r1993 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf@haydn.debian.org
Mon, 13 Dec 2004 21:14:47 -0700


Author: dannf
Date: 2004-12-13 21:14:24 -0700 (Mon, 13 Dec 2004)
New Revision: 1993

Added:
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/114-binfmt_aout-CAN-2004-1074.diff
Modified:
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-7
Log:
add fix for CAN-2004-1074 to 2.4.27

Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	2004-12-14 03:29:10 UTC (rev 1992)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	2004-12-14 04:14:24 UTC (rev 1993)
@@ -2,8 +2,10 @@
 
   * Security: Add missing serialization to unix_dgram_recvmsg() which otherwise
     could lead to elevated previleges (CAN-2004-1068) (dann frazier)
+  * Security: Fix a potential oops using a malformed a.out binary
+    (CAN-2004-1074) (dann frazier)
 
- -- dann frazier <dannf@debian.org>  Mon, 13 Dec 2004 20:24:20 -0700
+ -- dann frazier <dannf@debian.org>  Mon, 13 Dec 2004 21:07:48 -0700
 
 kernel-source-2.4.27 (2.4.27-6) unstable; urgency=low
 

Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/114-binfmt_aout-CAN-2004-1074.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/114-binfmt_aout-CAN-2004-1074.diff	2004-12-14 03:29:10 UTC (rev 1992)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/114-binfmt_aout-CAN-2004-1074.diff	2004-12-14 04:14:24 UTC (rev 1993)
@@ -0,0 +1,71 @@
+# origin: backport from 2.6
+# inclusion: not yet in 2.4 bk, but it is expected to be added
+# description: [SECURITY] a.out oops fix
+# revision date: 2004.11.12
+
+- Don't insert overlapping region in setup_arg_pages().
+- Error check on do_brk() when setting up bss in a.out().
+
+===== fs/exec.c 1.35 vs edited =====
+--- 1.35/fs/exec.c	2004-04-15 10:44:45 -07:00
++++ edited/fs/exec.c	2004-11-12 12:02:40 -08:00
+@@ -342,6 +342,7 @@ int setup_arg_pages(struct linux_binprm 
+ 	
+ 	down_write(&current->mm->mmap_sem);
+ 	{
++		struct vm_area_struct *vma;
+ 		mpnt->vm_mm = current->mm;
+ 		mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+ 		mpnt->vm_end = STACK_TOP;
+@@ -351,6 +352,12 @@ int setup_arg_pages(struct linux_binprm 
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
++		vma = find_vma(current->mm, mpnt->vm_start);
++		if (vma) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return -ENOMEM;
++		}
+ 		insert_vm_struct(current->mm, mpnt);
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+===== fs/binfmt_aout.c 1.8 vs edited =====
+--- 1.8/fs/binfmt_aout.c	2002-02-04 23:54:04 -08:00
++++ edited/fs/binfmt_aout.c	2004-11-12 11:55:14 -08:00
+@@ -39,13 +39,18 @@ static struct linux_binfmt aout_format =
+ 	NULL, THIS_MODULE, load_aout_binary, load_aout_library, aout_core_dump, PAGE_SIZE
+ };
+ 
+-static void set_brk(unsigned long start, unsigned long end)
++#define BAD_ADDR(x)	((unsigned long)(x) >= TASK_SIZE)
++
++static int set_brk(unsigned long start, unsigned long end)
+ {
+ 	start = PAGE_ALIGN(start);
+ 	end = PAGE_ALIGN(end);
+-	if (end <= start)
+-		return;
+-	do_brk(start, end - start);
++	if (end > start) {
++		unsigned long addr = do_brk(start, end - start);
++		if (BAD_ADDR(addr))
++			return addr;
++	}
++	return 0;
+ }
+ 
+ /*
+@@ -405,7 +410,11 @@ static int load_aout_binary(struct linux
+ beyond_if:
+ 	set_binfmt(&aout_format);
+ 
+-	set_brk(current->mm->start_brk, current->mm->brk);
++	retval = set_brk(current->mm->start_brk, current->mm->brk);
++	if (retval < 0) {
++		send_sig(SIGKILL, current, 0);
++		return retval;
++	}
+ 
+ 	retval = setup_arg_pages(bprm); 
+ 	if (retval < 0) { 
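Review bot: In the new set_brk(), `return addr;` pushes an `unsigned long` that BAD_ADDR() has just shown to be >= TASK_SIZE through an `int` return type, and the caller's `if (retval < 0)` in load_aout_binary only catches the failure because the -errno value do_brk() hands back happens to truncate to a negative int (an implementation-defined conversion that is fine on the kernel's two's-complement targets, but invisible to a reader). Making that explicit avoids a later "fix" of the sign mismatch: `return (int)addr;	/* -errno from do_brk(); BAD_ADDR() rejects real addresses */`, and a one-line comment above BAD_ADDR saying it also catches the -errno encodings do_brk() returns would document the convention the whole patch relies on. The other do_brk() calls earlier in load_aout_binary (OMAGIC and non-mmap text/data setup) lie outside this hunk and presumably remain unchecked; worth confirming in the backport since set_brk() only covers the bss. Both set_brk()'s caller and setup_arg_pages() start and end outside the hunks shown.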

Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-7
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-7	2004-12-14 03:29:10 UTC (rev 1992)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-7	2004-12-14 04:14:24 UTC (rev 1993)
@@ -1 +1,2 @@
 + 113-unix-serialization.diff
++ 114-binfmt_aout-CAN-2004-1074.diff