2.6.35-longterm review patch. If anyone has any objections, please let me know.
------------------ From: Kees Cook <[email protected]> commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 upstream. While mm->start_stack was protected from cross-uid viewing (commit f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged processes")), the start_code and end_code values were not. This would allow the text location of a PIE binary to leak, defeating ASLR. Note that the value "1" is used instead of "0" for a protected value since "ps", "killall", and likely other readers of /proc/pid/stat, take start_code of "0" to mean a kernel thread and will misbehave. Thanks to Brad Spengler for pointing this out. Addresses CVE-2011-0726 Signed-off-by: Kees Cook <[email protected]> Signed-off-by: Andi Kleen <[email protected]> Cc: Alexey Dobriyan <[email protected]> Cc: David Howells <[email protected]> Cc: Eugene Teo <[email protected]> Cc: Martin Schwidefsky <[email protected]> Cc: Brad Spengler <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- fs/proc/array.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: linux-2.6.35.y/fs/proc/array.c =================================================================== --- linux-2.6.35.y.orig/fs/proc/array.c 2011-03-29 23:03:00.892277339 -0700 +++ linux-2.6.35.y/fs/proc/array.c 2011-03-29 23:03:02.997223479 -0700 @@ -489,8 +489,8 @@ vsize, mm ? get_mm_rss(mm) : 0, rsslim, - mm ? mm->start_code : 0, - mm ? mm->end_code : 0, + mm ? (permitted ? mm->start_code : 1) : 0, + mm ? (permitted ? mm->end_code : 1) : 0, (permitted && mm) ? mm->start_stack : 0, esp, eip, _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
