oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Linux kernel futex local privilege escalation (CVE-2014-3153)

From: rf () q-leap de
Date: Fri, 6 Jun 2014 16:24:23 +0200
"Greg" == Greg KH <greg () kroah com> writes:


    Greg> On Fri, Jun 06, 2014 at 11:11:42AM +0200, rf () q-leap de wrote:
    >> >>>>> "Thomas" == Thomas Gleixner <tglx () linutronix de> writes:
    >>
    >> Hi Thomas,
    >>
    >> >> On Thu, Jun 05, 2014 at 11:38:27PM -0400, Rich Felker wrote:
    >> >> > On Thu, Jun 05, 2014 at 06:45:45PM +0400, Solar Designer
    >> >> > wrote:
    >> >> > > I've attached patches by Thomas Gleixner (four e-mails, in
    >> >> > > mbox format), as well as back-ports of those by John
    >> >> > > Johansen of Canonical, who wrote:
    >> >> >
    >> >> > Maybe I'm missing something, but I can't find any statement
    >> >> > of what version these patches are intended to apply cleanly
    >> >> > to. They don't apply to latest stable.
    >> >>
    >> >> Thomas - can you answer Rich's question?  This is about
    >> >> patches you sent on June 3 to linux-distros, which Kees then
    >> >> saved into an mbox file.
    >>
    Thomas> They should apply cleanly, if all stable tagged futex
    Thomas> patches before that are applied.
    >>
    >> could you please clarify whether
    >>
    >> f0d71b3dcb8332f7971b5f2363632573e6d9486a futex: Prevent attaching
    >> to kernel threads 866293ee54227584ffcb4a42f69c1f365974ba7f futex:
    >> Add another early deadlock detection check

    Greg> As people keep asking me this, I'll respond with, "why
    Greg> wouldn't you apply them"?

    Greg> They are going to be in the next kernel stable releases, along
    Greg> with the other 4 patches, so I recommend them for your custom
    Greg> kernels as well.

Thanks for the reply. I did read your earlier message. To answer your
question: I only apply patches that are absolutely necessary to fix a
known problem. Want to make sure the changed stuff doesn't lead to a
regression somewhere else. Futex stuff is a central component in the
kernel ... I can't judge about any possible side effects from reading
the code ... and this kernel is going on a number of production 
clusters.

Anyway, I've applied all the (2+4) patches to our 3.12. 
"futex: Make lookup_pi_state more robust" needed slight adjustment, but
nothing serious. I'll go and test now. If someone wants the patch set,
let me know. Then I can post it to the list.

Roland

-------
http://www.q-leap.com / http://qlustar.com
          --- HPC / Storage / Cloud Linux Cluster OS ---
Previous By Date Next
Previous By Thread Next

Current thread: