linux

mirror of https://github.com/hardkernel/linux.git synced 2026-04-03 11:43:03 +09:00

Files

Nelson Elhage b5846f22eb do_exit(): make sure that we run with get_fs() == USER_DS

commit 33dd94ae1c upstream.

If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit().  do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.

This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing.  I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.

A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.

Let's just stick it in do_exit instead.

[akpm@linux-foundation.org: update code comment]
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

2010-12-09 13:27:01 -08:00

gcov

gcov: fix null-pointer dereference for certain module types

2010-09-20 13:17:53 -07:00

irq

irq: Add new IRQ flag IRQF_NO_SUSPEND

2010-08-13 13:19:50 -07:00

power

Freezer: Fix buggy resume test for tasks frozen with cgroup freezer

2010-04-26 07:41:17 -07:00

time

timekeeping: Fix clock_gettime vsyscall time warp

2010-08-13 13:20:13 -07:00

trace

ring-buffer: Fix typo of time extends per page

2010-10-28 21:44:00 -07:00

.gitignore

Update kernel/.gitignore with new auto-generated files

2008-02-09 23:27:01 -08:00

acct.c

bsdacct: fix uid/gid misreporting

2009-12-18 14:03:52 -08:00

async.c

async: Fix lack of boot-time console due to insufficient synchronization

2009-06-08 12:31:53 -07:00

audit_tree.c

fix more leaks in audit_tree.c tag_chunk()

2010-01-18 10:19:50 -08:00

audit_watch.c

Audit: reorganize struct audit_watch to save 8 bytes

2009-09-24 03:50:25 -04:00

audit.c

Audit: send signal info if selinux is disabled

2009-09-24 03:50:26 -04:00

audit.h

Fix rule eviction order for AUDIT_DIR

2009-06-24 00:02:38 -04:00

auditfilter.c

Audit: clean up all op= output to include string quoting

2009-06-24 00:00:52 -04:00

auditsc.c

Audit: rearrange audit_context to save 16 bytes per struct

2009-09-24 03:50:26 -04:00

backtracetest.c

backtrace: replace timer with tasklet + completions

2008-06-27 18:09:16 +02:00

bounds.c

Add kbuild.h that contains common definitions for kbuild users

2008-04-29 08:06:29 -07:00

capability.c

[CVE-2009-0029] System call wrappers part 04

2009-01-14 14:15:19 +01:00

cgroup_freezer.c

Freezer: Fix buggy resume test for tasks frozen with cgroup freezer

2010-04-26 07:41:17 -07:00

cgroup.c

cgroups: fix 2.6.32 regression causing BUG_ON() in cgroup_diput()

2010-01-18 10:19:32 -08:00

compat.c

compat: Make compat_alloc_user_space() incorporate the access_ok()

