Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-12 08:48:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
linux-next/kernel
History
Nelson Elhage 33dd94ae1c do_exit(): make sure that we run with get_fs() == USER_DS 
If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit().  do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.

This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing.  I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.

A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.

Let's just stick it in do_exit instead.

[akpm@linux-foundation.org: update code comment]
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-12-02 14:51:16 -08:00
..
debug
kdb: fix crash when KDB_BASE_CMD_MAX is exceeded
2010-11-17 13:54:57 -06:00
gcov
llseek: automatically add .llseek fop
2010-10-15 15:53:27 +02:00
irq
Merge branches 'irq-core-for-linus' and 'core-locking-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
2010-10-31 20:40:24 -04:00
power
PM / OPP: Hide OPP configuration when SoCs do not provide an implementation
2010-11-11 01:51:26 +01:00
time
ntp: Clamp PLL update interval
2010-09-09 20:48:37 +02:00
trace
Merge branch 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
2010-11-27 07:28:17 +09:00
.gitignore
acct.c
pass a struct path to vfs_statfs
2010-08-09 16:48:42 -04:00
async.c
async: use workqueue for worker pool
2010-07-14 11:29:46 +02:00
audit_tree.c
in untag_chunk() we need to do alloc_chunk() a bit earlier
2010-10-30 02:18:32 -04:00
audit_watch.c
audit: make functions static
2010-10-30 01:42:19 -04:00
audit.c
audit: Use rcu for task lookup protection
2010-10-30 08:45:42 -04:00
audit.h
audit: make functions static
2010-10-30 01:42:19 -04:00
auditfilter.c
Audit: add support to match lsm labels on user audit messages
2010-10-30 01:41:57 -04:00
auditsc.c
audit mmap
2010-10-30 08:45:43 -04:00
backtracetest.c
bounds.c
kbuild: move bounds.h to include/generated
2009-12-12 13:08:14 +01:00
capability.c
sched: Remove remaining USER_SCHED code
2010-04-02 20:12:00 +02:00
cgroup_freezer.c
cgroup_freezer: update_freezer_state() does incorrect state transitions
2010-10-27 18:03:08 -07:00
cgroup.c
convert cgroup and cpuset
2010-10-29 04:17:06 -04:00
compat.c
compat: Make compat_alloc_user_space() incorporate the access_ok()
2010-09-14 16:08:45 -07:00
configs.c
llseek: automatically add .llseek fop
2010-10-15 15:53:27 +02:00
cpu.c
sched: adjust when cpu_active and cpuset configurations are updated during cpu on/offlining
2010-06-08 21:40:36 +02:00
cpuset.c
convert cgroup and cpuset
2010-10-29 04:17:06 -04:00
cred.c
signals: move cred_guard_mutex from task_struct to signal_struct
2010-10-27 18:03:12 -07:00
delayacct.c
headers: taskstats_kern.h trim
2009-09-18 09:48:52 -07:00
dma.c
elfcore.c
elf coredump: add extended numbering support
2010-03-06 11:26:46 -08:00
exec_domain.c
sys_personality: remove the bogus checks in sys_personality()->__set_personality() path
2010-08-09 20:45:05 -07:00
exit.c
do_exit(): make sure that we run with get_fs() == USER_DS
2010-12-02 14:51:16 -08:00
extable.c
fork.c
signals: move cred_guard_mutex from task_struct to signal_struct
2010-10-27 18:03:12 -07:00
freezer.c
sched: fix nr_uninterruptible accounting of frozen tasks really
2009-07-18 14:19:53 +02:00
futex_compat.c
futex: Address compiler warnings in exit_robust_list
2010-11-10 13:27:50 +01:00
futex.c
futex: Address compiler warnings in exit_robust_list
2010-11-10 13:27:50 +01:00
groups.c
kernel/groups.c: fix integer overflow in groups_search
2010-09-09 18:57:24 -07:00
hrtimer.c
hrtimer: Preserve timer state in remove_hrtimer()
2010-10-14 13:29:59 +02:00
hung_task.c
lockup detector: Fix grammar by adding a missing "to" in the comments
2010-08-17 09:11:52 +02:00
hw_breakpoint.c
perf,hw_breakpoint: Initialize hardware api earlier
2010-11-12 14:51:55 +01:00
irq_work.c
irq_work: Drop cmpxchg() result
2010-11-18 13:18:47 +01:00
itimer.c
itimers: Fix racy writes to cpu_itimer fields
2009-11-18 16:32:12 +01:00
