From 4dfb415992e6fcdda49205fd4627bc1cf21f5fc4 Mon Sep 17 00:00:00 2001
From: dann frazier
Date: Sun, 25 Mar 2007 17:04:06 +0000
Subject: [PATCH] * bugfix/all/vserver/cross-context-renice-fix.patch [SECURITY] Fix a vulnerability that permits renicing processes in other contexts. See CVE-2007-0241 svn path=/dists/etch/linux-2.6/; revision=8392
---
 debian/changelog | 4 +
 .../vserver/cross-context-renice-fix.patch | 101 ++++++++++++++++++
 debian/patches/series/12-extra | 1 +
 3 files changed, 106 insertions(+)
 create mode 100644 debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch

diff --git a/debian/changelog b/debian/changelog
index 335fd9ce8..dca945df6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -44,6 +44,10 @@ linux-2.6 (2.6.18.dfsg.1-12) UNRELEASED; urgency=low
 * bugfix/bnx2_tx_avail-off-by-1-fix.patch
 Fix a panic in the bnx2 driver caused by an off-by-one error
 (closes: #410010)
+ * bugfix/all/vserver/cross-context-renice-fix.patch
+ [SECURITY] Fix a vulnerability that permits renicing processes in
+ other contexts.
+ See CVE-2007-0241
 
 [ Bastian Blank ]
 * xen: Fix highmem dma copy code. (closes: #415805)
diff --git a/debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch b/debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch
new file mode 100644
index 000000000..21d5fcdd7
--- /dev/null
+++ b/debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch
@@ -0,0 +1,101 @@
+diff -urN source-i386-vserver.orig/include/linux/pid.h source-i386-vserver/include/linux/pid.h
+--- source-i386-vserver.orig/include/linux/pid.h 2007-03-24 10:01:05.000000000 -0600
++++ source-i386-vserver/include/linux/pid.h 2007-03-24 10:35:23.000000000 -0600
+@@ -92,29 +92,39 @@
+ extern struct pid *alloc_pid(void);
+ extern void FASTCALL(free_pid(struct pid *pid));
+ 
+-#define pid_next(task, type) \
+- ((task)->pids[(type)].node.next)
+-
+-#define pid_next_task(task, type) \
+- hlist_entry(pid_next(task, type), struct task_struct, \
+- pids[(type)].node)
+-
+-
+-/* We could use hlist_for_each_entry_rcu here but it takes more arguments
+- * than the do_each_task_pid/while_each_task_pid. So we roll our own
+- * to preserve the existing interface.
+- */
+-#define do_each_task_pid(who, type, task) \
+- if ((task = find_task_by_pid_type(type, who))) { \
+- prefetch(pid_next(task, type)); \
+- do {
+-
+-#define while_each_task_pid(who, type, task) \
+- } while (pid_next(task, type) && ({ \
+- task = pid_next_task(task, type); \
+- rcu_dereference(task); \
+- prefetch(pid_next(task, type)); \
+- 1; }) ); \
+- }
++static inline pid_t pid_nr(struct pid *pid)
++{
++ pid_t nr = 0;
++ if (pid)
++ nr = pid->nr;
++ return nr;
++}
++
++
++#define do_each_task_pid(who, type, task) \
++ do { \
++ struct hlist_node *pos___; \
++ struct pid *pid___ = find_pid(who); \
++ if (pid___ != NULL) \
++ hlist_for_each_entry_rcu((task), pos___, \
++ &pid___->tasks[type], pids[type].node) \
++ if (vx_check((task)->xid, VX_ADMIN|VX_IDENT)) {
++
++#define while_each_task_pid(who, type, task) \
++ } \
++ } while (0)
++
++
++#define do_each_pid_task(pid, type, task) \
++ do { \
++ struct hlist_node *pos___; \
++ if (pid != NULL) \
++ hlist_for_each_entry_rcu((task), pos___, \
++ &pid->tasks[type], pids[type].node) \
++ if (vx_check((task)->xid, VX_ADMIN|VX_IDENT)) {
++
++#define while_each_pid_task(pid, type, task) \
++ } \
++ } while (0)
+ 
+ #endif /* _LINUX_PID_H */
+diff -urN source-i386-vserver.orig/kernel/pid.c source-i386-vserver/kernel/pid.c
+--- source-i386-vserver.orig/kernel/pid.c 2007-03-24 10:01:05.000000000 -0600
++++ source-i386-vserver/kernel/pid.c 2007-03-24 10:26:32.000000000 -0600
+@@ -256,6 +256,9 @@
+ struct task_struct * fastcall pid_task(struct pid *pid, enum pid_type type)
+ {
+ struct task_struct *result = NULL;
++
++ if (type == PIDTYPE_REALPID)
++ type = PIDTYPE_PID;
+ if (pid) {
+ struct hlist_node *first;
+ first = rcu_dereference(pid->tasks[type].first);
+@@ -278,11 +281,17 @@
+ */
+ struct task_struct *find_task_by_pid_type(int type, int nr)
+ {
++ struct task_struct *task;
++
+ if (type == PIDTYPE_PID)
+ nr = vx_rmap_pid(nr);
+- else if (type == PIDTYPE_REALPID)
+- type = PIDTYPE_PID;
+- return pid_task(find_pid(nr), type);
++
++ task = pid_task(find_pid(nr), type);
++ if (task && (type != PIDTYPE_REALPID) &&
++ /* maybe VX_WATCH_P in the future? */
++ !vx_check(task->xid, VX_WATCH|VX_IDENT))
++ return NULL;
++ return task;
+ }
+ 
+ EXPORT_SYMBOL(find_task_by_pid_type);
diff --git a/debian/patches/series/12-extra b/debian/patches/series/12-extra
index 1e4a82b5e..45cff08b4 100644
--- a/debian/patches/series/12-extra
+++ b/debian/patches/series/12-extra
@@ -1 +1,2 @@
 + bugfix/all/xen/swiotlb-highmem-copy.patch *_xen *_xen-vserver
++ bugfix/all/vserver/cross-context-renice-fix.patch *_vserver *_xen-vserver
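Review bot: The new do_each_pid_task and do_each_task_pid macros in the pid.h part of the added patch use their `pid` and `type` arguments unparenthesized (`&pid->tasks[type], pids[type].node`), where the removed pid_next/pid_next_task macros wrote `(task)->pids[(type)]`; an argument that is not a plain identifier would misexpand, so `&(pid)->tasks[(type)], pids[(type)].node` keeps the old macro hygiene. The visibility mask also differs between the two paths the patch introduces: the iteration macros admit tasks passing `vx_check((task)->xid, VX_ADMIN|VX_IDENT)` while find_task_by_pid_type in pid.c rejects tasks failing `vx_check(task->xid, VX_WATCH|VX_IDENT)`, and the only explanation is the inline `/* maybe VX_WATCH_P in the future? */`, so a short comment above each stating why the admin and watch contexts are treated differently would save the next reader from guessing whether that asymmetry is intended. Finally, the rewritten do_each_task_pid calls `find_pid(who)` directly, whereas the removed version went through find_task_by_pid_type, which still applies `nr = vx_rmap_pid(nr)` for PIDTYPE_PID; if dropping that remapping on the iteration path is deliberate, it is worth saying so next to the macro.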