[APPLIED][PATCH 0/3] CVE-2010-4248
Stefan Bader
stefan.bader at canonical.com
Mon Feb 7 09:49:36 UTC 2011
On 02/03/2011 09:01 PM, Brad Figg wrote:
> Following this email will be three patches associated with this CVE. The
> patches cover Hardy, Karmic and Maverick. This CVE has already been fixed
> in Lucid via an upstream stable release.
>
> CVE-2010-4248
>
> BugLink: http://bugs.launchpad.net/bugs/712609
>
> posix-cpu-timers.c correctly assumes that the dying process does
> posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
> timers from signal->cpu_timers list.
>
> But, it also assumes that timer->it.cpu.task is always the group
> leader, and thus the dead ->task means the dead thread group.
>
> This is obviously not true after de_thread() changes the leader.
> After that almost every posix_cpu_timer_ method has problems.
>
> It is not simple to fix this bug correctly. First of all, I think
> that timer->it.cpu should use struct pid instead of task_struct.
> Also, the locking should be reworked completely. In particular,
> tasklist_lock should not be used at all. This all needs a lot of
> nontrivial and hard-to-test changes.
>
> Change __exit_signal() to do posix_cpu_timers_exit_group() when
> the old leader dies during exec. This is not the fix, just the
> temporary hack to hide the problem for 2.6.37 and stable. IOW,
> this is obviously wrong but this is what we currently have anyway:
> cpu timers do not work after mt exec.
>
> In theory this change adds another race. The exiting leader can
> detach the timers which were attached to the new leader. However,
> the window between de_thread() and release_task() is small, we
> can pretend that sys_timer_create() was called before de_thread().
>
> Signed-off-by: Oleg Nesterov <oleg at redhat.com>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
>
> (cherry-picked from commit e0a70217107e6f9844628120412cb27bb4cea194)
> Signed-off-by: Brad Figg <brad.figg at canonical.com>
>
> Oleg Nesterov (1):
> posix-cpu-timers: workaround to suppress the problems with mt exec,
> CVE-2010-4248
>
> kernel/exit.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
>