jump_label.c
jump label: Make arch_jump_label_text_poke_early() optional
2010-10-29 12:56:13 -04:00
kallsyms.c
Revert "kernel: make /proc/kallsyms mode 400 to reduce ease of attacking"
2010-11-19 11:54:40 -08:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
mutex: Better control mutex adaptive spinning config
2009-12-03 11:50:11 +01:00
Kconfig.preempt
kexec.c
use clear_page()/copy_page() in favor of memset()/memcpy() on whole pages
2010-10-26 16:52:13 -07:00
kfifo.c
kfifo: fix scatterlist usage
2010-10-01 10:50:58 -07:00
kmod.c
Make do_execve() take a const filename pointer
2010-08-17 18:07:43 -07:00
kprobes.c
jump label: Fix error with preempt disable holding mutex
2010-10-29 12:55:55 -04:00
ksysfs.c
sysfs: add struct file* to bin_attr callbacks
2010-05-21 09:37:31 -07:00
kthread.c
kthread: implement kthread_data()
2010-06-29 10:07:09 +02:00
latencytop.c
latencytop: fix per task accumulator
2010-11-12 07:55:31 -08:00
lockdep_internals.h
lockdep: No need to disable preemption in debug atomic ops
2010-05-04 05:38:16 +02:00
lockdep_proc.c
lockstat: Make lockstat counting per cpu
2010-04-06 00:15:37 +02:00
lockdep_states.h
lockdep.c
lockdep: Check the depth of subclass
2010-10-18 18:44:26 +02:00
Makefile
Merge branch 'core-memblock-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
2010-10-21 18:52:11 -07:00
module.c
tracing: Fix module use of trace_bprintk()
2010-11-10 22:19:24 -05:00
mutex-debug.c
headers: remove sched.h from interrupt.h
2009-10-11 11:20:58 -07:00
mutex-debug.h
locking: Implement new raw_spinlock
2009-12-14 23:55:32 +01:00
mutex.c
mutex: Fix annotations to include it in kernel-locking docbook
2010-09-03 08:19:51 +02:00
mutex.h
notifier.c
sched: Use lockdep-based checking on rcu_dereference()
2010-02-25 10:34:26 +01:00
ns_cgroup.c
cgroup: notify ns_cgroup deprecated
2010-10-27 18:03:09 -07:00
nsproxy.c
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
2010-03-30 22:02:32 +09:00
padata.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
2010-08-04 15:23:14 -07:00
panic.c
lib/bug.c: add oops end marker to WARN implementation
2010-08-11 08:59:22 -07:00
params.c
param: locking for kernel parameters
2010-08-11 23:04:20 +09:30
perf_event.c
perf: Fix the software context switch counter
2010-11-26 15:00:59 +01:00
pid_namespace.c
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
2010-03-30 22:02:32 +09:00
pid.c
Add RCU check for find_task_by_vpid().
2010-08-19 17:18:02 -07:00
pm_qos_params.c
PM / PM QoS: Fix reversed min and max
2010-11-15 22:45:22 +01:00
posix-cpu-timers.c
posix-cpu-timers: Rcu_read_lock/unlock protect find_task_by_vpid call
2010-11-10 13:07:06 +01:00
posix-timers.c
posix_timer: Move copy_to_user(created_timer_id) down in timer_create()
2010-07-23 15:08:12 +02:00
printk.c
capabilities/syslog: open code cap_syslog logic to fix build failure
2010-11-15 15:40:01 -08:00
profile.c
llseek: automatically add .llseek fop
2010-10-15 15:53:27 +02:00
ptrace.c
signals: move cred_guard_mutex from task_struct to signal_struct
2010-10-27 18:03:12 -07:00
range.c
kernel/range.c: fix clean_sort_range() for the case of full array
2010-11-12 07:55:31 -08:00
rcupdate.c
Merge branch 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-2.6-rcu into core/rcu
2010-10-07 09:43:11 +02:00
rcutiny_plugin.h
rcu: performance fixes to TINY_PREEMPT_RCU callback checking
2010-08-27 10:51:17 -07:00
rcutiny.c
rcu: Add a TINY_PREEMPT_RCU
2010-08-20 08:55:00 -07:00
rcutorture.c
rcu: fix sparse errors in rcutorture.c
2010-09-23 09:16:42 -07:00
rcutree_plugin.h
rcu: fix _oddness handling of verbose stall warnings
2010-09-02 16:15:30 -07:00
rcutree_trace.c
rcu: Add tracing data to support queueing models
2010-09-23 09:16:53 -07:00
rcutree.c
rcu: using ACCESS_ONCE() to observe the jiffies_stall/rnp->qsmask value
2010-10-07 10:41:06 -07:00
rcutree.h
rcu: Add tracing data to support queueing models
2010-09-23 09:16:53 -07:00
relay.c
Clean up relay_alloc_page_array() slightly by using vzalloc rather than vmalloc and memset
