r1979 - in trunk/kernel/source: kernel-source-2.6.8-2.6.8/debian kernel-source-2.6.8-2.6.8/debian/patches kernel-source-2.6.8-2.6.8/debian/patches/series kernel-source-2.6.9-2.6.9/debian kernel-source-2.6.9-2.6.9/debian/patches kernel-source-2.6.9-2.6.9/debian/patches/series
Andres Salomon
dilinger-guest@haydn.debian.org
Mon, 06 Dec 2004 09:34:34 -0700
Author: dilinger-guest
Date: 2004-12-06 09:33:28 -0700 (Mon, 06 Dec 2004)
New Revision: 1979
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-sys32_ni-overflow.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/arch-x86_64-sys32_ni-overflow.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
Log:
* [SECURITY] Fix buffer overrun in x86_64's sys32_ni_syscall
(Andres Salomon).
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-06 11:27:04 UTC (rev 1978)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-06 16:33:28 UTC (rev 1979)
@@ -16,6 +16,9 @@
* Delay registration of HCDP described UARTs, fixing the PDH console
on HP rx1600s (dann frazier).
+ * [SECURITY] Fix buffer overrun in x86_64's sys32_ni_syscall
+ (Andres Salomon).
+
-- dann frazier <dannf@debian.org> Fri, 03 Dec 2004 00:13:41 -0700
kernel-source-2.6.8 (2.6.8-10) unstable; urgency=high
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-sys32_ni-overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-sys32_ni-overflow.dpatch 2004-12-06 11:27:04 UTC (rev 1978)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-x86_64-sys32_ni-overflow.dpatch 2004-12-06 16:33:28 UTC (rev 1979)
@@ -0,0 +1,70 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
+## DP: Patch author: Jeremy Fitzhardinge <jeremy@goop.org>, Chris Wright <chrisw@osdl.org>
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/01 17:08:01-08:00 jeremy@goop.org
+# [PATCH] Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
+#
+# With Chris Wright <chrisw@osdl.org>
+#
+# struct task_struct.comm is defined to be 16 chars, but
+# arch/x86_64/sys_ia32.c:sys32_ni_syscall() and sys32_vm86_warning() copy it
+# into a static 8 byte buffer, which will surely cause problems. This patch
+# makes lastcomm[] the right size, and makes sure it can't be overrun. Since
+# the code also goes to the effort of getting a local copy of current in "me",
+# we may as well use it for printing the message.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# arch/x86_64/ia32/sys_ia32.c
+# 2004/12/01 00:13:46-08:00 jeremy@goop.org +9 -8
+# Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
+#
+diff -Nru a/arch/x86_64/ia32/sys_ia32.c b/arch/x86_64/ia32/sys_ia32.c
+--- a/arch/x86_64/ia32/sys_ia32.c 2004-12-06 08:23:41 -08:00
++++ b/arch/x86_64/ia32/sys_ia32.c 2004-12-06 08:23:41 -08:00
+@@ -525,11 +525,12 @@
+ int sys32_ni_syscall(int call)
+ {
+ struct task_struct *me = current;
+- static char lastcomm[8];
+- if (strcmp(lastcomm, me->comm)) {
+- printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
+- current->comm);
+- strcpy(lastcomm, me->comm);
++ static char lastcomm[sizeof(me->comm)];
++
++ if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
++ printk(KERN_INFO "IA32 syscall %d from %s not implemented\n",
++ call, me->comm);
++ strncpy(lastcomm, me->comm, sizeof(lastcomm));
+ }
+ return -ENOSYS;
+ }
+@@ -1125,11 +1126,11 @@
+ long sys32_vm86_warning(void)
+ {
+ struct task_struct *me = current;
+- static char lastcomm[8];
+- if (strcmp(lastcomm, me->comm)) {
++ static char lastcomm[sizeof(me->comm)];
++ if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
+ printk(KERN_INFO "%s: vm86 mode not supported on 64 bit kernel\n",
+ me->comm);
+- strcpy(lastcomm, me->comm);
++ strncpy(lastcomm, me->comm, sizeof(lastcomm));
+ }
+ return -ENOSYS;
+ }
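Review bot: In the embedded sys_ia32.c patch, `strncpy(lastcomm, me->comm, sizeof(lastcomm))` in both sys32_ni_syscall() and sys32_vm86_warning() leaves lastcomm without a terminating NUL if the source ever fills all sizeof(me->comm) bytes. The code stays in bounds only because the one read of lastcomm visible here is the equally bounded strncmp(). Either record that invariant above the declaration, e.g. `/* lastcomm may be unterminated; only read via strncmp(..., sizeof(lastcomm)) */`, or use `strlcpy(lastcomm, me->comm, sizeof(lastcomm));` so termination does not depend on how me->comm was filled. lastcomm is also a function-static written with no locking visible in the hunk, so the de-duplication is best-effort and the printk() has no other rate limit; a `printk_ratelimit()` guard would bound log volume. The identical dpatch added for kernel-source-2.6.9 carries the same points, and the template line `## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>` is left unfilled in both copies.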
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-06 11:27:04 UTC (rev 1978)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-06 16:33:28 UTC (rev 1979)
@@ -3,3 +3,4 @@
+ mark-vmio.dpatch
+ unix-serialize-dgram.dpatch
+ drivers-firmware-pcdp-register.dpatch
++ arch-x86_64-sys32_ni-overflow.dpatch
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-06 11:27:04 UTC (rev 1978)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-06 16:33:28 UTC (rev 1979)
@@ -21,6 +21,9 @@
* Delay registration of HCDP described UARTs, fixing the PDH console
on HP rx1600s (merged patch from k-s 2.6.8) (dann frazier).
+ * [SECURITY] Fix buffer overrun in x86_64's sys32_ni_syscall
+ (Andres Salomon).
+
-- dann frazier <dannf@debian.org> Fri, 03 Dec 2004 09:26:52 -0700
kernel-source-2.6.9 (2.6.9-3) unstable; urgency=low
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/arch-x86_64-sys32_ni-overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/arch-x86_64-sys32_ni-overflow.dpatch 2004-12-06 11:27:04 UTC (rev 1978)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/arch-x86_64-sys32_ni-overflow.dpatch 2004-12-06 16:33:28 UTC (rev 1979)
@@ -0,0 +1,70 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
+## DP: Patch author: Jeremy Fitzhardinge <jeremy@goop.org>, Chris Wright <chrisw@osdl.org>
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/01 17:08:01-08:00 jeremy@goop.org
+# [PATCH] Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
+#
+# With Chris Wright <chrisw@osdl.org>
+#
+# struct task_struct.comm is defined to be 16 chars, but
+# arch/x86_64/sys_ia32.c:sys32_ni_syscall() and sys32_vm86_warning() copy it
+# into a static 8 byte buffer, which will surely cause problems. This patch
+# makes lastcomm[] the right size, and makes sure it can't be overrun. Since
+# the code also goes to the effort of getting a local copy of current in "me",
+# we may as well use it for printing the message.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# arch/x86_64/ia32/sys_ia32.c
+# 2004/12/01 00:13:46-08:00 jeremy@goop.org +9 -8
+# Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
+#
+diff -Nru a/arch/x86_64/ia32/sys_ia32.c b/arch/x86_64/ia32/sys_ia32.c
+--- a/arch/x86_64/ia32/sys_ia32.c 2004-12-06 08:23:41 -08:00
++++ b/arch/x86_64/ia32/sys_ia32.c 2004-12-06 08:23:41 -08:00
+@@ -525,11 +525,12 @@
+ int sys32_ni_syscall(int call)
+ {
+ struct task_struct *me = current;
+- static char lastcomm[8];
+- if (strcmp(lastcomm, me->comm)) {
+- printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
+- current->comm);
+- strcpy(lastcomm, me->comm);
++ static char lastcomm[sizeof(me->comm)];
++
++ if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
++ printk(KERN_INFO "IA32 syscall %d from %s not implemented\n",
++ call, me->comm);
++ strncpy(lastcomm, me->comm, sizeof(lastcomm));
+ }
+ return -ENOSYS;
+ }
+@@ -1125,11 +1126,11 @@
+ long sys32_vm86_warning(void)
+ {
+ struct task_struct *me = current;
+- static char lastcomm[8];
+- if (strcmp(lastcomm, me->comm)) {
++ static char lastcomm[sizeof(me->comm)];
++ if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
+ printk(KERN_INFO "%s: vm86 mode not supported on 64 bit kernel\n",
+ me->comm);
+- strcpy(lastcomm, me->comm);
++ strncpy(lastcomm, me->comm, sizeof(lastcomm));
+ }
+ return -ENOSYS;
+ }
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-06 11:27:04 UTC (rev 1978)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-06 16:33:28 UTC (rev 1979)
@@ -4,3 +4,4 @@
+ mark-vmio.dpatch
+ unix-serialize-dgram.dpatch
+ drivers-firmware-pcdp-register.dpatch
++ arch-x86_64-sys32_ni-overflow.dpatch