r2041 - in trunk/kernel/source: kernel-source-2.6.8-2.6.8/debian kernel-source-2.6.8-2.6.8/debian/patches kernel-source-2.6.8-2.6.8/debian/patches/series kernel-source-2.6.9-2.6.9/debian kernel-source-2.6.9-2.6.9/debian/patches kernel-source-2.6.9-2.6.9/debian/patches/series
Andres Salomon
dilinger-guest@haydn.debian.org
Thu, 23 Dec 2004 21:52:49 -0700
Author: dilinger-guest
Date: 2004-12-23 21:52:44 -0700 (Thu, 23 Dec 2004)
New Revision: 2041
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel_read-result-validation.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/kernel_read-result-validation.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
Log:
* [SECURITY] Fix more kernel_read() problems; results weren't being
validated properly. See
http://seclists.org/lists/bugtraq/2004/Dec/0214.html for additional
details (Andres Salomon).
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-24 00:44:25 UTC (rev 2040)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-24 04:52:44 UTC (rev 2041)
@@ -55,6 +55,11 @@
* Fix Revoltec USB burner problem introduced in 2.6.8. Thanks
to Ian Gulliver. Note to other bug reporters: I accept bribes..
(Andres Salomon) (closes: #285168).
+
+ * [SECURITY] Fix more kernel_read() problems; results weren't being
+ validated properly. See
+ http://seclists.org/lists/bugtraq/2004/Dec/0214.html for additional
+ details (Andres Salomon).
-- dann frazier <dannf@debian.org> Fri, 03 Dec 2004 00:13:41 -0700
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel_read-result-validation.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel_read-result-validation.dpatch 2004-12-24 00:44:25 UTC (rev 2040)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel_read-result-validation.dpatch 2004-12-24 04:52:44 UTC (rev 2041)
@@ -0,0 +1,160 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix incorrect handling of kernel_read() results.
+## DP: Patch author: Andres Salomon <dilinger@voxel.net>
+## DP: Upstream status: not yet submitted
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+Revision: linux-fs--kernel-read-vuln--0--patch-1
+Archive: dilinger@voxel.net--2004-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Thu Dec 23 23:10:11 EST 2004
+Standard-date: 2004-12-24 04:10:11 GMT
+Modified-files: binfmt_em86.c binfmt_misc.c binfmt_script.c
+ compat.c exec.c
+New-patches: dilinger@voxel.net--2004-public/linux-fs--kernel-read-vuln--0--patch-1
+Summary: fix bugs mentioned in advisory
+Keywords:
+
+http://seclists.org/lists/bugtraq/2004/Dec/0214.html
+
+This fixes all 6 places mentioned in the advisory. Most are in binfmt_loader
+callbacks, called from exec::do_execve; they fail w/ -EIO if the kernel_read
+succeeded, but for some reason a short read was done.
+
+
+Revision: linux-fs--kernel-read-vuln--0--patch-2
+Archive: dilinger@voxel.net--2004-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Thu Dec 23 23:33:01 EST 2004
+Standard-date: 2004-12-24 04:33:01 GMT
+Modified-files: binfmt_flat.c
+New-patches: dilinger@voxel.net--2004-public/linux-fs--kernel-read-vuln--0--patch-2
+Summary: fix another place where kernel_read isn't sufficiently checked
+Keywords:
+
+I don't know what was up w/ this original check (checking for a res between
+-4096 and 0, non-inclusive), but it seems.. off. Better to check specifically
+for BINPRM_BUF_SIZE.
+
+--- orig/fs/binfmt_em86.c
++++ mod/fs/binfmt_em86.c
+@@ -89,8 +89,11 @@
+ bprm->file = file;
+
+ retval = prepare_binprm(bprm);
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ return retval;
++ }
+
+ return search_binary_handler(bprm, regs);
+ }
+
+
+--- orig/fs/binfmt_flat.c
++++ mod/fs/binfmt_flat.c
+@@ -780,9 +780,11 @@
+ return res;
+
+ res = prepare_binprm(&bprm);
+-
+- if (res <= (unsigned long)-4096)
++ if (res == BINPRM_BUF_SIZE)
+ res = load_flat_file(&bprm, libs, id, NULL);
++ else if (res >= 0)
++ res = -EIO;
++
+ if (bprm.file) {
+ allow_write_access(bprm.file);
+ fput(bprm.file);
+
+
+--- orig/fs/binfmt_misc.c
++++ mod/fs/binfmt_misc.c
+@@ -195,8 +195,11 @@
+ } else
+ retval = prepare_binprm (bprm);
+
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ goto _error;
++ }
+
+ retval = search_binary_handler (bprm, regs);
+ if (retval < 0)
+
+
+--- orig/fs/binfmt_script.c
++++ mod/fs/binfmt_script.c
+@@ -91,8 +91,11 @@
+
+ bprm->file = file;
+ retval = prepare_binprm(bprm);
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ return retval;
++ }
+ return search_binary_handler(bprm,regs);
+ }
+
+
+
+--- orig/fs/compat.c
++++ mod/fs/compat.c
+@@ -1426,8 +1426,11 @@
+ goto out;
+
+ retval = prepare_binprm(bprm);
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ goto out;
++ }
+
+ retval = copy_strings_kernel(1, &bprm->filename, bprm);
+ if (retval < 0)
+
+
+--- orig/fs/exec.c
++++ mod/fs/exec.c
+@@ -1024,8 +1024,11 @@
+ bprm->file = file;
+ bprm->loader = loader;
+ retval = prepare_binprm(bprm);
+- if (retval<0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ return retval;
++ }
+ /* should call search_binary_handler recursively here,
+ but it does not matter */
+ }
+@@ -1139,8 +1142,11 @@
+ goto out;
+
+ retval = prepare_binprm(bprm);
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ goto out;
++ }
+
+ retval = copy_strings_kernel(1, &bprm->filename, bprm);
+ if (retval < 0)
+
+
+
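Review bot: The new `if (retval != BINPRM_BUF_SIZE)` test in the embedded fs/binfmt_em86.c, binfmt_misc.c, binfmt_script.c, compat.c and exec.c hunks rejects every short read, not only a failed one. prepare_binprm() is not shown here, but if it returns the kernel_read() byte count, as the patch description implies, a valid script or binary smaller than BINPRM_BUF_SIZE would now fail execve with -EIO. It would be safer to keep `if (retval < 0)` as the error test and have each loader verify that the bytes it actually parses were read, or at least to state the assumption in a comment such as `/* files shorter than BINPRM_BUF_SIZE are rejected here */`. In the binfmt_flat.c hunk the declaration of `res` lies outside the hunk; if it is unsigned, `else if (res >= 0)` is always true and would replace a real error code with -EIO. The same embedded patch is added again for kernel-source-2.6.9 further down, so both copies need the same correction.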
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-24 00:44:25 UTC (rev 2040)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-24 04:52:44 UTC (rev 2041)
@@ -19,3 +19,4 @@
+ fix-ip-options-leak.dpatch
+ vt-of-death.dpatch
+ drivers-usb-storage-revoltec.dpatch
++ kernel_read-result-validation.dpatch
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-24 00:44:25 UTC (rev 2040)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-24 04:52:44 UTC (rev 2041)
@@ -61,6 +61,11 @@
to Ian Gulliver. Note to other bug reporters: I accept bribes..
(Andres Salomon) (closes: #285168).
+ * [SECURITY] Fix more kernel_read() problems; results weren't being
+ validated properly. See
+ http://seclists.org/lists/bugtraq/2004/Dec/0214.html for additional
+ details (Andres Salomon).
+
-- dann frazier <dannf@debian.org> Fri, 03 Dec 2004 09:26:52 -0700
kernel-source-2.6.9 (2.6.9-3) unstable; urgency=low
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/kernel_read-result-validation.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/kernel_read-result-validation.dpatch 2004-12-24 00:44:25 UTC (rev 2040)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/kernel_read-result-validation.dpatch 2004-12-24 04:52:44 UTC (rev 2041)
@@ -0,0 +1,160 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix incorrect handling of kernel_read() results.
+## DP: Patch author: Andres Salomon <dilinger@voxel.net>
+## DP: Upstream status: not yet submitted
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+Revision: linux-fs--kernel-read-vuln--0--patch-1
+Archive: dilinger@voxel.net--2004-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Thu Dec 23 23:10:11 EST 2004
+Standard-date: 2004-12-24 04:10:11 GMT
+Modified-files: binfmt_em86.c binfmt_misc.c binfmt_script.c
+ compat.c exec.c
+New-patches: dilinger@voxel.net--2004-public/linux-fs--kernel-read-vuln--0--patch-1
+Summary: fix bugs mentioned in advisory
+Keywords:
+
+http://seclists.org/lists/bugtraq/2004/Dec/0214.html
+
+This fixes all 6 places mentioned in the advisory. Most are in binfmt_loader
+callbacks, called from exec::do_execve; they fail w/ -EIO if the kernel_read
+succeeded, but for some reason a short read was done.
+
+
+Revision: linux-fs--kernel-read-vuln--0--patch-2
+Archive: dilinger@voxel.net--2004-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Thu Dec 23 23:33:01 EST 2004
+Standard-date: 2004-12-24 04:33:01 GMT
+Modified-files: binfmt_flat.c
+New-patches: dilinger@voxel.net--2004-public/linux-fs--kernel-read-vuln--0--patch-2
+Summary: fix another place where kernel_read isn't sufficiently checked
+Keywords:
+
+I don't know what was up w/ this original check (checking for a res between
+-4096 and 0, non-inclusive), but it seems.. off. Better to check specifically
+for BINPRM_BUF_SIZE.
+
+--- orig/fs/binfmt_em86.c
++++ mod/fs/binfmt_em86.c
+@@ -89,8 +89,11 @@
+ bprm->file = file;
+
+ retval = prepare_binprm(bprm);
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ return retval;
++ }
+
+ return search_binary_handler(bprm, regs);
+ }
+
+
+--- orig/fs/binfmt_flat.c
++++ mod/fs/binfmt_flat.c
+@@ -780,9 +780,11 @@
+ return res;
+
+ res = prepare_binprm(&bprm);
+-
+- if (res <= (unsigned long)-4096)
++ if (res == BINPRM_BUF_SIZE)
+ res = load_flat_file(&bprm, libs, id, NULL);
++ else if (res >= 0)
++ res = -EIO;
++
+ if (bprm.file) {
+ allow_write_access(bprm.file);
+ fput(bprm.file);
+
+
+--- orig/fs/binfmt_misc.c
++++ mod/fs/binfmt_misc.c
+@@ -195,8 +195,11 @@
+ } else
+ retval = prepare_binprm (bprm);
+
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ goto _error;
++ }
+
+ retval = search_binary_handler (bprm, regs);
+ if (retval < 0)
+
+
+--- orig/fs/binfmt_script.c
++++ mod/fs/binfmt_script.c
+@@ -91,8 +91,11 @@
+
+ bprm->file = file;
+ retval = prepare_binprm(bprm);
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ return retval;
++ }
+ return search_binary_handler(bprm,regs);
+ }
+
+
+
+--- orig/fs/compat.c
++++ mod/fs/compat.c
+@@ -1426,8 +1426,11 @@
+ goto out;
+
+ retval = prepare_binprm(bprm);
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ goto out;
++ }
+
+ retval = copy_strings_kernel(1, &bprm->filename, bprm);
+ if (retval < 0)
+
+
+--- orig/fs/exec.c
++++ mod/fs/exec.c
+@@ -1024,8 +1024,11 @@
+ bprm->file = file;
+ bprm->loader = loader;
+ retval = prepare_binprm(bprm);
+- if (retval<0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ return retval;
++ }
+ /* should call search_binary_handler recursively here,
+ but it does not matter */
+ }
+@@ -1139,8 +1142,11 @@
+ goto out;
+
+ retval = prepare_binprm(bprm);
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ goto out;
++ }
+
+ retval = copy_strings_kernel(1, &bprm->filename, bprm);
+ if (retval < 0)
+
+
+
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-24 00:44:25 UTC (rev 2040)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-24 04:52:44 UTC (rev 2041)
@@ -20,3 +20,4 @@
+ fix-ip-options-leak.dpatch
+ vt-of-death.dpatch
+ drivers-usb-storage-revoltec.dpatch
++ kernel_read-result-validation.dpatch