[kernel-sec-discuss] r1026 - active
dannf at alioth.debian.org
dannf at alioth.debian.org
Thu Nov 22 18:13:03 UTC 2007
Author: dannf
Date: 2007-11-22 18:13:03 +0000 (Thu, 22 Nov 2007)
New Revision: 1026
Removed:
active/CVE-2005-1265.patch
active/CVE-2007-0958.patch
Log:
these patches can be found elsewhere
Deleted: active/CVE-2005-1265.patch
===================================================================
--- active/CVE-2005-1265.patch 2007-11-22 18:10:37 UTC (rev 1025)
+++ active/CVE-2005-1265.patch 2007-11-22 18:13:03 UTC (rev 1026)
@@ -1,98 +0,0 @@
-diff -urN x/include/linux/err.h y/include/linux/err.h
---- x/include/linux/err.h 2004-08-24 17:19:18.000000000 +1000
-+++ y/include/linux/err.h 2005-05-20 18:38:34.000000000 +1000
-@@ -11,6 +11,89 @@
- * This should be a per-architecture thing, to allow different
- * error and pointer decisions.
- */
-+#define IS_ERR_VALUE(x) ((x) > (unsigned long)-1000L)
-+
- static inline void *ERR_PTR(long error)
- {
- return (void *) error;
-@@ -23,7 +25,79 @@
-
- static inline long IS_ERR(const void *ptr)
- {
-- return (unsigned long)ptr > (unsigned long)-1000L;
-+ return IS_ERR_VALUE((unsigned long)ptr);
- }
-
- #endif /* _LINUX_ERR_H */
-diff -urN x/mm/mmap.c y/mm/mmap.c
---- x/mm/mmap.c 2005-05-19 20:54:12.000000000 +1000
-+++ y/mm/mmap.c 2005-05-20 18:39:23.000000000 +1000
-@@ -1076,37 +1076,40 @@
- get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
- unsigned long pgoff, unsigned long flags)
- {
-- if (flags & MAP_FIXED) {
-- unsigned long ret;
-+ unsigned long ret;
-
-- if (addr > TASK_SIZE - len)
-- return -ENOMEM;
-- if (addr & ~PAGE_MASK)
-- return -EINVAL;
-- if (file && is_file_hugepages(file)) {
-- /*
-- * Check if the given range is hugepage aligned, and
-- * can be made suitable for hugepages.
-- */
-- ret = prepare_hugepage_range(addr, len);
-- } else {
-- /*
-- * Ensure that a normal request is not falling in a
-- * reserved hugepage range. For some archs like IA-64,
-- * there is a separate region for hugepages.
-- */
-- ret = is_hugepage_only_range(addr, len);
-- }
-- if (ret)
-- return -EINVAL;
-- return addr;
-- }
-+ if (!(flags & MAP_FIXED)) {
-+ unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
-
-- if (file && file->f_op && file->f_op->get_unmapped_area)
-- return file->f_op->get_unmapped_area(file, addr, len,
-- pgoff, flags);
-+ get_area = arch_get_unmapped_area;
-+ if (file && file->f_op && file->f_op->get_unmapped_area)
-+ get_area = file->f_op->get_unmapped_area;
-+ addr = get_area(file, addr, len, pgoff, flags);
-+ if (IS_ERR_VALUE(addr))
-+ return addr;
-+ }
-
-- return arch_get_unmapped_area(file, addr, len, pgoff, flags);
-+ if (addr > TASK_SIZE - len)
-+ return -ENOMEM;
-+ if (addr & ~PAGE_MASK)
-+ return -EINVAL;
-+ if (file && is_file_hugepages(file)) {
-+ /*
-+ * Check if the given range is hugepage aligned, and
-+ * can be made suitable for hugepages.
-+ */
-+ ret = prepare_hugepage_range(addr, len);
-+ } else {
-+ /*
-+ * Ensure that a normal request is not falling in a
-+ * reserved hugepage range. For some archs like IA-64,
-+ * there is a separate region for hugepages.
-+ */
-+ ret = is_hugepage_only_range(addr, len);
-+ }
-+ if (ret)
-+ return -EINVAL;
-+ return addr;
- }
-
- EXPORT_SYMBOL(get_unmapped_area);
-
-
-
-
-
Deleted: active/CVE-2007-0958.patch
===================================================================
--- active/CVE-2007-0958.patch 2007-11-22 18:10:37 UTC (rev 1025)
+++ active/CVE-2007-0958.patch 2007-11-22 18:13:03 UTC (rev 1026)
@@ -1,67 +0,0 @@
-commit 1fb844961818ce94e782acf6a96b92dc2303553b
-Author: Alexey Dobriyan <adobriyan at openvz.org>
-Date: Fri Jan 26 00:57:16 2007 -0800
-
- [PATCH] core-dumping unreadable binaries via PT_INTERP
-
- Proposed patch to fix #5 in
- http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
- aka
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073
-
- To reproduce, do
- * grab poc at the end of advisory.
- * add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
- where first "4096" is something equal to or greater than 4096.
- * ./poc /usr/bin/sudo && ls -l
-
- Here I get with 2.6.20-rc5:
-
- -rw------- 1 ad ad 102400 2007-01-15 19:17 core
- ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
-
- Check for MAY_READ like binfmt_misc.c does.
-
- Signed-off-by: Alexey Dobriyan <adobriyan at openvz.org>
- Signed-off-by: Andrew Morton <akpm at osdl.org>
- Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-
-diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 90461f4..669dbe5 100644
---- a/fs/binfmt_elf.c
-+++ b/fs/binfmt_elf.c
-@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
- retval = PTR_ERR(interpreter);
- if (IS_ERR(interpreter))
- goto out_free_interp;
-+
-+ /*
-+ * If the binary is not readable then enforce
-+ * mm->dumpable = 0 regardless of the interpreter's
-+ * permissions.
-+ */
-+ if (file_permission(interpreter, MAY_READ) < 0)
-+ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
-+
- retval = kernel_read(interpreter, 0, bprm->buf,
- BINPRM_BUF_SIZE);
- if (retval != BINPRM_BUF_SIZE) {
-diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
-index 6e6d456..a4d933a 100644
---- a/fs/binfmt_elf_fdpic.c
-+++ b/fs/binfmt_elf_fdpic.c
-@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm,
- goto error;
- }
-
-+ /*
-+ * If the binary is not readable then enforce
-+ * mm->dumpable = 0 regardless of the interpreter's
-+ * permissions.
-+ */
-+ if (file_permission(interpreter, MAY_READ) < 0)
-+ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
-+
- retval = kernel_read(interpreter, 0, bprm->buf,
- BINPRM_BUF_SIZE);
- if (retval < 0)