From 9036f48254be36e433ed3bb01f4cf951ff65d98c Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 13 Dec 2017 13:55:37 -0500 Subject: [PATCH] Revert exec: avoid RLIMIT_STACK races with prlimit() --- ...void-RLIMIT_STACK-races-with-prlimit.patch | 50 +++++++++++++++++++ kernel.spec | 5 ++ 2 files changed, 55 insertions(+) create mode 100644 Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch diff --git a/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch b/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch new file mode 100644 index 000000000..0685f06aa --- /dev/null +++ b/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch @@ -0,0 +1,50 @@ +From patchwork Tue Dec 12 19:28:38 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +Subject: Revert "exec: avoid RLIMIT_STACK races with prlimit()" +From: Kees Cook +X-Patchwork-Id: 10108209 +Message-Id: <20171212192838.GA14592@beast> +To: Linus Torvalds +Cc: Laura Abbott , + =?utf-8?B?VG9tw6HFoQ==?= Trnka , + linux-kernel@vger.kernel.org +Date: Tue, 12 Dec 2017 11:28:38 -0800 + +This reverts commit 04e35f4495dd560db30c25efca4eecae8ec8c375. + +SELinux runs with secureexec for all non-"noatsecure" domain transitions, +which means lots of processes end up hitting the stack hard-limit change +that was introduced in order to fix a race with prlimit(). That race fix +will need to be redesigned. + +Reported-by: Laura Abbott +Reported-by: Tomáš Trnka +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +--- + fs/exec.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/fs/exec.c b/fs/exec.c +index 6be2aa0ab26f..1d6243d9f2b6 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1340,15 +1340,10 @@ void setup_new_exec(struct linux_binprm * bprm) + * avoid bad behavior from the prior rlimits. This has to + * happen before arch_pick_mmap_layout(), which examines + * RLIMIT_STACK, but after the point of no return to avoid +- * races from other threads changing the limits. This also +- * must be protected from races with prlimit() calls. ++ * needing to clean up the change on failure. + */ +- task_lock(current->group_leader); + if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM) + current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM; +- if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM) +- current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM; +- task_unlock(current->group_leader); + } + + arch_pick_mmap_layout(current->mm); diff --git a/kernel.spec b/kernel.spec index 3269a9b48..90d0f68e3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -621,6 +621,10 @@ Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch # rhbz 1525474 1525476 Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch +# https://patchwork.kernel.org/patch/10108209/ +# https://marc.info/?l=linux-kernel&m=151307686618795 +Patch502: Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch + # 600 - Patches for improved Bay and Cherry Trail device support # Below patches are submitted upstream, awaiting review / merging Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch @@ -2221,6 +2225,7 @@ fi %changelog * Wed Dec 13 2017 Jeremy Cline - Fix CVE-2017-17558 (rhbz 1525474 1525476) +- Revert exec: avoid RLIMIT_STACK races with prlimit() * Tue Dec 12 2017 Jeremy Cline - Fix CVE-2017-8824 (rhbz 1519591 1520764)