r2515 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Joshua Kwan
joshk@costa.debian.org
Thu, 17 Feb 2005 22:47:36 +0100
Author: joshk
Date: 2005-02-17 22:47:35 +0100 (Thu, 17 Feb 2005)
New Revision: 2515
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/138_amd64_syscall_vuln.diff
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
Log:
[CAN-2004-1144] fix the "int 0x80 hole" that allowed overflow of the system call table.
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-02-17 21:07:02 UTC (rev 2514)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-02-17 21:47:35 UTC (rev 2515)
@@ -17,12 +17,15 @@
* 136_vc_resizing_overflow.diff: [CAN-2004-1333] make sure VC resizing
fits in 16 bits. (Joshua Kwan)
-
+
* 137_io_edgeport_overflow.diff: [CAN-2004-1017] fix buffer overflow
(underflow, really) that opens multiple attack vectors. (Joshua Kwan)
- -- Joshua Kwan <joshk@triplehelix.org> Thu, 17 Feb 2005 13:05:11 -0800
+ * 138_amd64_syscall_vuln.diff: [CAN-2004--1144] fix the "int 0x80 hole"
+ that allowed overflow of the system call table. (Joshua Kwan)
+ -- Joshua Kwan <joshk@triplehelix.org> Thu, 17 Feb 2005 13:47:09 -0800
+
kernel-source-2.4.27 (2.4.27-8) unstable; urgency=high
* add dh_fixperms to the build targets to kernel-patch-debian-2.4.27
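Review bot: The candidate id in the added 138_amd64_syscall_vuln.diff changelog entry is written "CAN-2004--1144" with a doubled hyphen, while the header of the patch it describes uses CAN-2004-1144, so a search of the changelog for that id will miss this entry. Suggest correcting it to "[CAN-2004-1144]". The "-"/"+" pair on the blank line after the 136 entry is a whitespace-only change and can be dropped from this commit.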
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/138_amd64_syscall_vuln.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/138_amd64_syscall_vuln.diff 2005-02-17 21:07:02 UTC (rev 2514)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/138_amd64_syscall_vuln.diff 2005-02-17 21:47:35 UTC (rev 2515)
@@ -0,0 +1,48 @@
+# origin: bk
+# key: 41c99a1b0Mgp_RcIoFWHphM-9yAoxg (linux-2.4)
+# description: fix the int 0x80 local root hole
+# inclusion: 2.4.29 (backport)
+# revision date: 2005-02-17
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/22 14:00:27-02:00 ak@suse.de
+# [PATCH] [CAN-2004-1144] Fix int 0x80 hole in 2.4 x86-64 linux kernels
+#
+# Petr Vandrovec discovered an exploitable root hole on all 2.4 x86-64 kernels.
+# The problem occurs because the eax register on the 32bit int 0x80 syscall
+# handler is not properly 64bit zero extended, which can be used to overflow the
+# system call table.
+#
+# The problem only occurs on 2.4 x86-64 kernels, 2.6 doesn't have this
+# hole because some unrelated changes in 2.5 fixed it as a side effect.
+#
+# Marcelo should be releasing a new pre* kernel with this fix
+# shortly, there should be also update kernel from the various
+# linux distributions.
+#
+# It is recommended that everybody who runs a 2.4 x86-64 kernel with
+# shell user access updates to a kernel which has this patch applied.
+#
+# Patch is for 2.4.29pre2, but should apply to pretty much any
+# 2.4.x x86-64 kernel.
+#
+# -Andi
+# TAG: v2.4.29-pre3
+#
+# arch/x86_64/ia32/ia32entry.S
+# 2004/12/22 15:49:05-02:00 ak@suse.de +1 -0
+# [CAN-2004-1144] Fix int 0x80 hole in 2.4 x86-64 linux kernels
+#
+diff -Nru a/arch/x86_64/ia32/ia32entry.S b/arch/x86_64/ia32/ia32entry.S
+--- a/arch/x86_64/ia32/ia32entry.S 2005-02-17 13:46:20 -08:00
++++ b/arch/x86_64/ia32/ia32entry.S 2005-02-17 13:46:20 -08:00
+@@ -52,6 +52,7 @@
+ ENTRY(ia32_syscall)
+ swapgs
+ sti
++ movl %eax,%eax
+ pushq %rax
+ cld
+ SAVE_ARGS
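Review bot: The added "movl %eax,%eax" at the top of ENTRY(ia32_syscall) carries no comment in the source, and on its own it reads as a no-op that a later cleanup could remove. The reason for it exists only in the patch header: a 32-bit register move on x86-64 clears the upper 32 bits of %rax, so the value saved by the following "pushq %rax" is the zero-extended syscall number rather than whatever the caller left in the high half, which the header describes as the way to overflow the system call table. Suggest an inline comment on that line, for example "/* zero extend eax: upper 32 bits of rax are caller-controlled */", so the fix documents itself in ia32entry.S.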
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-02-17 21:07:02 UTC (rev 2514)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-02-17 21:47:35 UTC (rev 2515)
@@ -2,3 +2,4 @@
+ 135_fix_ip_options_leak.diff
+ 136_vc_resizing_overflow.diff
+ 137_io_edgeport_overflow.diff
++ 138_amd64_syscall_vuln.diff