernelname=-pf
 _pfpatchhome="http://pf.natalenko.name/sources/${_basekernel}/"
 _pfpatchname="patch-${_basekernel}.${_pfrel}${_kernelname}"
 pkgname=('linux-pf')
 true && pkgname=('linux-pf' 'linux-pf-headers')
 pkgver=${_basekernel}.${_pfrel}
-pkgrel=6
+pkgrel=1
 arch=('i686' 'x86_64')
 url="http://pf.natalenko.name/"
 license=('GPL2')
 	i915-gpu-finish.patch
 	i915-fix-ghost-tv-output.patch
 	usb-add-reset-resume-quirk-for-several-webcams.patch
-	CVE-2012-0056.patch		# avoid local priviledge escalation by SUID
 	${_pfpatchhome}${_pfpatchname}.bz2)	# the -pf patchset
 
 _aufs3git="git://aufs.git.sourceforge.net/gitroot/aufs/aufs3-standalone.git"
   # This is for me, to test the PKGBUILD
 if [[ $NOEXTRACT = "0" ]]; then
 
-     # Local root exploit fix: http://blog.zx2c4.com/749
-     patch -p1 -i "${srcdir}/CVE-2012-0056.patch"
-
      # Arch linux logo
      msg "Replacing penguins with arches"
      bzip2 -dk ${startdir}/logo_linux_*.bz2
  pkgdesc=${_pkgdesc}
  groups=('base')
  backup=(etc/mkinitcpio.d/${_pkgname}.preset)
- depends=('coreutils' 'linux-firmware' 'module-init-tools>=3.16' 'mkinitcpio>=0.7')
+ depends=('coreutils' 'linux-firmware' 'kmod' 'mkinitcpio>=0.7')
  optdepends=('linux-docs: Kernel hackers manual - HTML documentation that comes with the Linux kernel.'
 	    'crda: to set the correct wireless channels of your country'
 	    'pm-utils: utilities and scripts for suspend and hibernate power management'
             'f0ab8d5f2c1ab29b5bcc1d7be251f36796489bae2f6486fac49595fa4c895770'
             '4bc5a3fc40bf60bd4b362b519219cae56141a9f209bd2cf6bed25c1bd434e2cc'
             '549a33278c17af6aa9ca5d3cf2abe3a0b1010d7c66e53d2a357a38ace25f8ea1'
-            '7782b725f2ecdbf5849e2571184164e95067bad65eb2f34f8fbd0dbd7f9bfaf4'
-            '847981649407470de69dc989e8a1a5b44eae75c5403d46e863ce6bacd47c25fb')
+            'aa2158727101785b7e7da7c7613badc77aca64df4787c0b55e6220638808aa28')

build_target_pkgs.sh

  done
 else
   _config="config"
-  targets="CORE2 ATOM K8 PENTIUM4 PENTIUMIII PENTIUMM K7"
+  targets="CORE2 PENTIUMIII PENTIUMM ATOM K8 PENTIUM4 K7"
   for cpu in $targets; do
    case $cpu in
     ATOM)