r2053 - in trunk/kernel/source: kernel-source-2.6.8-2.6.8/debian kernel-source-2.6.8-2.6.8/debian/patches kernel-source-2.6.8-2.6.8/debian/patches/series kernel-source-2.6.9-2.6.9/debian kernel-source-2.6.9-2.6.9/debian/patches kernel-source-2.6.9-2.6.9/debian/patches/series
Andres Salomon
dilinger-guest@haydn.debian.org
Fri, 24 Dec 2004 16:40:50 -0700
Author: dilinger-guest
Date: 2004-12-24 16:40:33 -0700 (Fri, 24 Dec 2004)
New Revision: 2053
Removed:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel_read-result-validation.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/kernel_read-result-validation.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
Log:
Drop the kernel_read patch; I'm not convinced the advisory is valid, and I can't
think of a way to exploit it.
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-24 22:37:04 UTC (rev 2052)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-24 23:40:33 UTC (rev 2053)
@@ -56,11 +56,6 @@
to Ian Gulliver. Note to other bug reporters: I accept bribes..
(Andres Salomon) (closes: #285168).
- * [SECURITY] Fix more kernel_read() problems; results weren't being
- validated properly. See
- http://seclists.org/lists/bugtraq/2004/Dec/0214.html for additional
- details (Andres Salomon).
-
* [x86_64] Fix nasty little signal bug, where orig_rax was assumed
to be unsigned. Andi Kleen assures me it's not exploitable, but
better to be safe than sorry (Andres Salomon).
Deleted: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel_read-result-validation.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel_read-result-validation.dpatch 2004-12-24 22:37:04 UTC (rev 2052)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kernel_read-result-validation.dpatch 2004-12-24 23:40:33 UTC (rev 2053)
@@ -1,160 +0,0 @@
-#! /bin/sh -e
-## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Description: Fix incorrect handling of kernel_read() results.
-## DP: Patch author: Andres Salomon <dilinger@voxel.net>
-## DP: Upstream status: not yet submitted
-
-. $(dirname $0)/DPATCH
-
-@DPATCH@
-Revision: linux-fs--kernel-read-vuln--0--patch-1
-Archive: dilinger@voxel.net--2004-public
-Creator: Andres Salomon <dilinger@voxel.net>
-Date: Thu Dec 23 23:10:11 EST 2004
-Standard-date: 2004-12-24 04:10:11 GMT
-Modified-files: binfmt_em86.c binfmt_misc.c binfmt_script.c
- compat.c exec.c
-New-patches: dilinger@voxel.net--2004-public/linux-fs--kernel-read-vuln--0--patch-1
-Summary: fix bugs mentioned in advisory
-Keywords:
-
-http://seclists.org/lists/bugtraq/2004/Dec/0214.html
-
-This fixes all 6 places mentioned in the advisory. Most are in binfmt_loader
-callbacks, called from exec::do_execve; they fail w/ -EIO if the kernel_read
-succeeded, but for some reason a short read was done.
-
-
-Revision: linux-fs--kernel-read-vuln--0--patch-2
-Archive: dilinger@voxel.net--2004-public
-Creator: Andres Salomon <dilinger@voxel.net>
-Date: Thu Dec 23 23:33:01 EST 2004
-Standard-date: 2004-12-24 04:33:01 GMT
-Modified-files: binfmt_flat.c
-New-patches: dilinger@voxel.net--2004-public/linux-fs--kernel-read-vuln--0--patch-2
-Summary: fix another place where kernel_read isn't sufficiently checked
-Keywords:
-
-I don't know what was up w/ this original check (checking for a res between
--4096 and 0, non-inclusive), but it seems.. off. Better to check specifically
-for BINPRM_BUF_SIZE.