2010-09-20 13:17:57 -07:00

configs.c

kernel/configs.c: remove useless comments

2008-10-20 08:52:34 -07:00

cpu.c

sched: _cpu_down(): Don't play with current->cpus_allowed

2010-09-20 13:18:08 -07:00

cpuset.c

sched: Make select_fallback_rq() cpuset friendly

2010-09-20 13:18:08 -07:00

cred-internals.h

CRED: Inaugurate COW credentials

2008-11-14 10:39:23 +11:00

cred.c

CRED: Fix a race in creds_are_invalid() in credentials debugging

2010-05-12 14:57:10 -07:00

delayacct.c

headers: taskstats_kern.h trim

2009-09-18 09:48:52 -07:00

dma.c

kernel/dma.c: remove a CVS keyword

2008-10-16 11:21:30 -07:00

exec_domain.c

Get rid of indirect include of fs_struct.h

2009-03-31 23:00:27 -04:00

exit.c

do_exit(): make sure that we run with get_fs() == USER_DS

2010-12-09 13:27:01 -08:00

extable.c

Merge branch 'tracing-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

2009-04-05 11:04:19 -07:00

fork.c

sched: Fix fork vs hotplug vs cpuset namespaces

2010-09-20 13:18:02 -07:00

freezer.c

sched: fix nr_uninterruptible accounting of frozen tasks really

2009-07-18 14:19:53 +02:00

futex_compat.c

futex: Fix compat_futex to be same as futex for REQUEUE_PI

2009-08-10 15:41:12 +02:00

futex.c

futex: Fix errors in nested key ref-counting

2010-11-22 10:47:31 -08:00

groups.c

kernel/groups.c: fix integer overflow in groups_search

2010-09-20 13:17:54 -07:00

hrtimer.c

hrtimer: Preserve timer state in remove_hrtimer()

2010-10-28 21:44:01 -07:00

hung_task.c

sysctl: remove "struct file *" argument of ->proc_handler

2009-09-24 07:21:04 -07:00

itimer.c

itimers: Add tracepoints for itimer

2009-08-29 14:10:07 +02:00

kallsyms.c

kallsyms: use new arch_is_kernel_text()

2009-09-23 07:39:30 -07:00

Kconfig.freezer

container freezer: implement freezer cgroup subsystem

2008-10-20 08:52:34 -07:00

Kconfig.hz

sched: fix SCHED_HRTICK dependency

2008-07-28 14:37:38 +02:00

Kconfig.preempt

rcu: provide RCU options on non-preempt architectures too

2008-12-25 09:31:28 +01:00

kexec.c

kexec: fix omitting offset in extended crashkernel syntax

2009-07-29 19:10:34 -07:00

kfifo.c

kfifo: Use "const" definitions

2009-09-19 13:13:17 -07:00

kgdb.c

sysrq, intel_fb: fix sysrq g collision

2009-05-15 07:56:24 -05:00

kmod.c

Revert "kmod: fix race in usermodehelper code"

2009-09-23 18:12:10 -07:00

kprobes.c

const: constify remaining file_operations

2009-10-01 16:11:11 -07:00

ksysfs.c

kernel/ksysfs.c:fix dependence on CONFIG_NET

2009-01-06 10:44:31 -08:00

kthread.c

cpuset: fix the problem that cpuset_mem_spread_node() returns an offline node

2010-04-01 15:58:46 -07:00

latencytop.c

latencytop: fix per task accumulator

2010-12-09 13:26:51 -08:00

lockdep_internals.h

lockdep: BFS cleanup

2009-07-24 10:53:29 +02:00

lockdep_proc.c

seq_file: constify seq_operations

2009-09-23 07:39:29 -07:00

lockdep_states.h

lockdep: move state bit definitions around

2009-02-14 23:27:59 +01:00

lockdep.c

Revert "lockdep: fix incorrect percpu usage"

2010-06-01 09:45:46 -07:00

Makefile

SLOW_WORK: Move slow_work's proc file to debugfs

2009-12-01 08:20:31 -08:00

module.c

dynamic debug: move ddebug_remove_module() down into free_module()

2010-08-02 10:20:47 -07:00

mutex-debug.c

headers: remove sched.h from interrupt.h

2009-10-11 11:20:58 -07:00

mutex-debug.h

mutex: implement adaptive spinning

2009-01-14 18:09:02 +01:00

mutex.c

mutex: Fix optimistic spinning vs. BKL

2010-07-05 11:10:31 -07:00

mutex.h

mutex: implement adaptive spinning

2009-01-14 18:09:02 +01:00

notifier.c

Merge commit 'v2.6.28-rc6' into core/debug

2008-11-26 08:22:50 +01:00

ns_cgroup.c

cgroups: let ss->can_attach and ss->attach do whole threadgroups at a time

2009-09-24 07:20:58 -07:00

nsproxy.c

nsproxy: extract create_nsproxy()

