r2173 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
maks andries
maks-guest@costa.debian.org
Fri, 07 Jan 2005 21:35:25 +0100
Author: maks-guest
Date: 2005-01-07 21:35:24 +0100 (Fri, 07 Jan 2005)
New Revision: 2173
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/sec_brk-locked.dpatch
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
Log:
backport Marcelo's sys_uselib() fixes
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-07 19:26:20 UTC (rev 2172)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-07 20:35:24 UTC (rev 2173)
@@ -1,3 +1,11 @@
+kernel-source-2.4.27 (2.4.27-9) UNRELEASED; urgency=low
+
+ * [SECURITY] Fix vulnerability in the ELF loader code allowing
+ local attacker to execute code as root; CAN-2004-1235.
+ (closes: #289155) (Maximilian Attems)
+
+ --
+
kernel-source-2.4.27 (2.4.27-8) unstable; urgency=low
* add dh_fixperms to the build targets to kernel-patch-debian-2.4.27
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/sec_brk-locked.dpatch
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/sec_brk-locked.dpatch 2005-01-07 19:26:20 UTC (rev 2172)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/sec_brk-locked.dpatch 2005-01-07 20:35:24 UTC (rev 2173)
@@ -0,0 +1,256 @@
+#! /bin/sh -e
+## DP: Description: Paul Starzetz: sys_uselib() race vulnerability CAN-2004-1235
+## DP: Patch author: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -Nru a/arch/mips/kernel/irixelf.c b/arch/mips/kernel/irixelf.c
+--- a/arch/mips/kernel/irixelf.c 2005-01-07 11:40:11 -08:00
++++ b/arch/mips/kernel/irixelf.c 2005-01-07 11:40:11 -08:00
+@@ -130,7 +130,7 @@
+ end = PAGE_ALIGN(end);
+ if (end <= start)
+ return;
+- do_brk(start, end - start);
++ do_brk_locked(start, end - start);
+ }
+
+
+@@ -379,7 +379,7 @@
+
+ /* Map the last of the bss segment */
+ if (last_bss > len) {
+- do_brk(len, (last_bss - len));
++ do_brk_locked(len, (last_bss - len));
+ }
+ kfree(elf_phdata);
+
+@@ -567,7 +567,7 @@
+ unsigned long v;
+ struct prda *pp;
+
+- v = do_brk (PRDA_ADDRESS, PAGE_SIZE);
++ v = do_brk_locked (PRDA_ADDRESS, PAGE_SIZE);
+
+ if (v < 0)
+ return;
+@@ -859,7 +859,7 @@
+ len = (elf_phdata->p_filesz + elf_phdata->p_vaddr+ 0xfff) & 0xfffff000;
+ bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
+ if (bss > len)
+- do_brk(len, bss-len);
++ do_brk_locked(len, bss-len);
+ kfree(elf_phdata);
+ return 0;
+ }
+diff -Nru a/arch/sparc64/kernel/binfmt_aout32.c b/arch/sparc64/kernel/binfmt_aout32.c
+--- a/arch/sparc64/kernel/binfmt_aout32.c 2005-01-07 11:40:11 -08:00
++++ b/arch/sparc64/kernel/binfmt_aout32.c 2005-01-07 11:40:11 -08:00
+@@ -49,7 +49,7 @@
+ end = PAGE_ALIGN(end);
+ if (end <= start)
+ return;
+- do_brk(start, end - start);
++ do_brk_locked(start, end - start);
+ }
+
+ /*
+@@ -246,10 +246,10 @@
+ if (N_MAGIC(ex) == NMAGIC) {
+ loff_t pos = fd_offset;
+ /* Fuck me plenty... */
+- error = do_brk(N_TXTADDR(ex), ex.a_text);
++ error = do_brk_locked(N_TXTADDR(ex), ex.a_text);
+ bprm->file->f_op->read(bprm->file, (char *) N_TXTADDR(ex),
+ ex.a_text, &pos);
+- error = do_brk(N_DATADDR(ex), ex.a_data);
++ error = do_brk_locked(N_DATADDR(ex), ex.a_data);
+ bprm->file->f_op->read(bprm->file, (char *) N_DATADDR(ex),
+ ex.a_data, &pos);
+ goto beyond_if;
+@@ -257,7 +257,7 @@
+
+ if (N_MAGIC(ex) == OMAGIC) {
+ loff_t pos = fd_offset;
+- do_brk(N_TXTADDR(ex) & PAGE_MASK,
++ do_brk_locked(N_TXTADDR(ex) & PAGE_MASK,
+ ex.a_text+ex.a_data + PAGE_SIZE - 1);
+ bprm->file->f_op->read(bprm->file, (char *) N_TXTADDR(ex),
+ ex.a_text+ex.a_data, &pos);
+@@ -272,7 +272,7 @@
+
+ if (!bprm->file->f_op->mmap) {
+ loff_t pos = fd_offset;
+- do_brk(0, ex.a_text+ex.a_data);
++ do_brk_locked(0, ex.a_text+ex.a_data);
+ bprm->file->f_op->read(bprm->file,(char *)N_TXTADDR(ex),
+ ex.a_text+ex.a_data, &pos);
+ goto beyond_if;
+@@ -388,7 +388,7 @@
+ len = PAGE_ALIGN(ex.a_text + ex.a_data);
+ bss = ex.a_text + ex.a_data + ex.a_bss;
+ if (bss > len) {
+- error = do_brk(start_addr + len, bss - len);
++ error = do_brk_locked(start_addr + len, bss - len);
+ retval = error;
+ if (error != start_addr + len)
+ goto out;
+diff -Nru a/fs/binfmt_aout.c b/fs/binfmt_aout.c
+--- a/fs/binfmt_aout.c 2005-01-07 11:40:11 -08:00
++++ b/fs/binfmt_aout.c 2005-01-07 11:40:11 -08:00
+@@ -46,7 +46,7 @@
+ start = PAGE_ALIGN(start);
+ end = PAGE_ALIGN(end);
+ if (end > start) {
+- unsigned long addr = do_brk(start, end - start);
++ unsigned long addr = do_brk_locked(start, end - start);
+ if (BAD_ADDR(addr))
+ return addr;
+ }
+@@ -317,10 +317,10 @@
+ loff_t pos = fd_offset;
+ /* Fuck me plenty... */
+ /* <AOL></AOL> */
+- error = do_brk(N_TXTADDR(ex), ex.a_text);
++ error = do_brk_locked(N_TXTADDR(ex), ex.a_text);
+ bprm->file->f_op->read(bprm->file, (char *) N_TXTADDR(ex),
+ ex.a_text, &pos);
+- error = do_brk(N_DATADDR(ex), ex.a_data);
++ error = do_brk_locked(N_DATADDR(ex), ex.a_data);
+ bprm->file->f_op->read(bprm->file, (char *) N_DATADDR(ex),
+ ex.a_data, &pos);
+ goto beyond_if;
+@@ -341,7 +341,7 @@
+ map_size = ex.a_text+ex.a_data;
+ #endif
+
+- error = do_brk(text_addr & PAGE_MASK, map_size);
++ error = do_brk_locked(text_addr & PAGE_MASK, map_size);
+ if (error != (text_addr & PAGE_MASK)) {
+ send_sig(SIGKILL, current, 0);
+ return error;
+@@ -375,7 +375,7 @@
+
+ if (!bprm->file->f_op->mmap||((fd_offset & ~PAGE_MASK) != 0)) {
+ loff_t pos = fd_offset;
+- do_brk(N_TXTADDR(ex), ex.a_text+ex.a_data);
++ do_brk_locked(N_TXTADDR(ex), ex.a_text+ex.a_data);
+ bprm->file->f_op->read(bprm->file,(char *)N_TXTADDR(ex),
+ ex.a_text+ex.a_data, &pos);
+ flush_icache_range((unsigned long) N_TXTADDR(ex),
+@@ -476,7 +476,7 @@
+ error_time = jiffies;
+ }
+
+- do_brk(start_addr, ex.a_text + ex.a_data + ex.a_bss);
++ do_brk_locked(start_addr, ex.a_text + ex.a_data + ex.a_bss);
+
+ file->f_op->read(file, (char *)start_addr,
+ ex.a_text + ex.a_data, &pos);
+@@ -500,7 +500,7 @@
+ len = PAGE_ALIGN(ex.a_text + ex.a_data);
+ bss = ex.a_text + ex.a_data + ex.a_bss;
+ if (bss > len) {
+- error = do_brk(start_addr + len, bss - len);
++ error = do_brk_locked(start_addr + len, bss - len);
+ retval = error;
+ if (error != start_addr + len)
+ goto out;
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2005-01-07 11:40:11 -08:00
++++ b/fs/binfmt_elf.c 2005-01-07 11:40:11 -08:00
+@@ -84,7 +84,7 @@
+ start = ELF_PAGEALIGN(start);
+ end = ELF_PAGEALIGN(end);
+ if (end > start) {
+- unsigned long addr = do_brk(start, end - start);
++ unsigned long addr = do_brk_locked(start, end - start);
+ if (BAD_ADDR(addr))
+ return addr;
+ }
+@@ -377,7 +377,7 @@
+
+ /* Map the last of the bss segment */
+ if (last_bss > elf_bss) {
+- error = do_brk(elf_bss, last_bss - elf_bss);
++ error = do_brk_locked(elf_bss, last_bss - elf_bss);
+ if (BAD_ADDR(error))
+ goto out_close;
+ }
+@@ -424,8 +424,7 @@
+ goto out;
+ }
+
+- do_brk(0, text_data);
+- retval = -ENOEXEC;
++ do_brk_locked(0, text_data);
+ if (!interpreter->f_op || !interpreter->f_op->read)
+ goto out;
+ retval = interpreter->f_op->read(interpreter, addr, text_data, &offset);
+@@ -434,7 +434,7 @@
+ flush_icache_range((unsigned long)addr,
+ (unsigned long)addr + text_data);
+
+- do_brk(ELF_PAGESTART(text_data + ELF_MIN_ALIGN - 1),
++ do_brk_locked(ELF_PAGESTART(text_data + ELF_MIN_ALIGN - 1),
+ interp_ex->a_bss);
+ elf_entry = interp_ex->a_entry;
+
+@@ -975,7 +975,7 @@
+ len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
+ bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
+ if (bss > len)
+- do_brk(len, bss - len);
++ do_brk_locked(len, bss - len);
+ error = 0;
+
+ out_free_ph:
+diff -Nru a/include/linux/mm.h b/include/linux/mm.h
+--- a/include/linux/mm.h 2005-01-07 11:40:11 -08:00
++++ b/include/linux/mm.h 2005-01-07 11:40:11 -08:00
+@@ -572,6 +572,7 @@
+ extern int do_munmap(struct mm_struct *, unsigned long, size_t);
+
+ extern unsigned long do_brk(unsigned long, unsigned long);
++extern unsigned long do_brk_locked(unsigned long, unsigned long);
+
+ static inline void __vma_unlink(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct * prev)
+ {
+diff -Nru a/kernel/ksyms.c b/kernel/ksyms.c
+--- a/kernel/ksyms.c 2005-01-07 11:40:11 -08:00
++++ b/kernel/ksyms.c 2005-01-07 11:40:11 -08:00
+@@ -92,6 +92,7 @@
+ EXPORT_SYMBOL(do_mmap_pgoff);
+ EXPORT_SYMBOL(do_munmap);
+ EXPORT_SYMBOL(do_brk);
++EXPORT_SYMBOL(do_brk_locked);
+ EXPORT_SYMBOL(exit_mm);
+ EXPORT_SYMBOL(exit_files);
+ EXPORT_SYMBOL(exit_fs);
+diff -Nru a/mm/mmap.c b/mm/mmap.c
+--- a/mm/mmap.c 2005-01-07 11:40:11 -08:00
++++ b/mm/mmap.c 2005-01-07 11:40:11 -08:00
+@@ -1116,6 +1116,21 @@
+ return addr;
+ }
+
++/* locking version of do_brk. */
++unsigned long do_brk_locked(unsigned long addr, unsigned long len)
++{
++ unsigned long ret;
++
++ down_write(¤t->mm->mmap_sem);
++ ret = do_brk(addr, len);
++ up_write(¤t->mm->mmap_sem);
++
++ return ret;
++}
++
++
++
++
+ /* Build the RB tree corresponding to the VMA list. */
+ void build_mmap_rb(struct mm_struct * mm)
+ {
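Review bot: Most of the converted call sites still discard the result of do_brk_locked() — e.g. `do_brk_locked(start, end - start);` in the set_brk() helpers of irixelf.c and binfmt_aout32.c, the OMAGIC and no-mmap paths of binfmt_aout32.c/binfmt_aout.c, and `do_brk_locked(0, text_data);` in binfmt_elf.c's load_aout_interp — so a failed mapping is immediately followed by an `f_op->read` into an address that was never set up, and the loader proceeds with a partially built image. The backport only adds the lock; the sites that do check use the `BAD_ADDR(addr)` pattern visible in set_brk() of binfmt_aout.c and binfmt_elf.c, and that check (followed by the `goto out` / SIGKILL the surrounding function already uses on its other error paths) belongs at each of the silent sites. The new helper also deserves a contract note on its mm.h declaration, because it takes `current->mm->mmap_sem` for write and would self-deadlock for any caller that already holds it: `/* do_brk() that takes current->mm->mmap_sem itself; the caller must not hold it. */`. Separately, `¤t->mm->mmap_sem` on the down_write/up_write lines looks like an HTML-entity mangling of `&current->mm->mmap_sem` in this rendering; the patch as applied should be verified to carry the real text.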
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-01-07 19:26:20 UTC (rev 2172)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-01-07 20:35:24 UTC (rev 2173)
@@ -0,0 +1 @@
++ sec_brk-locked.dpatch