diff options
| -rw-r--r-- | Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch | 50 | ||||
| -rw-r--r-- | kernel.spec | 5 |
2 files changed, 55 insertions, 0 deletions
diff --git a/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch b/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch new file mode 100644 index 000000000..0685f06aa --- /dev/null +++ b/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch @@ -0,0 +1,50 @@ +From patchwork Tue Dec 12 19:28:38 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +Subject: Revert "exec: avoid RLIMIT_STACK races with prlimit()" +From: Kees Cook <keescook@chromium.org> +X-Patchwork-Id: 10108209 +Message-Id: <20171212192838.GA14592@beast> +To: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Laura Abbott <labbott@redhat.com>, + =?utf-8?B?VG9tw6HFoQ==?= Trnka <trnka@scm.com>, + linux-kernel@vger.kernel.org +Date: Tue, 12 Dec 2017 11:28:38 -0800 + +This reverts commit 04e35f4495dd560db30c25efca4eecae8ec8c375. + +SELinux runs with secureexec for all non-"noatsecure" domain transitions, +which means lots of processes end up hitting the stack hard-limit change +that was introduced in order to fix a race with prlimit(). That race fix +will need to be redesigned. + +Reported-by: Laura Abbott <labbott@redhat.com> +Reported-by: Tomáš Trnka <trnka@scm.com> +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook <keescook@chromium.org> +--- + fs/exec.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/fs/exec.c b/fs/exec.c +index 6be2aa0ab26f..1d6243d9f2b6 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1340,15 +1340,10 @@ void setup_new_exec(struct linux_binprm * bprm) + * avoid bad behavior from the prior rlimits. This has to + * happen before arch_pick_mmap_layout(), which examines + * RLIMIT_STACK, but after the point of no return to avoid +- * races from other threads changing the limits. This also +- * must be protected from races with prlimit() calls. ++ * needing to clean up the change on failure. + */ +- task_lock(current->group_leader); + if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM) + current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM; +- if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM) +- current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM; +- task_unlock(current->group_leader); + } + + arch_pick_mmap_layout(current->mm); diff --git a/kernel.spec b/kernel.spec index 765dc5b79..fdeb682c3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -632,6 +632,10 @@ Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch # rhbz 1525474 1525476 Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch +# https://patchwork.kernel.org/patch/10108209/ +# https://marc.info/?l=linux-kernel&m=151307686618795 +Patch502: Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch + # 600 - Patches for improved Bay and Cherry Trail device support # Below patches are submitted upstream, awaiting review / merging Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch @@ -2212,6 +2216,7 @@ fi %changelog * Wed Dec 13 2017 Jeremy Cline <jeremy@jcline.org> - Fix CVE-2017-17558 (rhbz 1525474 1525476) +- Revert exec: avoid RLIMIT_STACK races with prlimit() * Tue Dec 12 2017 Jeremy Cline <jeremy@jcline.org> - Fix CVE-2017-8824 (rhbz 1519591 1520764) |