
Christos Nouskas committed 6034bbb

Fix CVE-2012-0056 whiteline crap

  • Parent commits 7aab298


Files changed (2)

File CVE-2012-0056.patch

 --- a/fs/proc/base.c
 +++ b/fs/proc/base.c
 @@ -198,65 +198,7 @@ static int proc_root_link(struct dentry *dentry, struct path *path)
-	return result;
+ 	return result;
  }
-
+ 
 -static struct mm_struct *__check_mem_permission(struct task_struct *task)
 -{
 -	struct mm_struct *mm;
 -struct mm_struct *mm_for_maps(struct task_struct *task)
 +static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
  {
-	struct mm_struct *mm;
-	int err;
+ 	struct mm_struct *mm;
+ 	int err;
 @@ -267,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
-
-	mm = get_task_mm(task);
-	if (mm && mm != current->mm &&
+ 
+ 	mm = get_task_mm(task);
+ 	if (mm && mm != current->mm &&
 -			!ptrace_may_access(task, PTRACE_MODE_READ)) {
 +			!ptrace_may_access(task, mode)) {
-		mmput(mm);
-		mm = ERR_PTR(-EACCES);
-	}
+ 		mmput(mm);
+ 		mm = ERR_PTR(-EACCES);
+ 	}
 @@ -276,6 +218,11 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
-	return mm;
+ 	return mm;
  }
-
+ 
 +struct mm_struct *mm_for_maps(struct task_struct *task)
 +{
 +	return mm_access(task, PTRACE_MODE_READ);
 +
  static int proc_pid_cmdline(struct task_struct *task, char * buffer)
  {
-	int res = 0;
+ 	int res = 0;
 @@ -752,38 +699,39 @@ static const struct file_operations proc_single_file_operations = {
-
+ 
  static int mem_open(struct inode* inode, struct file* file)
  {
 -	file->private_data = (void*)((long)current->self_exec_id);
 +	if (IS_ERR(mm))
 +		return PTR_ERR(mm);
 +
-	/* OK to pass negative loff_t, we can catch out-of-range */
-	file->f_mode |= FMODE_UNSIGNED_OFFSET;
+ 	/* OK to pass negative loff_t, we can catch out-of-range */
+ 	file->f_mode |= FMODE_UNSIGNED_OFFSET;
 +	file->private_data = mm;
 +
-	return 0;
+ 	return 0;
  }
-
+ 
  static ssize_t mem_read(struct file * file, char __user * buf,
-			size_t count, loff_t *ppos)
+ 			size_t count, loff_t *ppos)
  {
 -	struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
 +	int ret;
-	char *page;
-	unsigned long src = *ppos;
+ 	char *page;
+ 	unsigned long src = *ppos;
 -	int ret = -ESRCH;
 -	struct mm_struct *mm;
 +	struct mm_struct *mm = file->private_data;
-
+ 
 -	if (!task)
 -		goto out_no_task;
 +	if (!mm)
 +		return 0;
-
+ 
 -	ret = -ENOMEM;
-	page = (char *)__get_free_page(GFP_TEMPORARY);
-	if (!page)
+ 	page = (char *)__get_free_page(GFP_TEMPORARY);
+ 	if (!page)
 -		goto out;
 -
 -	mm = check_mem_permission(task);
 -		goto out_free;
 -
 -	ret = -EIO;
--
+- 
 -	if (file->private_data != (void*)((long)current->self_exec_id))
 -		goto out_put;
 +		return -ENOMEM;
-
-	ret = 0;
-
+ 
+ 	ret = 0;
+  
 @@ -810,13 +758,7 @@ static ssize_t mem_read(struct file * file, char __user * buf,
-	}
-	*ppos = src;
-
+ 	}
+ 	*ppos = src;
+ 
 -out_put:
 -	mmput(mm);
 -out_free:
-	free_page((unsigned long) page);
+ 	free_page((unsigned long) page);
 -out:
 -	put_task_struct(task);
 -out_no_task:
-	return ret;
+ 	return ret;
  }
-
+ 
 @@ -825,27 +767,15 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
  {
-	int copied;
-	char *page;
+ 	int copied;
+ 	char *page;
 -	struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
-	unsigned long dst = *ppos;
+ 	unsigned long dst = *ppos;
 -	struct mm_struct *mm;
 +	struct mm_struct *mm = file->private_data;
-
+ 
 -	copied = -ESRCH;
 -	if (!task)
 -		goto out_no_task;
 +	if (!mm)
 +		return 0;
-
+ 
 -	copied = -ENOMEM;
-	page = (char *)__get_free_page(GFP_TEMPORARY);
-	if (!page)
+ 	page = (char *)__get_free_page(GFP_TEMPORARY);
+ 	if (!page)
 -		goto out_task;
 -
 -	mm = check_mem_permission(task);
 -	if (file->private_data != (void *)((long)current->self_exec_id))
 -		goto out_mm;
 +		return -ENOMEM;
-
-	copied = 0;
-	while (count > 0) {
+ 
+ 	copied = 0;
+ 	while (count > 0) {
 @@ -869,13 +799,7 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
-	}
-	*ppos = dst;
-
+ 	}
+ 	*ppos = dst;
+ 
 -out_mm:
 -	mmput(mm);
 -out_free:
-	free_page((unsigned long) page);
+ 	free_page((unsigned long) page);
 -out_task:
 -	put_task_struct(task);
 -out_no_task:
-	return copied;
+ 	return copied;
  }
-
+ 
 @@ -895,11 +819,20 @@ loff_t mem_lseek(struct file *file, loff_t offset, int orig)
-	return file->f_pos;
+ 	return file->f_pos;
  }
-
+ 
 +static int mem_release(struct inode *inode, struct file *file)
 +{
 +	struct mm_struct *mm = file->private_data;
 +}
 +
  static const struct file_operations proc_mem_operations = {
-	.llseek		= mem_lseek,
-	.read		= mem_read,
-	.write		= mem_write,
-	.open		= mem_open,
+ 	.llseek		= mem_lseek,
+ 	.read		= mem_read,
+ 	.write		= mem_write,
+ 	.open		= mem_open,
 +	.release	= mem_release,
  };
-
+ 
  static ssize_t environ_read(struct file *file, char __user *buf,
---
+-- 
 1.7.6.5
   cd ${srcdir}/linux-${_basekernel}
   # This is for me, to test the PKGBUILD
 if [[ $NOEXTRACT = "0" ]]; then
+
+     # Local root exploit fix: http://blog.zx2c4.com/749
+     patch -p1 -i "${srcdir}/CVE-2012-0056.patch"
+
      # Arch linux logo
      msg "Replacing penguins with arches"
      bzip2 -dk ${startdir}/logo_linux_*.bz2
         cd ..
         cp -a ${_aufs3name}/{Documentation,fs,include} ${srcdir}/linux-${_basekernel}/
         for _patch in ${_aufs3name}/*.patch; do
+        msg "Patching aufs3"
 	    patch -Np1 < ${_patch} || _aufs3fail=KRAKRA
         done
         if [[ ${_aufs3fail} = "KRAKRA" ]]; then
         fi
     fi
 
-  # Local root exploit fix: http://blog.zx2c4.com/749
-  patch -Np1 -i "${srcdir}/CVE-2012-0056.patch"
-
 
   # add latest fixes from stable queue, if needed
   # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
             'f0ab8d5f2c1ab29b5bcc1d7be251f36796489bae2f6486fac49595fa4c895770'
             '4bc5a3fc40bf60bd4b362b519219cae56141a9f209bd2cf6bed25c1bd434e2cc'
             '549a33278c17af6aa9ca5d3cf2abe3a0b1010d7c66e53d2a357a38ace25f8ea1'
-            '697d37137e8ae7584534f1d475e9d92f7af895f8c93610e4c7c57b56cccf3ef5'
+            '7782b725f2ecdbf5849e2571184164e95067bad65eb2f34f8fbd0dbd7f9bfaf4'
             '847981649407470de69dc989e8a1a5b44eae75c5403d46e863ce6bacd47c25fb')
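Review bot: The added `patch -p1 -i "${srcdir}/CVE-2012-0056.patch"` line does not check whether the security fix applied, whereas the aufs3 loop further down records a failure with `|| _aufs3fail=KRAKRA`. Given that this commit repairs whitespace damage in that very patch file, a rejected or partly applied fix should stop the build rather than yield a kernel that may still be vulnerable: `patch -p1 -i "${srcdir}/CVE-2012-0056.patch" || return 1` (redundant but harmless if makepkg already aborts on a failing command, which is not visible here). The call also moved inside the `NOEXTRACT = "0"` branch, so a build with any other value relies on the tree already carrying the fix; a comment such as `# applied once at extraction; a NOEXTRACT rebuild assumes the tree is already patched` would make that explicit. The enclosing function starts and ends outside the visible hunks.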