2009-06-18 13:03:56 -07:00

panic.c

Merge branch 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

2009-10-08 12:16:35 -07:00

params.c

param: fix setting arrays of bool

2009-10-29 08:56:20 +10:30

perf_event.c

Fix racy use of anon_inode_getfd() in perf_event.c

2010-07-05 11:10:30 -07:00

pid_namespace.c

pidns: deny CLONE_PARENT|CLONE_NEWPID combination

2009-09-24 07:21:04 -07:00

pid.c

mm: also use alloc_large_system_hash() for the PID hash table

2009-09-22 07:17:38 -07:00

pm_qos_params.c

pm_qos_requirement might sleep

2008-09-02 19:21:40 -07:00

posix-cpu-timers.c

itimers: Add tracepoints for itimer

2009-08-29 14:10:07 +02:00

posix-timers.c

posix_timer: Fix error path in timer_create

2010-07-05 11:10:30 -07:00

printk.c

printk: add printk_delay to make messages readable for some scenarios

2009-09-23 07:39:28 -07:00

profile.c

profile: fix stats and data leakage

2010-05-26 14:29:18 -07:00

ptrace.c

ptrace: __ptrace_detach: do __wake_up_parent() if we reap the tracee

2009-09-24 07:20:59 -07:00

rcupdate.c

rcu: Move rcu_barrier() to rcutree

2009-10-07 08:11:20 +02:00

rcutorture.c

rcu: Clean up code to address Ingo's checkpatch feedback

2009-09-23 19:46:30 +02:00

rcutree_plugin.h

rcu: Remove inline from forward-referenced functions

2009-12-18 14:03:04 -08:00

rcutree_trace.c

rcu: Make hot-unplugged CPU relinquish its own RCU callbacks

2009-10-07 08:11:20 +02:00

rcutree.c

rcu: Fix note_new_gpnum() uses of ->gpnum

2009-12-18 14:03:01 -08:00

rcutree.h

rcu: Remove inline from forward-referenced functions

2009-12-18 14:03:04 -08:00

relay.c

const: mark struct vm_struct_operations

2009-09-27 11:39:25 -07:00

res_counter.c

memcg: some modification to softlimit under hierarchical memory reclaim.

2009-10-01 16:11:13 -07:00

resource.c

walk system ram range

2009-09-23 07:39:41 -07:00

rtmutex_common.h

rt_mutex: add proxy lock routines

2009-04-06 11:14:02 +02:00

rtmutex-debug.c

Don't operate with pid_t in rtmutex tester

2008-02-08 09:22:41 -08:00

rtmutex-debug.h

[PATCH] lockdep: better lock debugging

2006-07-03 15:27:01 -07:00

rtmutex-tester.c

sysdev: Pass the attribute to the low level sysdev show/store function

2008-07-21 21:55:02 -07:00

rtmutex.c

rtmutex: Avoid deadlock in rt_mutex_start_proxy_lock()

2009-08-06 05:50:21 +02:00

rtmutex.h

[PATCH] lockdep: better lock debugging

2006-07-03 15:27:01 -07:00

rwsem.c

sched: mark rwsem functions as __sched for wchan/profiling

2007-12-18 15:21:13 +01:00

sched_clock.c

sched: Fix cpu_clock() in NMIs, on !CONFIG_HAVE_UNSTABLE_SCHED_CLOCK

2010-01-22 15:18:30 -08:00

sched_cpupri.c

sched: Add new prio to cpupri before removing old prio

2009-08-02 14:26:09 +02:00

sched_cpupri.h

cpumask: remove cpumask_t from core

2009-03-30 22:05:17 +10:30

sched_debug.c

sched: Remove forced2_migrations stats

2010-09-20 13:17:59 -07:00

sched_fair.c

sched: Fix select_idle_sibling() logic in select_task_rq_fair()

