* bugfix/all/vserver/cross-context-renice-fix.patch
[SECURITY] Fix a vulnerability that permits renicing processes in other contexts. See CVE-2007-0241 svn path=/dists/etch/linux-2.6/; revision=8392
This commit is contained in:
parent
41c94c9772
commit
4dfb415992
|
@ -44,6 +44,10 @@ linux-2.6 (2.6.18.dfsg.1-12) UNRELEASED; urgency=low
|
||||||
* bugfix/bnx2_tx_avail-off-by-1-fix.patch
|
* bugfix/bnx2_tx_avail-off-by-1-fix.patch
|
||||||
Fix a panic in the bnx2 driver caused by an off-by-one error
|
Fix a panic in the bnx2 driver caused by an off-by-one error
|
||||||
(closes: #410010)
|
(closes: #410010)
|
||||||
|
* bugfix/all/vserver/cross-context-renice-fix.patch
|
||||||
|
[SECURITY] Fix a vulnerability that permits renicing processes in
|
||||||
|
other contexts.
|
||||||
|
See CVE-2007-0241
|
||||||
|
|
||||||
[ Bastian Blank ]
|
[ Bastian Blank ]
|
||||||
* xen: Fix highmem dma copy code. (closes: #415805)
|
* xen: Fix highmem dma copy code. (closes: #415805)
|
||||||
|
|
|
@ -0,0 +1,101 @@
|
||||||
|
diff -urN source-i386-vserver.orig/include/linux/pid.h source-i386-vserver/include/linux/pid.h
|
||||||
|
--- source-i386-vserver.orig/include/linux/pid.h 2007-03-24 10:01:05.000000000 -0600
|
||||||
|
+++ source-i386-vserver/include/linux/pid.h 2007-03-24 10:35:23.000000000 -0600
|
||||||
|
@@ -92,29 +92,39 @@
|
||||||
|
extern struct pid *alloc_pid(void);
|
||||||
|
extern void FASTCALL(free_pid(struct pid *pid));
|
||||||
|
|
||||||
|
-#define pid_next(task, type) \
|
||||||
|
- ((task)->pids[(type)].node.next)
|
||||||
|
-
|
||||||
|
-#define pid_next_task(task, type) \
|
||||||
|
- hlist_entry(pid_next(task, type), struct task_struct, \
|
||||||
|
- pids[(type)].node)
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-/* We could use hlist_for_each_entry_rcu here but it takes more arguments
|
||||||
|
- * than the do_each_task_pid/while_each_task_pid. So we roll our own
|
||||||
|
- * to preserve the existing interface.
|
||||||
|
- */
|
||||||
|
-#define do_each_task_pid(who, type, task) \
|
||||||
|
- if ((task = find_task_by_pid_type(type, who))) { \
|
||||||
|
- prefetch(pid_next(task, type)); \
|
||||||
|
- do {
|
||||||
|
-
|
||||||
|
-#define while_each_task_pid(who, type, task) \
|
||||||
|
- } while (pid_next(task, type) && ({ \
|
||||||
|
- task = pid_next_task(task, type); \
|
||||||
|
- rcu_dereference(task); \
|
||||||
|
- prefetch(pid_next(task, type)); \
|
||||||
|
- 1; }) ); \
|
||||||
|
- }
|
||||||
|
+static inline pid_t pid_nr(struct pid *pid)
|
||||||
|
+{
|
||||||
|
+ pid_t nr = 0;
|
||||||
|
+ if (pid)
|
||||||
|
+ nr = pid->nr;
|
||||||
|
+ return nr;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+#define do_each_task_pid(who, type, task) \
|
||||||
|
+ do { \
|
||||||
|
+ struct hlist_node *pos___; \
|
||||||
|
+ struct pid *pid___ = find_pid(who); \
|
||||||
|
+ if (pid___ != NULL) \
|
||||||
|
+ hlist_for_each_entry_rcu((task), pos___, \
|
||||||
|
+ &pid___->tasks[type], pids[type].node) \
|
||||||
|
+ if (vx_check((task)->xid, VX_ADMIN|VX_IDENT)) {
|
||||||
|
+
|
||||||
|
+#define while_each_task_pid(who, type, task) \
|
||||||
|
+ } \
|
||||||
|
+ } while (0)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+#define do_each_pid_task(pid, type, task) \
|
||||||
|
+ do { \
|
||||||
|
+ struct hlist_node *pos___; \
|
||||||
|
+ if (pid != NULL) \
|
||||||
|
+ hlist_for_each_entry_rcu((task), pos___, \
|
||||||
|
+ &pid->tasks[type], pids[type].node) \
|
||||||
|
+ if (vx_check((task)->xid, VX_ADMIN|VX_IDENT)) {
|
||||||
|
+
|
||||||
|
+#define while_each_pid_task(pid, type, task) \
|
||||||
|
+ } \
|
||||||
|
+ } while (0)
|
||||||
|
|
||||||
|
#endif /* _LINUX_PID_H */
|
||||||
|
diff -urN source-i386-vserver.orig/kernel/pid.c source-i386-vserver/kernel/pid.c
|
||||||
|
--- source-i386-vserver.orig/kernel/pid.c 2007-03-24 10:01:05.000000000 -0600
|
||||||
|
+++ source-i386-vserver/kernel/pid.c 2007-03-24 10:26:32.000000000 -0600
|
||||||
|
@@ -256,6 +256,9 @@
|
||||||
|
struct task_struct * fastcall pid_task(struct pid *pid, enum pid_type type)
|
||||||
|
{
|
||||||
|
struct task_struct *result = NULL;
|
||||||
|
+
|
||||||
|
+ if (type == PIDTYPE_REALPID)
|
||||||
|
+ type = PIDTYPE_PID;
|
||||||
|
if (pid) {
|
||||||
|
struct hlist_node *first;
|
||||||
|
first = rcu_dereference(pid->tasks[type].first);
|
||||||
|
@@ -278,11 +281,17 @@
|
||||||
|
*/
|
||||||
|
struct task_struct *find_task_by_pid_type(int type, int nr)
|
||||||
|
{
|
||||||
|
+ struct task_struct *task;
|
||||||
|
+
|
||||||
|
if (type == PIDTYPE_PID)
|
||||||
|
nr = vx_rmap_pid(nr);
|
||||||
|
- else if (type == PIDTYPE_REALPID)
|
||||||
|
- type = PIDTYPE_PID;
|
||||||
|
- return pid_task(find_pid(nr), type);
|
||||||
|
+
|
||||||
|
+ task = pid_task(find_pid(nr), type);
|
||||||
|
+ if (task && (type != PIDTYPE_REALPID) &&
|
||||||
|
+ /* maybe VX_WATCH_P in the future? */
|
||||||
|
+ !vx_check(task->xid, VX_WATCH|VX_IDENT))
|
||||||
|
+ return NULL;
|
||||||
|
+ return task;
|
||||||
|
}
|
||||||
|
|
||||||
|
EXPORT_SYMBOL(find_task_by_pid_type);
|
|
@ -1 +1,2 @@
|
||||||
+ bugfix/all/xen/swiotlb-highmem-copy.patch *_xen *_xen-vserver
|
+ bugfix/all/xen/swiotlb-highmem-copy.patch *_xen *_xen-vserver
|
||||||
|
+ bugfix/all/vserver/cross-context-renice-fix.patch *_vserver *_xen-vserver
|
||||||
|
|
Loading…
Reference in New Issue