r1901 - in trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian: . patches patches/series
Andres Salomon
dilinger-guest@haydn.debian.org
Wed, 24 Nov 2004 22:27:52 -0700
Author: dilinger-guest
Date: 2004-11-24 22:26:53 -0700 (Wed, 24 Nov 2004)
New Revision: 1901
Added:
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/aout-loader-fixes.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/elf-loader-fixes-the-return.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-3
Log:
* [SECURITY] Further binfmt_elf fixes, and binfmt_aout fixes as well
(Andres Salomon).
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-11-25 05:22:14 UTC (rev 1900)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-11-25 05:26:53 UTC (rev 1901)
@@ -3,6 +3,9 @@
* Include dm_io-ENOMEM-goof patch that was included in final 2.6.8-8
(Andres Salomon).
+ * [SECURITY] Further binfmt_elf fixes, and binfmt_aout fixes as well
+ (Andres Salomon).
+
-- Andres Salomon <dilinger@voxel.net> Thu, 25 Nov 2004 00:20:47 -0500
kernel-source-2.6.9 (2.6.9-2) unstable; urgency=low
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/aout-loader-fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/aout-loader-fixes.dpatch 2004-11-25 05:22:14 UTC (rev 1900)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/aout-loader-fixes.dpatch 2004-11-25 05:26:53 UTC (rev 1901)
@@ -0,0 +1,69 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] a.out: error check on set_brk
+## DP: Patch author: Chris Wright <chrisw@osdl.org>
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/16 17:39:02-08:00 chrisw@osdl.org
+# [PATCH] a.out: error check on set_brk
+#
+# It's possible for do_brk() to fail during set_brk() when exec'ing and
+# a.out. This was noted with Florian's a.out binary and overcommit set to
+# 0.
+#
+# Capture this error and terminate properly.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/binfmt_aout.c
+# 2004/11/11 22:28:58-08:00 chrisw@osdl.org +14 -5
+# a.out: error check on set_brk
+#
+diff -Nru a/fs/binfmt_aout.c b/fs/binfmt_aout.c
+--- a/fs/binfmt_aout.c 2004-11-21 11:38:03 -08:00
++++ b/fs/binfmt_aout.c 2004-11-21 11:38:03 -08:00
+@@ -43,13 +43,18 @@
+ .min_coredump = PAGE_SIZE
+ };
+
+-static void set_brk(unsigned long start, unsigned long end)
++#define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE)
++
++static int set_brk(unsigned long start, unsigned long end)
+ {
+ start = PAGE_ALIGN(start);
+ end = PAGE_ALIGN(end);
+- if (end <= start)
+- return;
+- do_brk(start, end - start);
++ if (end > start) {
++ unsigned long addr = do_brk(start, end - start);
++ if (BAD_ADDR(addr))
++ return addr;
++ }
++ return 0;
+ }
+
+ /*
+@@ -413,7 +418,11 @@
+ beyond_if:
+ set_binfmt(&aout_format);
+
+- set_brk(current->mm->start_brk, current->mm->brk);
++ retval = set_brk(current->mm->start_brk, current->mm->brk);
++ if (retval < 0) {
++ send_sig(SIGKILL, current, 0);
++ return retval;
++ }
+
+ retval = setup_arg_pages(bprm, EXSTACK_DEFAULT);
+ if (retval < 0) {
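Review bot: set_brk is declared to return int but hands back do_brk's unsigned long result unchanged on the `return addr;` line, so the caller's `retval < 0` test only works because the narrowing conversion happens to preserve a small negative errno; make that explicit, `return (int)addr; /* -errno from do_brk */`, so the intent survives any change to do_brk's return convention. The new BAD_ADDR macro looks like a copy of the one in binfmt_elf.c (which I cannot see from here); if the two are meant to agree on `>` versus `>=` TASK_SIZE, a shared definition would keep them from drifting. The SIGKILL before the return in the second hunk is the right shape, since by this point the old image has presumably already been flushed and the process cannot be returned to, but a one-line comment such as `/* past the point of no return: the old image is gone, so the process must die */` would save the next reader from working that out. load_aout_binary's body starts and ends outside the hunk.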
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/elf-loader-fixes-the-return.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/elf-loader-fixes-the-return.dpatch 2004-11-25 05:22:14 UTC (rev 1900)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/elf-loader-fixes-the-return.dpatch 2004-11-25 05:26:53 UTC (rev 1901)
@@ -0,0 +1,53 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] binfmt_elf: handle p_filesz == 0 on PT_INTERP section
+## DP: Patch author: Jakub Jelinek <jakub@redhat.com>
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/16 17:38:30-08:00 chrisw@osdl.org
+# [PATCH] binfmt_elf: handle p_filesz == 0 on PT_INTERP section
+#
+# Jakub Jelinek points out that current fix has an underflow problem
+# if elf_ppnt->p_filesz == 0. Fix that up, and also stop overwriting
+# interpreter buffer, simply check that it's NULL-terminated.
+#
+# From: Jakub Jelinek <jakub@redhat.com>
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/binfmt_elf.c
+# 2004/11/16 11:01:21-08:00 chrisw@osdl.org +5 -2
+# binfmt_elf: handle p_filesz == 0 on PT_INTERP section
+#
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2004-11-21 11:32:30 -08:00
++++ b/fs/binfmt_elf.c 2004-11-21 11:32:30 -08:00
+@@ -576,7 +576,8 @@
+ */
+
+ retval = -ENOMEM;
+- if (elf_ppnt->p_filesz > PATH_MAX)
++ if (elf_ppnt->p_filesz > PATH_MAX ||
++ elf_ppnt->p_filesz == 0)
+ goto out_free_file;
+ elf_interpreter = (char *) kmalloc(elf_ppnt->p_filesz,
+ GFP_KERNEL);
+@@ -592,7 +593,9 @@
+ goto out_free_interp;
+ }
+ /* make sure path is NULL terminated */
+- elf_interpreter[elf_ppnt->p_filesz - 1] = '\0';
++ retval = -EINVAL;
++ if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
++ goto out_free_interp;
+
+ /* If the program interpreter is one of these two,
+ * then assume an iBCS2 image. Otherwise assume
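Review bot: The new size check in the first hunk rejects p_filesz == 0 but still admits p_filesz == 1, where the only byte is the terminator and the interpreter path is the empty string; presumably that fails later when the path is opened, but rejecting it here with `elf_ppnt->p_filesz < 2` is cheaper and clearer. The errno on that path is also off: a zero-length or oversized PT_INTERP is a malformed header rather than an allocation failure, so `retval = -ENOEXEC;` (or -EINVAL, matching the terminator check in the second hunk) fits better than the -ENOMEM set just above it. In the second hunk, the terminator test is only meaningful if the kernel_read just above it (outside this view) filled all p_filesz bytes, because the buffer comes from plain kmalloc and a short read would leave the last byte uninitialized; if that read is only checked for `retval < 0`, its result should be compared against p_filesz as well. The enclosing program-header loop in load_elf_binary starts and ends outside the hunk.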
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-3
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-3 2004-11-25 05:22:14 UTC (rev 1900)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-3 2004-11-25 05:26:53 UTC (rev 1901)
@@ -1 +1,3 @@
+ dm_io-ENOMEM-goof.dpatch
++ elf-loader-fixes-the-return.dpatch
++ aout-loader-fixes.dpatch