2010-11-05 08:21:34 -07:00
res_counter.c
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
2010-03-30 22:02:32 +09:00
resource.c
Merge branch 'linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6
2010-10-28 11:59:52 -07:00
rtmutex_common.h
rtmutex-debug.c
sched: Convert pi_lock to raw_spinlock
2009-12-14 23:55:33 +01:00
rtmutex-debug.h
rtmutex-tester.c
rtmutex-tester: make it build without BKL
2010-10-19 11:29:56 +02:00
rtmutex.c
rtmutes: Convert rtmutex.lock to raw_spinlock
2009-12-14 23:55:33 +01:00
rtmutex.h
rwsem.c
sched_clock.c
sched_clock: Add local_clock() API and improve documentation
2010-06-09 10:34:49 +02:00
sched_cpupri.c
sched: No need for bootmem special cases
2010-07-17 12:06:22 +02:00
sched_cpupri.h
sched: No need for bootmem special cases
2010-07-17 12:06:22 +02:00
sched_debug.c
sched: Use correct macro to display sched_child_runs_first in /proc/sched_debug
2010-07-21 21:46:12 +02:00
sched_fair.c
sched: Fix idle balancing
2010-11-18 13:12:33 +01:00
sched_features.h
sched: Remove irq time from available CPU power
2010-10-18 20:52:27 +02:00
sched_idletask.c
sched: Cure load average vs NO_HZ woes
2010-04-23 11:02:02 +02:00
sched_rt.c
sched: Do not account irq time to current task
2010-10-18 20:52:26 +02:00
sched_stats.h
sched_stat: Update sched_info_queue/dequeue() code comments
2010-10-24 13:29:01 +02:00
sched_stoptask.c
sched: Fix cross-sched-class wakeup preemption
2010-11-11 14:37:23 +01:00
sched.c
sched: Fix cross-sched-class wakeup preemption
2010-11-11 14:37:23 +01:00
seccomp.c
semaphore.c
signal.c
signals: annotate lock context change on ptrace_stop()
2010-10-27 18:03:12 -07:00
smp.c
Typedef SMP call function pointer
2010-10-27 17:28:36 +01:00
softirq.c
Merge branch 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
2010-10-27 18:48:00 -07:00
spinlock.c
locking: Cleanup the name space completely
2009-12-14 23:55:33 +01:00
srcu.c
kernel: Remove undead ifdef CONFIG_DEBUG_LOCK_ALLOC
2010-09-23 09:14:51 -07:00
stacktrace.c
stop_machine.c
stop_machine: convert cpu notifier to return encapsulate errno value
2010-10-26 16:52:15 -07:00
sys_ni.c
powerpc: define a compat_sys_recv cond_syscall
2010-09-23 17:03:55 +10:00
sys.c
pid: make setpgid() system call use RCU read-side critical section
2010-08-31 17:00:18 -07:00
sysctl_binary.c
sysctl: don't use own implementation of hex_to_bin()
2010-05-25 08:07:05 -07:00
sysctl_check.c
sysctl: min/max bounds are optional
2010-10-15 14:42:24 -07:00
sysctl.c
kernel/sysctl.c: Fix build failure with !CONFIG_PRINTK
2010-11-16 07:56:09 -08:00
taskstats.c
taskstats: split fill_pid function
2010-10-27 18:03:17 -07:00
test_kprobes.c
kprobes: Fix selftest to clear flags field for reusing probes
2010-10-14 08:55:27 +02:00
time.c
time: Kill off CONFIG_GENERIC_TIME
2010-07-27 12:40:54 +02:00
timeconst.pl
timer.c
irq_work: Add generic hardirq context callbacks
2010-10-18 19:58:50 +02:00
tracepoint.c
jump_label: Use more consistent naming
2010-10-18 19:58:56 +02:00
tsacct.c
taskstats: use real microsecond granularity for CPU times
2010-10-27 18:03:17 -07:00
uid16.c
headers: utsname.h redux
2009-09-23 18:13:10 -07:00
up.c
user_namespace.c
user_ns: Introduce user_nsmap_uid and user_ns_map_gid.
2010-06-16 14:55:34 -07:00
user-return-notifier.c
core: Clean up user return notifers use of per_cpu
2009-12-02 10:22:59 +01:00
user.c
kernel/user.c: add lock release annotation on free_user()
2010-10-26 16:52:15 -07:00
utsname_sysctl.c
sysctl kernel: Remove binary sysctl logic
2009-11-12 02:04:55 -08:00
utsname.c
utsns: extract creeate_uts_ns()
2009-06-18 13:03:55 -07:00
wait.c
docbook: add more wait/wake/completion to device-drivers docbook
2010-10-26 17:32:41 -07:00
watchdog.c
watchdog: Fix section mismatch and potential undefined behavior.
2010-11-05 17:45:35 -07:00
workqueue_sched.h
workqueue: implement concurrency managed dynamic worker pool
2010-06-29 10:07:14 +02:00
workqueue.c
workqueues: s/ON_STACK/ONSTACK/
2010-10-26 16:52:14 -07:00