2010-09-20 13:18:12 -07:00

sched_features.h

sched: Add new wakeup preemption mode: WAKEUP_RUNNING

2009-09-17 10:17:25 +02:00

sched_idletask.c

sched: Fix TASK_WAKING vs fork deadlock

2010-09-20 13:18:09 -07:00

sched_rt.c

sched: Fix TASK_WAKING vs fork deadlock

2010-09-20 13:18:09 -07:00

sched_stats.h

sched: remove unused fields from struct rq

2009-03-24 23:16:51 +01:00

sched.c

sched: Fix string comparison in /proc/sched_features

2010-11-22 10:47:30 -08:00

seccomp.c

x86-64: seccomp: fix 32/64 syscall hole

2009-03-02 15:41:30 -08:00

semaphore.c

semaphore: __down_common: use signal_pending_state()

2008-08-05 14:33:47 -07:00

signal.c

signals: check_kill_permission(): don't check creds if same_thread_group()

2010-07-05 11:10:56 -07:00

slow-work-debugfs.c

SLOW_WORK: Move slow_work's proc file to debugfs

2009-12-01 08:20:31 -08:00

slow-work.c

slow-work: use get_ref wrapper instead of directly calling get_ref

2010-08-10 10:20:45 -07:00

slow-work.h

SLOW_WORK: Move slow_work's proc file to debugfs

2009-12-01 08:20:31 -08:00

smp.c

cpumask: remove arch_send_call_function_ipi

2009-09-24 09:34:47 +09:30

softirq.c

softirq: add BLOCK_IOPOLL to softirq_to_name

2009-09-17 15:53:44 -04:00

softlockup.c

softlockup: Stop spurious softlockup messages due to overflow

2010-04-01 15:58:47 -07:00

spinlock.c

locking: Allow arch-inlined spinlocks

2009-08-31 18:08:50 +02:00

srcu.c

make srcu_readers_active() static

2008-02-06 10:41:02 -08:00

stacktrace.c

stacktrace: provide save_stack_trace_tsk() weak alias

2008-12-25 11:44:43 +01:00

stop_machine.c

cpumask: remove cpumask_t from core

2009-03-30 22:05:17 +10:30

sys_ni.c

Merge branch 'master' of /home/davem/src/GIT/linux-2.6/

2009-09-24 15:13:11 -07:00

sys.c

pid: make setpgid() system call use RCU read-side critical section

2010-09-26 17:21:25 -07:00

sysctl_check.c

NET: fix oops at bootime in sysctl code

2010-02-09 04:51:02 -08:00

sysctl.c

kernel/sysctl.c: fix stable merge error in NOMMU mmap_min_addr

2010-01-18 10:19:49 -08:00

taskstats.c

genetlink: make netns aware

2009-07-12 14:03:27 -07:00

test_kprobes.c

kprobes: add tests for register_kprobes

2009-01-06 15:59:20 -08:00

time.c

time: Prevent 32 bit overflow with set_normalized_timespec()

2009-09-15 10:17:30 +02:00

timeconst.pl

Make constants in kernel/timeconst.h fixed 64 bits

2008-05-02 16:18:42 -07:00

timer.c

Merge branch 'timers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

2009-09-23 09:46:15 -07:00

tracepoint.c

trivial: fix typo "to to" in multiple files

2009-09-21 15:14:55 +02:00

tsacct.c

Fix fixpoint divide exception in acct_update_integrals

2009-03-09 08:13:35 -07:00

uid16.c

headers: utsname.h redux

2009-09-23 18:13:10 -07:00

up.c

smp_call_function_single(): be slightly less stupid, fix #2

2009-01-12 16:04:37 +01:00

user_namespace.c

Fix recursive lock in free_uid()/free_user_ns()

2009-02-27 16:26:21 -08:00

user.c

uids: Prevent tear down race

2009-11-02 16:02:39 +01:00

utsname_sysctl.c

sysctl: remove "struct file *" argument of ->proc_handler

2009-09-24 07:21:04 -07:00

utsname.c

utsns: extract creeate_uts_ns()

2009-06-18 13:03:55 -07:00

wait.c

locking, sched: Give waitqueue spinlocks their own lockdep classes

2009-08-10 14:43:09 +02:00

workqueue.c

workqueue: fix race condition in schedule_on_each_cpu()

2009-11-17 17:40:33 -08:00