Author: dannf
Date: Sun Mar 25 17:04:06 2007
New Revision: 8392

Added:
   dists/etch/linux-2.6/debian/patches/bugfix/all/vserver/
   
dists/etch/linux-2.6/debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch
Modified:
   dists/etch/linux-2.6/debian/changelog
   dists/etch/linux-2.6/debian/patches/series/12-extra
Log:
* bugfix/all/vserver/cross-context-renice-fix.patch
  [SECURITY] Fix a vulnerability that permits renicing processes in
  other contexts.
  See CVE-2007-0241

Modified: dists/etch/linux-2.6/debian/changelog
==============================================================================
--- dists/etch/linux-2.6/debian/changelog       (original)
+++ dists/etch/linux-2.6/debian/changelog       Sun Mar 25 17:04:06 2007
@@ -44,6 +44,10 @@
   * bugfix/bnx2_tx_avail-off-by-1-fix.patch
     Fix a panic in the bnx2 driver caused by an off-by-one error
     (closes: #410010)
+  * bugfix/all/vserver/cross-context-renice-fix.patch
+    [SECURITY] Fix a vulnerability that permits renicing processes in
+    other contexts.
+    See CVE-2007-0241
 
   [ Bastian Blank ]
   * xen: Fix highmem dma copy code. (closes: #415805)

Added: 
dists/etch/linux-2.6/debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch
==============================================================================
--- (empty file)
+++ 
dists/etch/linux-2.6/debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch
       Sun Mar 25 17:04:06 2007
@@ -0,0 +1,101 @@
+diff -urN source-i386-vserver.orig/include/linux/pid.h 
source-i386-vserver/include/linux/pid.h
+--- source-i386-vserver.orig/include/linux/pid.h       2007-03-24 
10:01:05.000000000 -0600
++++ source-i386-vserver/include/linux/pid.h    2007-03-24 10:35:23.000000000 
-0600
+@@ -92,29 +92,39 @@
+ extern struct pid *alloc_pid(void);
+ extern void FASTCALL(free_pid(struct pid *pid));
+ 
+-#define pid_next(task, type)                                  \
+-      ((task)->pids[(type)].node.next)
+-
+-#define pid_next_task(task, type)                             \
+-      hlist_entry(pid_next(task, type), struct task_struct,   \
+-                      pids[(type)].node)
+-
+-
+-/* We could use hlist_for_each_entry_rcu here but it takes more arguments
+- * than the do_each_task_pid/while_each_task_pid.  So we roll our own
+- * to preserve the existing interface.
+- */
+-#define do_each_task_pid(who, type, task)                             \
+-      if ((task = find_task_by_pid_type(type, who))) {                \
+-              prefetch(pid_next(task, type));                         \
+-              do {
+-
+-#define while_each_task_pid(who, type, task)                          \
+-              } while (pid_next(task, type) &&  ({                    \
+-                              task = pid_next_task(task, type);       \
+-                              rcu_dereference(task);                  \
+-                              prefetch(pid_next(task, type));         \
+-                              1; }) );                                \
+-      }
++static inline pid_t pid_nr(struct pid *pid)
++{
++      pid_t nr = 0;
++      if (pid)
++              nr = pid->nr;
++      return nr;
++}
++
++
++#define do_each_task_pid(who, type, task)                                     
\
++      do {                                                                    
\
++              struct hlist_node *pos___;                                      
\
++              struct pid *pid___ = find_pid(who);                             
\
++              if (pid___ != NULL)                                             
\
++                      hlist_for_each_entry_rcu((task), pos___,                
\
++                      &pid___->tasks[type], pids[type].node)  \
++              if (vx_check((task)->xid, VX_ADMIN|VX_IDENT)) {
++
++#define while_each_task_pid(who, type, task)                                  
\
++                      }                                                       
\
++      } while (0)
++
++
++#define do_each_pid_task(pid, type, task)                                     
\
++      do {                                                                    
\
++              struct hlist_node *pos___;                                      
\
++              if (pid != NULL)                                                
\
++                      hlist_for_each_entry_rcu((task), pos___,                
\
++                      &pid->tasks[type], pids[type].node)     \
++              if (vx_check((task)->xid, VX_ADMIN|VX_IDENT)) {
++
++#define while_each_pid_task(pid, type, task)                                  
\
++                      }                                                       
\
++      } while (0)
+ 
+ #endif /* _LINUX_PID_H */
+diff -urN source-i386-vserver.orig/kernel/pid.c 
source-i386-vserver/kernel/pid.c
+--- source-i386-vserver.orig/kernel/pid.c      2007-03-24 10:01:05.000000000 
-0600
++++ source-i386-vserver/kernel/pid.c   2007-03-24 10:26:32.000000000 -0600
+@@ -256,6 +256,9 @@
+ struct task_struct * fastcall pid_task(struct pid *pid, enum pid_type type)
+ {
+       struct task_struct *result = NULL;
++
++      if (type == PIDTYPE_REALPID)
++              type = PIDTYPE_PID;
+       if (pid) {
+               struct hlist_node *first;
+               first = rcu_dereference(pid->tasks[type].first);
+@@ -278,11 +281,17 @@
+  */
+ struct task_struct *find_task_by_pid_type(int type, int nr)
+ {
++      struct task_struct *task;
++
+       if (type == PIDTYPE_PID)
+               nr = vx_rmap_pid(nr);
+-      else if (type == PIDTYPE_REALPID)
+-              type = PIDTYPE_PID;
+-      return pid_task(find_pid(nr), type);
++
++      task = pid_task(find_pid(nr), type);
++      if (task && (type != PIDTYPE_REALPID) &&
++              /* maybe VX_WATCH_P in the future? */
++              !vx_check(task->xid, VX_WATCH|VX_IDENT))
++              return NULL;
++      return task;
+ }
+ 
+ EXPORT_SYMBOL(find_task_by_pid_type);
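Review bot: In the kernel/pid.c part, find_task_by_pid_type() returns the task with no vx_check() at all when type is PIDTYPE_REALPID, and the filter it applies otherwise (`VX_WATCH|VX_IDENT`) differs from the one in the new do_each_task_pid/do_each_pid_task macros (`VX_ADMIN|VX_IDENT`); nothing in the patch explains either choice. Because this is the fix for cross-context renice, I would state the contract right above the check, for example `/* PIDTYPE_REALPID lookups are not context-filtered; callers must check the xid themselves */` if that is the intent, and add a line on why the iterators admit VX_ADMIN while the lookup admits VX_WATCH. Separately, the new do_each_task_pid calls `find_pid(who)` directly, so it no longer goes through the `vx_rmap_pid(nr)` that find_task_by_pid_type applies for PIDTYPE_PID. If any caller iterates with PIDTYPE_PID, that is a behaviour change worth confirming before this ships.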

Modified: dists/etch/linux-2.6/debian/patches/series/12-extra
==============================================================================
--- dists/etch/linux-2.6/debian/patches/series/12-extra (original)
+++ dists/etch/linux-2.6/debian/patches/series/12-extra Sun Mar 25 17:04:06 2007
@@ -1 +1,2 @@
 + bugfix/all/xen/swiotlb-highmem-copy.patch *_xen *_xen-vserver
++ bugfix/all/vserver/cross-context-renice-fix.patch *_vserver *_xen-vserver