-
---- orig/fs/binfmt_em86.c
-+++ mod/fs/binfmt_em86.c
-@@ -89,8 +89,11 @@
- bprm->file = file;
-
- retval = prepare_binprm(bprm);
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- return retval;
-+ }
-
- return search_binary_handler(bprm, regs);
- }
-
-
---- orig/fs/binfmt_flat.c
-+++ mod/fs/binfmt_flat.c
-@@ -780,9 +780,11 @@
- return res;
-
- res = prepare_binprm(&bprm);
--
-- if (res <= (unsigned long)-4096)
-+ if (res == BINPRM_BUF_SIZE)
- res = load_flat_file(&bprm, libs, id, NULL);
-+ else if (res >= 0)
-+ res = -EIO;
-+
- if (bprm.file) {
- allow_write_access(bprm.file);
- fput(bprm.file);
-
-
---- orig/fs/binfmt_misc.c
-+++ mod/fs/binfmt_misc.c
-@@ -195,8 +195,11 @@
- } else
- retval = prepare_binprm (bprm);
-
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- goto _error;
-+ }
-
- retval = search_binary_handler (bprm, regs);
- if (retval < 0)
-
-
---- orig/fs/binfmt_script.c
-+++ mod/fs/binfmt_script.c
-@@ -91,8 +91,11 @@
-
- bprm->file = file;
- retval = prepare_binprm(bprm);
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- return retval;
-+ }
- return search_binary_handler(bprm,regs);
- }
-
-
-
---- orig/fs/compat.c
-+++ mod/fs/compat.c
-@@ -1426,8 +1426,11 @@
- goto out;
-
- retval = prepare_binprm(&bprm);
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- goto out;
-+ }
-
- retval = copy_strings_kernel(1, &bprm->filename, &bprm);
- if (retval < 0)
-
-
---- orig/fs/exec.c
-+++ mod/fs/exec.c
-@@ -1024,8 +1024,11 @@
- bprm->file = file;
- bprm->loader = loader;
- retval = prepare_binprm(bprm);
-- if (retval<0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- return retval;
-+ }
- /* should call search_binary_handler recursively here,
- but it does not matter */
- }
-@@ -1139,8 +1142,11 @@
- goto out;
-
- retval = prepare_binprm(&bprm);
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- goto out;
-+ }
-
- retval = copy_strings_kernel(1, &bprm->filename, &bprm);
- if (retval < 0)
-
-
-
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-24 22:37:04 UTC (rev 2052)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-24 23:40:33 UTC (rev 2053)
@@ -19,7 +19,6 @@
+ fix-ip-options-leak.dpatch
+ vt-of-death.dpatch
+ drivers-usb-storage-revoltec.dpatch
-+ kernel_read-result-validation.dpatch
+ arch-x86_64-signal-bug.dpatch
+ powerpc-970fx-support.dpatch
+ powerpc-g5-thermal-management-update.dpatch
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-24 22:37:04 UTC (rev 2052)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-24 23:40:33 UTC (rev 2053)
@@ -61,11 +61,6 @@
to Ian Gulliver. Note to other bug reporters: I accept bribes..
(Andres Salomon) (closes: #285168).
- * [SECURITY] Fix more kernel_read() problems; results weren't being
- validated properly. See
- http://seclists.org/lists/bugtraq/2004/Dec/0214.html for additional
- details (Andres Salomon).
-
* [x86_64] Fix nasty little signal bug, where orig_rax was assumed
to be unsigned. Andi Kleen assures me it's not exploitable, but
better to be safe than sorry (Andres Salomon).
Deleted: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/kernel_read-result-validation.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/kernel_read-result-validation.dpatch 2004-12-24 22:37:04 UTC (rev 2052)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/kernel_read-result-validation.dpatch 2004-12-24 23:40:33 UTC (rev 2053)
@@ -1,160 +0,0 @@
-#! /bin/sh -e
-## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Description: Fix incorrect handling of kernel_read() results.
-## DP: Patch author: Andres Salomon <dilinger@voxel.net>
-## DP: Upstream status: not yet submitted
-
-. $(dirname $0)/DPATCH
-
-@DPATCH@
-Revision: linux-fs--kernel-read-vuln--0--patch-1
-Archive: dilinger@voxel.net--2004-public
-Creator: Andres Salomon <dilinger@voxel.net>
-Date: Thu Dec 23 23:10:11 EST 2004
-Standard-date: 2004-12-24 04:10:11 GMT
-Modified-files: binfmt_em86.c binfmt_misc.c binfmt_script.c
- compat.c exec.c
-New-patches: dilinger@voxel.net--2004-public/linux-fs--kernel-read-vuln--0--patch-1
-Summary: fix bugs mentioned in advisory
-Keywords:
-
-http://seclists.org/lists/bugtraq/2004/Dec/0214.html
-
-This fixes all 6 places mentioned in the advisory. Most are in binfmt_loader
-callbacks, called from exec::do_execve; they fail w/ -EIO if the kernel_read
-succeeded, but for some reason a short read was done.
