From 0e076e3520b0fff06724564b68735d5e4cbfc954 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Wed, 5 Oct 2011 14:14:35 +0000 Subject: [PATCH] Make taskstats require root access (CVE-2011-2494) We want this fix everywhere, not just in rt! svn path=/dists/sid/linux-2.6/; revision=18151 --- debian/changelog | 1 + .../Make-TASKSTATS-require-root-access.patch | 37 +++++++++++++++++++ .../features/all/rt/patch-3.0.6-rt16.patch | 15 ++------ debian/patches/series/5 | 2 + 4 files changed, 43 insertions(+), 12 deletions(-) create mode 100644 debian/patches/bugfix/all/Make-TASKSTATS-require-root-access.patch diff --git a/debian/changelog b/debian/changelog index 89431d999..7ac1f83be 100644 --- a/debian/changelog +++ b/debian/changelog @@ -55,6 +55,7 @@ linux-2.6 (3.0.0-5) UNRELEASED; urgency=low For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.5 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.6 + * Make taskstats require root access (CVE-2011-2494) [ Uwe Kleine-König ] * [amd64] Update rt featureset to 3.0.6-rt16 (Closes: #643301) diff --git a/debian/patches/bugfix/all/Make-TASKSTATS-require-root-access.patch b/debian/patches/bugfix/all/Make-TASKSTATS-require-root-access.patch new file mode 100644 index 000000000..0ecbcf18b --- /dev/null +++ b/debian/patches/bugfix/all/Make-TASKSTATS-require-root-access.patch @@ -0,0 +1,37 @@ +From: Linus Torvalds +Date: Mon, 19 Sep 2011 17:04:37 -0700 +Subject: [PATCH] Make TASKSTATS require root access + +commit 1a51410abe7d0ee4b1d112780f46df87d3621043 upstream. + +Ok, this isn't optimal, since it means that 'iotop' needs admin +capabilities, and we may have to work on this some more. But at the +same time it is very much not acceptable to let anybody just read +anybody elses IO statistics quite at this level. + +Use of the GENL_ADMIN_PERM suggested by Johannes Berg as an alternative +to checking the capabilities by hand. + +Reported-by: Vasiliy Kulikov +Cc: Johannes Berg +Acked-by: Balbir Singh +Signed-off-by: Linus Torvalds +--- + kernel/taskstats.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/kernel/taskstats.c b/kernel/taskstats.c +index e19ce14..e660464 100644 +--- a/kernel/taskstats.c ++++ b/kernel/taskstats.c +@@ -655,6 +655,7 @@ static struct genl_ops taskstats_ops = { + .cmd = TASKSTATS_CMD_GET, + .doit = taskstats_user_cmd, + .policy = taskstats_cmd_get_policy, ++ .flags = GENL_ADMIN_PERM, + }; + + static struct genl_ops cgroupstats_ops = { +-- +1.7.6.3 + diff --git a/debian/patches/features/all/rt/patch-3.0.6-rt16.patch b/debian/patches/features/all/rt/patch-3.0.6-rt16.patch index 127cacb5d..40bd5d2be 100644 --- a/debian/patches/features/all/rt/patch-3.0.6-rt16.patch +++ b/debian/patches/features/all/rt/patch-3.0.6-rt16.patch @@ -1,3 +1,6 @@ +[bwh: Dropped fix to kernel/taskstats.c applied separately in + bugfix/all/Make-TASKSTATS-require-root-access.patch] + Index: linux-2.6/mm/memory.c =================================================================== --- linux-2.6.orig/mm/memory.c @@ -1228,18 +1231,6 @@ Index: linux-2.6/arch/x86/kernel/irq.c inc_irq_stat(x86_platform_ipis); if (x86_platform_ipi_callback) -Index: linux-2.6/kernel/taskstats.c -=================================================================== ---- linux-2.6.orig/kernel/taskstats.c -+++ linux-2.6/kernel/taskstats.c -@@ -657,6 +657,7 @@ static struct genl_ops taskstats_ops = { - .cmd = TASKSTATS_CMD_GET, - .doit = taskstats_user_cmd, - .policy = taskstats_cmd_get_policy, -+ .flags = GENL_ADMIN_PERM, - }; - - static struct genl_ops cgroupstats_ops = { Index: linux-2.6/kernel/trace/ftrace.c =================================================================== --- linux-2.6.orig/kernel/trace/ftrace.c diff --git a/debian/patches/series/5 b/debian/patches/series/5 index f21c84dfe..776730c0a 100644 --- a/debian/patches/series/5 +++ b/debian/patches/series/5 @@ -7,3 +7,5 @@ - bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch + bugfix/all/stable/3.0.5.patch + bugfix/all/stable/3.0.6.patch + ++ bugfix/all/Make-TASKSTATS-require-root-access.patch