r2165 - in trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian: . patches patches/series
maks andries
maks-guest@costa.debian.org
Fri, 07 Jan 2005 15:16:11 +0100
Author: maks-guest
Date: 2005-01-07 15:16:09 +0100 (Fri, 07 Jan 2005)
New Revision: 2165
Added:
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/sec_brk-locked.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-5
Log:
add brk-locked patch to 2.6.9
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2005-01-07 14:11:39 UTC (rev 2164)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2005-01-07 14:16:09 UTC (rev 2165)
@@ -20,6 +20,9 @@
to ensure that the permissions of the files in this package are
sensible. (See: Bug#288279) (Simon Horman)
+ * [SECURITY] Fix vulnerability in the ELF loader code allowing
+ local attacker to execute code as root. (Maximilian Attems)
+
-- Simon Horman <horms@debian.org> Fri, 7 Jan 2005 15:07:39 +0900
kernel-source-2.6.9 (2.6.9-4) unstable; urgency=low
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/sec_brk-locked.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/sec_brk-locked.dpatch 2005-01-07 14:11:39 UTC (rev 2164)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/sec_brk-locked.dpatch 2005-01-07 14:16:09 UTC (rev 2165)
@@ -0,0 +1,227 @@
+#! /bin/sh -e
+## DP: Description: elf-loader root exploit
+## DP: Patch author: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+## DP: Upstream status: not yet merged
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -urNad linux-source-2.6.10-2.6.10/arch/mips/kernel/irixelf.c /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/arch/mips/kernel/irixelf.c
+--- linux-source-2.6.10-2.6.10/arch/mips/kernel/irixelf.c 2004-12-24 22:35:50.000000000 +0100
++++ /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/arch/mips/kernel/irixelf.c 2005-01-06 11:56:53.055898736 +0100
+@@ -127,7 +127,7 @@
+ end = PAGE_ALIGN(end);
+ if (end <= start)
+ return;
+- do_brk(start, end - start);
++ do_brk_locked(start, end - start);
+ }
+
+
+diff -urNad linux-source-2.6.10-2.6.10/arch/x86_64/ia32/ia32_aout.c /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/arch/x86_64/ia32/ia32_aout.c
+--- linux-source-2.6.10-2.6.10/arch/x86_64/ia32/ia32_aout.c 2004-12-24 22:35:40.000000000 +0100
++++ /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/arch/x86_64/ia32/ia32_aout.c 2005-01-06 11:56:53.058898280 +0100
+@@ -113,7 +113,7 @@
+ end = PAGE_ALIGN(end);
+ if (end <= start)
+ return;
+- do_brk(start, end - start);
++ do_brk_locked(start, end - start);
+ }
+
+ #if CORE_DUMP
+@@ -323,7 +323,7 @@
+ pos = 32;
+ map_size = ex.a_text+ex.a_data;
+
+- error = do_brk(text_addr & PAGE_MASK, map_size);
++ error = do_brk_locked(text_addr & PAGE_MASK, map_size);
+ if (error != (text_addr & PAGE_MASK)) {
+ send_sig(SIGKILL, current, 0);
+ return error;
+@@ -359,7 +359,7 @@
+
+ if (!bprm->file->f_op->mmap||((fd_offset & ~PAGE_MASK) != 0)) {
+ loff_t pos = fd_offset;
+- do_brk(N_TXTADDR(ex), ex.a_text+ex.a_data);
++ do_brk_locked(N_TXTADDR(ex), ex.a_text+ex.a_data);
+ bprm->file->f_op->read(bprm->file,(char *)N_TXTADDR(ex),
+ ex.a_text+ex.a_data, &pos);
+ flush_icache_range((unsigned long) N_TXTADDR(ex),
+@@ -468,7 +468,7 @@
+ }
+ #endif
+
+- do_brk(start_addr, ex.a_text + ex.a_data + ex.a_bss);
++ do_brk_locked(start_addr, ex.a_text + ex.a_data + ex.a_bss);
+
+ file->f_op->read(file, (char *)start_addr,
+ ex.a_text + ex.a_data, &pos);
+@@ -492,7 +492,7 @@
+ len = PAGE_ALIGN(ex.a_text + ex.a_data);
+ bss = ex.a_text + ex.a_data + ex.a_bss;
+ if (bss > len) {
+- error = do_brk(start_addr + len, bss - len);
++ error = do_brk_locked(start_addr + len, bss - len);
+ retval = error;
+ if (error != start_addr + len)
+ goto out;
+diff -urNad linux-source-2.6.10-2.6.10/fs/binfmt_aout.c /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/fs/binfmt_aout.c
+--- linux-source-2.6.10-2.6.10/fs/binfmt_aout.c 2004-12-24 22:35:50.000000000 +0100
++++ /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/fs/binfmt_aout.c 2005-01-06 11:56:53.059898128 +0100
+@@ -50,7 +50,7 @@
+ start = PAGE_ALIGN(start);
+ end = PAGE_ALIGN(end);
+ if (end > start) {
+- unsigned long addr = do_brk(start, end - start);
++ unsigned long addr = do_brk_locked(start, end - start);
+ if (BAD_ADDR(addr))
+ return addr;
+ }
+@@ -323,10 +323,10 @@
+ loff_t pos = fd_offset;
+ /* Fuck me plenty... */
+ /* <AOL></AOL> */
+- error = do_brk(N_TXTADDR(ex), ex.a_text);
++ error = do_brk_locked(N_TXTADDR(ex), ex.a_text);
+ bprm->file->f_op->read(bprm->file, (char *) N_TXTADDR(ex),
+ ex.a_text, &pos);
+- error = do_brk(N_DATADDR(ex), ex.a_data);
++ error = do_brk_locked(N_DATADDR(ex), ex.a_data);
+ bprm->file->f_op->read(bprm->file, (char *) N_DATADDR(ex),
+ ex.a_data, &pos);
+ goto beyond_if;
+@@ -347,7 +347,7 @@
+ map_size = ex.a_text+ex.a_data;
+ #endif
+
+- error = do_brk(text_addr & PAGE_MASK, map_size);
++ error = do_brk_locked(text_addr & PAGE_MASK, map_size);
+ if (error != (text_addr & PAGE_MASK)) {
+ send_sig(SIGKILL, current, 0);
+ return error;
+@@ -382,7 +382,7 @@
+
+ if (!bprm->file->f_op->mmap||((fd_offset & ~PAGE_MASK) != 0)) {
+ loff_t pos = fd_offset;
+- do_brk(N_TXTADDR(ex), ex.a_text+ex.a_data);
++ do_brk_locked(N_TXTADDR(ex), ex.a_text+ex.a_data);
+ bprm->file->f_op->read(bprm->file,
+ (char __user *)N_TXTADDR(ex),
+ ex.a_text+ex.a_data, &pos);
+@@ -488,7 +488,7 @@
+ error_time = jiffies;
+ }
+
+- do_brk(start_addr, ex.a_text + ex.a_data + ex.a_bss);
++ do_brk_locked(start_addr, ex.a_text + ex.a_data + ex.a_bss);
+
+ file->f_op->read(file, (char __user *)start_addr,
+ ex.a_text + ex.a_data, &pos);
+@@ -512,7 +512,7 @@
+ len = PAGE_ALIGN(ex.a_text + ex.a_data);
+ bss = ex.a_text + ex.a_data + ex.a_bss;
+ if (bss > len) {
+- error = do_brk(start_addr + len, bss - len);
++ error = do_brk_locked(start_addr + len, bss - len);
+ retval = error;
+ if (error != start_addr + len)
+ goto out;
+diff -urNad linux-source-2.6.10-2.6.10/fs/binfmt_elf.c /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/fs/binfmt_elf.c
+--- linux-source-2.6.10-2.6.10/fs/binfmt_elf.c 2004-12-24 22:34:33.000000000 +0100
++++ /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/fs/binfmt_elf.c 2005-01-06 11:56:53.061897824 +0100
+@@ -88,7 +88,7 @@
+ start = ELF_PAGEALIGN(start);
+ end = ELF_PAGEALIGN(end);
+ if (end > start) {
+- unsigned long addr = do_brk(start, end - start);
++ unsigned long addr = do_brk_locked(start, end - start);
+ if (BAD_ADDR(addr))
+ return addr;
+ }
+@@ -408,7 +408,7 @@
+
+ /* Map the last of the bss segment */
+ if (last_bss > elf_bss) {
+- error = do_brk(elf_bss, last_bss - elf_bss);
++ error = do_brk_locked(elf_bss, last_bss - elf_bss);
+ if (BAD_ADDR(error))
+ goto out_close;
+ }
+@@ -448,7 +448,7 @@
+ goto out;
+ }
+
+- do_brk(0, text_data);
++ do_brk_locked(0, text_data);
+ if (!interpreter->f_op || !interpreter->f_op->read)
+ goto out;
+ if (interpreter->f_op->read(interpreter, addr, text_data, &offset) < 0)
+@@ -456,7 +456,7 @@
+ flush_icache_range((unsigned long)addr,
+ (unsigned long)addr + text_data);
+
+- do_brk(ELF_PAGESTART(text_data + ELF_MIN_ALIGN - 1),
++ do_brk_locked(ELF_PAGESTART(text_data + ELF_MIN_ALIGN - 1),
+ interp_ex->a_bss);
+ elf_entry = interp_ex->a_entry;
+
+@@ -1025,7 +1025,7 @@
+ len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
+ bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
+ if (bss > len)
+- do_brk(len, bss - len);
++ do_brk_locked(len, bss - len);
+ error = 0;
+
+ out_free_ph:
+diff -urNad linux-source-2.6.10-2.6.10/include/linux/mm.h /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/include/linux/mm.h
+--- linux-source-2.6.10-2.6.10/include/linux/mm.h 2004-12-24 22:33:50.000000000 +0100
++++ /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/include/linux/mm.h 2005-01-06 11:56:53.062897672 +0100
+@@ -702,6 +702,7 @@
+ extern int do_munmap(struct mm_struct *, unsigned long, size_t);
+
+ extern unsigned long do_brk(unsigned long, unsigned long);
++extern unsigned long do_brk_locked(unsigned long, unsigned long);
+
+ /* filemap.c */
+ extern unsigned long page_unuse(struct page *);
+diff -urNad linux-source-2.6.10-2.6.10/mm/mmap.c /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/mm/mmap.c
+--- linux-source-2.6.10-2.6.10/mm/mmap.c 2004-12-24 22:35:00.000000000 +0100
++++ /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/mm/mmap.c 2005-01-06 11:56:53.066897064 +0100
+@@ -1823,6 +1823,20 @@
+
+ EXPORT_SYMBOL(do_brk);
+
++/* locking version of do_brk. */
++unsigned long do_brk_locked(unsigned long addr, unsigned long len)
++{
++ unsigned long ret;
++
++ down_write(¤t->mm->mmap_sem);
++ ret = do_brk(addr, len);
++ up_write(¤t->mm->mmap_sem);
++
++ return ret;
++}
++
++EXPORT_SYMBOL(do_brk_locked);
++
+ /* Release all mmaps. */
+ void exit_mmap(struct mm_struct *mm)
+ {
+diff -urNad linux-source-2.6.10-2.6.10/mm/nommu.c /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/mm/nommu.c
+--- linux-source-2.6.10-2.6.10/mm/nommu.c 2004-12-24 22:35:25.000000000 +0100
++++ /usr/src/dpatchtemp/dpep.utRanM/linux-source-2.6.10-2.6.10/mm/nommu.c 2005-01-06 11:56:53.068896760 +0100
+@@ -227,6 +227,11 @@
+ return mm->brk = brk;
+ }
+
++unsigned long do_brk_locked(unsigned long addr, unsigned long len)
++{
++ return -ENOMEM;
++}
++
+ /*
+ * Combine the mmap "prot" and "flags" argument into one "vm_flags" used
+ * internally. Essentially, translate the "PROT_xxx" and "MAP_xxx" bits
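Review bot: The new do_brk_locked() in mm/mmap.c takes current->mm->mmap_sem for writing unconditionally, so its only safe callers are paths that do not already hold that semaphore, and the one-line comment does not say so; any existing do_brk() caller that takes mmap_sem itself would deadlock on down_write() if someone later "upgrades" it to the locked variant. I would replace `/* locking version of do_brk. */` with `/* do_brk() for callers that do NOT hold mm->mmap_sem (the binfmt loaders); callers that already hold it must keep using do_brk() or down_write() deadlocks. */` and put a matching one-line comment on the nommu.c stub, which appears to mirror the -ENOMEM return of do_brk() there. Separately, the nested diff was generated against linux-source-2.6.10 trees while this commit adds it to the kernel-source-2.6.9 series, so hunk offsets such as the mm/mmap.c `@@ -1823` may only apply with fuzz on 2.6.9 and the series build should be verified. The `¤t->mm` on the down_write()/up_write() lines reads as an HTML-entity mangling of `&current->mm` in this rendering rather than a defect in the patch file.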
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-5
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-5 2005-01-07 14:11:39 UTC (rev 2164)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-5 2005-01-07 14:16:09 UTC (rev 2165)
@@ -6,3 +6,4 @@
+ powerpc-g5-thermal-management-update.dpatch
+ powerpc-misc-powermac-fixes.dpatch
+ powerpc-prep-powerstack-irq.dpatch
++ sec_brk-locked.dpatch