Fix for CVE-2018-1120 in 4.4

Fix for CVE-2018-1120 in 4.4

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 889 bytes --]

I've backported changes to fix CVE-2018-1120 (denial of service via
FUSE-backed /proc/PID/cmdline) in 4.4-stable.  See
<https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt>
for an explanation of the issue.

This was already fixed in newer stable branches, but the fix depended
on API changes made in 4.9.  The API changes are fairly straightforward
and should be low risk, so the attached patches include those API
changes.

I verified that the proof-of-concept no longer works after these
changes, and that there were no regressions in the user-copy and vm
self-tests.  I leave it to you to decide whether it's worthwhile to fix
this in 4.4.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

[-- Attachment #2: security-4.4-CVE-2018-1120.mbox --]
[-- Type: application/mbox, Size: 68200 bytes --]

Re: Fix for CVE-2018-1120 in 4.4

[Greg Kroah-Hartman]

On Thu, Dec 13, 2018 at 08:24:24PM +0000, Ben Hutchings wrote:
> I've backported changes to fix CVE-2018-1120 (denial of service via
> FUSE-backed /proc/PID/cmdline)�in 4.4-stable.  See
> <https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt>
> for an explanation of the issue.
> 
> This was already fixed in newer stable branches, but the fix depended
> on API changes made in 4.9.  The API changes are fairly straightforward
> and should be low risk, so the attached patches include those API
> changes.
> 
> I verified that the proof-of-concept no longer works after these
> changes, and that there were no regressions in the user-copy and vm
> self-tests.  I leave it to you to decide whether it's worthwhile to fix
> this in 4.4.

Wow, thanks for this, I never expected to see this happen, nice job.

All now queued up.

greg k-h