-
-
-Revision: linux-fs--kernel-read-vuln--0--patch-2
-Archive: dilinger@voxel.net--2004-public
-Creator: Andres Salomon <dilinger@voxel.net>
-Date: Thu Dec 23 23:33:01 EST 2004
-Standard-date: 2004-12-24 04:33:01 GMT
-Modified-files: binfmt_flat.c
-New-patches: dilinger@voxel.net--2004-public/linux-fs--kernel-read-vuln--0--patch-2
-Summary: fix another place where kernel_read isn't sufficiently checked
-Keywords:
-
-I don't know what was up w/ this original check (checking for a res between
--4096 and 0, non-inclusive), but it seems.. off. Better to check specifically
-for BINPRM_BUF_SIZE.
-
---- orig/fs/binfmt_em86.c
-+++ mod/fs/binfmt_em86.c
-@@ -89,8 +89,11 @@
- bprm->file = file;
-
- retval = prepare_binprm(bprm);
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- return retval;
-+ }
-
- return search_binary_handler(bprm, regs);
- }
-
-
---- orig/fs/binfmt_flat.c
-+++ mod/fs/binfmt_flat.c
-@@ -780,9 +780,11 @@
- return res;
-
- res = prepare_binprm(&bprm);
--
-- if (res <= (unsigned long)-4096)
-+ if (res == BINPRM_BUF_SIZE)
- res = load_flat_file(&bprm, libs, id, NULL);
-+ else if (res >= 0)
-+ res = -EIO;
-+
- if (bprm.file) {
- allow_write_access(bprm.file);
- fput(bprm.file);
-
-
---- orig/fs/binfmt_misc.c
-+++ mod/fs/binfmt_misc.c
-@@ -195,8 +195,11 @@
- } else
- retval = prepare_binprm (bprm);
-
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- goto _error;
-+ }
-
- retval = search_binary_handler (bprm, regs);
- if (retval < 0)
-
-
---- orig/fs/binfmt_script.c
-+++ mod/fs/binfmt_script.c
-@@ -91,8 +91,11 @@
-
- bprm->file = file;
- retval = prepare_binprm(bprm);
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- return retval;
-+ }
- return search_binary_handler(bprm,regs);
- }
-
-
-
---- orig/fs/compat.c
-+++ mod/fs/compat.c
-@@ -1426,8 +1426,11 @@
- goto out;
-
- retval = prepare_binprm(bprm);
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- goto out;
-+ }
-
- retval = copy_strings_kernel(1, &bprm->filename, bprm);
- if (retval < 0)
-
-
---- orig/fs/exec.c
-+++ mod/fs/exec.c
-@@ -1024,8 +1024,11 @@
- bprm->file = file;
- bprm->loader = loader;
- retval = prepare_binprm(bprm);
-- if (retval<0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- return retval;
-+ }
- /* should call search_binary_handler recursively here,
- but it does not matter */
- }
-@@ -1139,8 +1142,11 @@
- goto out;
-
- retval = prepare_binprm(bprm);
-- if (retval < 0)
-+ if (retval != BINPRM_BUF_SIZE) {
-+ if (retval >= 0)
-+ retval = -EIO;
- goto out;
-+ }
-
- retval = copy_strings_kernel(1, &bprm->filename, bprm);
- if (retval < 0)
-
-
-
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-24 22:37:04 UTC (rev 2052)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-24 23:40:33 UTC (rev 2053)
@@ -20,5 +20,4 @@
+ fix-ip-options-leak.dpatch
+ vt-of-death.dpatch
+ drivers-usb-storage-revoltec.dpatch
-+ kernel_read-result-validation.dpatch
+ arch-x86_64-signal-bug.dpatch