[PATCH 0/3] CVE-2010-4248

Tim Gardner tim.gardner at canonical.com
Fri Feb 4 13:56:50 UTC 2011


On 02/03/2011 01:01 PM, Brad Figg wrote:
> Following this email will be three patches associated with this CVE. The
> patches cover Hardy, Karmic and Maverick. This CVE has already been fixed
> in Lucid via an upstream stable release.
>
>      CVE-2010-4248
>
>      BugLink: http://bugs.launchpad.net/bugs/712609
>
>      posix-cpu-timers.c correctly assumes that the dying process does
>      posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
>      timers from signal->cpu_timers list.
>
>      But, it also assumes that timer->it.cpu.task is always the group
>      leader, and thus the dead ->task means the dead thread group.
>
>      This is obviously not true after de_thread() changes the leader.
>      After that almost every posix_cpu_timer_ method has problems.
>
>      It is not simple to fix this bug correctly. First of all, I think
>      that timer->it.cpu should use struct pid instead of task_struct.
>      Also, the locking should be reworked completely. In particular,
>      tasklist_lock should not be used at all. This all needs a lot of
>      nontrivial and hard-to-test changes.
>
>      Change __exit_signal() to do posix_cpu_timers_exit_group() when
>      the old leader dies during exec. This is not the fix, just the
>      temporary hack to hide the problem for 2.6.37 and stable. IOW,
>      this is obviously wrong but this is what we currently have anyway:
>      cpu timers do not work after mt exec.
>
>      In theory this change adds another race. The exiting leader can
>      detach the timers which were attached to the new leader. However,
>      the window between de_thread() and release_task() is small, we
>      can pretend that sys_timer_create() was called before de_thread().
>
>      Signed-off-by: Oleg Nesterov <oleg at redhat.com>
>      Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
>
>      (cherry-picked from commit e0a70217107e6f9844628120412cb27bb4cea194)
>      Signed-off-by: Brad Figg <brad.figg at canonical.com>
>
> Oleg Nesterov (1):
>    posix-cpu-timers: workaround to suppress the problems with mt exec,
>      CVE-2010-4248
>
>   kernel/exit.c |    8 ++++++++
>   1 files changed, 8 insertions(+), 0 deletions(-)
>

This is so twisted that I have to trust that Oleg and Linus know what 
they are doing.

Acked-by: Tim Gardner <tim.gardner at canonical.com>

-- 
Tim Gardner tim.gardner at canonical.com
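A userspace regression check for the symptom the commit message states ("cpu timers do not work after mt exec"), added here as an example and not taken from the patch or the thread: a process CPU-clock timer is armed, a non-leader thread re-execs the binary so the old group leader dies during exec, and the new image arms another process CPU timer and verifies that it fires. It assumes Linux with glibc (timer_create() and pthreads available from libc) and /proc/self/exe; the exit status is the verdict.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <signal.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
static volatile sig_atomic_t fired;               /* set when the CPU timer signal arrives */
static void on_timer(int sig) { (void)sig; fired = 1; }

/* Arm a one-shot CLOCK_PROCESS_CPUTIME_ID timer for cpu_ms of CPU time (delivered as
 * SIGUSR1), then burn CPU. Returns 1 if it fired, 0 if it never did, -1 on setup error. */
int process_cpu_timer_fires(long cpu_ms)
{
    struct sigaction sa = { .sa_handler = on_timer };
    struct sigevent sev = { .sigev_notify = SIGEV_SIGNAL, .sigev_signo = SIGUSR1 };
    struct itimerspec its = { .it_value = { cpu_ms / 1000, (cpu_ms % 1000) * 1000000L } };
    struct timespec t0, now;
    timer_t tid; long used;
    fired = 0;
    if (sigaction(SIGUSR1, &sa, NULL) || timer_create(CLOCK_PROCESS_CPUTIME_ID, &sev, &tid))
        return -1;
    clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &t0);
    if (timer_settime(tid, 0, &its, NULL)) { timer_delete(tid); return -1; }
    do {                                          /* the spinning itself is the CPU load */
        clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &now);
        used = (now.tv_sec - t0.tv_sec) * 1000L + (now.tv_nsec - t0.tv_nsec) / 1000000L;
    } while (!fired && used < cpu_ms * 5);        /* 5x the budget burned: declare it broken */
    timer_delete(tid);
    return fired ? 1 : 0;
}

/* Runs in a non-leader thread: re-exec the binary, so the old group leader dies in exec. */
static void *exec_from_thread(void *self)
{
    char *argv[] = { (char *)self, "--after-exec", NULL };
    execv("/proc/self/exe", argv);                /* constructed marker argument, see main() */
    _exit(2);                                     /* only reached if exec failed */
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--after-exec") == 0)
        return process_cpu_timer_fires(20) == 1 ? 0 : 1;   /* post-exec image: 0 = fired */
    /* Arm a process CPU timer first, so a group timer is attached when de_thread() runs. */
    struct sigevent sev = { .sigev_notify = SIGEV_SIGNAL, .sigev_signo = SIGUSR1 };
    struct itimerspec its = { .it_value = { 10, 0 } };
    timer_t tid; pthread_t t;
    if (timer_create(CLOCK_PROCESS_CPUTIME_ID, &sev, &tid) == 0) timer_settime(tid, 0, &its, NULL);
    pthread_create(&t, NULL, exec_from_thread, argv[0]);
    pause();                                      /* the exec'd image takes over from here */
}
```

Run the built binary with no arguments: exit status 0 means the process CPU timer armed after the multi-threaded exec fired, 1 means it did not.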