r2174 - in trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian: . patches patches/series
Andres Salomon
dilinger-guest@costa.debian.org
Sat, 08 Jan 2005 00:30:59 +0100
Author: dilinger-guest
Date: 2005-01-08 00:30:58 +0100 (Sat, 08 Jan 2005)
New Revision: 2174
Added:
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/028-do_brk_security_fixes.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/029-random_poolsize_overflow.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/030-moxa_user_copy_checking.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-2
Log:
Dropped the earlier do_brk fix; applied the one from alan's tree, instead.
* [SECURITY] 028-do_brk_security_fixes.dpatch
Fix local root vulnerability for various do_brk() calls;
ensure an exclusive lock on memory while modifying it; CAN-2004-1235
(Andres Salomon).
* [SECURITY] 029-random_poolsize_overflow.dpatch
drivers/char/random allows you to set the poolsize; its sanity checking
on that input isn't very good. We fix that here.
See http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html for
more details. This fixes #3 on that list (Andres Salomon).
* [SECURITY] 030-moxa_user_copy_checking.dpatch
The moxa driver does some ugly things w/ signed integers. This fixes
#4 on Brad Spengler's advisory (Andres Salomon).
* [SECURITY] 031-sg_scsi_ioctl_int_overflows.dpatch
SG ioctl stuff doesn't actually check whether the scsi command length
is positive. #5 on the above advisory (Andres Salomon).
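The three length bugs above (029, 030, 031) are one bug class: a length read from user space lands in a signed int, and the "too big?" comparison either never sees the negative value or only rejects it by accident of C's conversion rules. The following user-space model is an added example, not code from the Debian patches or from the kernel; it reproduces each shape of check so the behaviour can be tested with ordinary inputs. MODEL_MAXLEN and MODEL_PAGE_SIZE are stand-ins chosen here (the real PAGE_SIZE is unsigned long on most arches; the int-typed stand-in is what makes the int-vs-int case accept a negative length), and all function names are illustrative.

```c
/*
 * Added example; not part of the Debian patches or the kernel source. A
 * user-space model of the length checks touched by 029, 030 and 031, so the
 * signed/unsigned behaviour can be exercised with ordinary test inputs.
 * MODEL_MAXLEN and MODEL_PAGE_SIZE are stand-ins chosen here, not kernel
 * values; MODEL_PAGE_SIZE is deliberately int-typed to reproduce the case
 * where an int-vs-int comparison accepts a negative length.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAXLEN    64      /* like ctl_table.maxlen in random.c: an int */
#define MODEL_PAGE_SIZE 4096    /* int-typed stand-in for PAGE_SIZE */

static char model_buf[MODEL_PAGE_SIZE];   /* plays the role of moxaBuff */

/* Byte count the pre-029 poolsize_strategy() would hand to copy_from_user().
 * `int len = newlen;` truncates the size_t; with GCC/Clang's modular
 * conversion 0xffffffff becomes -1, and -1 > table->maxlen (int vs int) is
 * false, so the clamp never fires and the unsigned length parameter of
 * copy_from_user() receives the sign-extended value. */
unsigned long poolsize_len_before(size_t newlen)
{
    int len = (int)newlen;
    if (len > MODEL_MAXLEN)
        len = MODEL_MAXLEN;
    return (unsigned long)len;            /* -1 -> ULONG_MAX */
}

/* The same path with the 029 fix: len is unsigned long, so the clamp holds
 * for every input (the int maxlen is promoted to unsigned long). */
unsigned long poolsize_len_after(size_t newlen)
{
    unsigned long len = (unsigned long)newlen;
    if (len > MODEL_MAXLEN)
        len = MODEL_MAXLEN;
    return len;
}

/* Three shapes of "is this length too big?" check fed an int read from user
 * space, as in the moxa and sg_scsi_ioctl paths. Each returns 1 when the
 * length is accepted, i.e. would reach copy_from_user(). */
int accepted_int_vs_int(int len)          /* if (len > PAGE_SIZE), both int */
{
    return !(len > MODEL_PAGE_SIZE);      /* -1 passes */
}

int accepted_int_vs_size_t(int len)       /* if (len > sizeof(moxaBuff)) */
{
    return !(len > sizeof(model_buf));    /* -1 converts to SIZE_MAX: rejected */
}

int accepted_explicit(int len)            /* patched form used in 030 and 031 */
{
    return !(len < 0 || len > MODEL_PAGE_SIZE);
}

/* Length copy_from_user() would be asked for once an int passes the
 * int-vs-int check: the signed value converts to the unsigned size
 * parameter. Returns 0 when the check rejects the length. */
size_t copy_size_after_int_check(int len)
{
    if (len > MODEL_PAGE_SIZE)
        return 0;
    return (size_t)len;                   /* -1 -> SIZE_MAX */
}

int main(void)
{
    size_t huge = (size_t)0xffffffffu;    /* constructed input: top bit set */
    printf("poolsize newlen=0x%zx: before=%lu after=%lu\n", huge,
           poolsize_len_before(huge), poolsize_len_after(huge));
    printf("len=-1 accepted: int-vs-int=%d int-vs-size_t=%d explicit=%d\n",
           accepted_int_vs_int(-1), accepted_int_vs_size_t(-1),
           accepted_explicit(-1));
    printf("bytes copied after int-vs-int check for len=-1: %zu\n",
           copy_size_after_int_check(-1));
    return 0;
}
```

The int-vs-size_t case is why the moxa hunk that only adds `len < 0` changes nothing: the negative int is already converted to a huge size_t by the existing comparison. The int-vs-int case is the one that needs either the unsigned type (029) or the explicit `< 0` test (031); the explicit form has the advantage of not depending on the type of the constant on the other side.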
Modified: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog 2005-01-07 20:35:24 UTC (rev 2173)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog 2005-01-07 23:30:58 UTC (rev 2174)
@@ -1,11 +1,26 @@
kernel-source-2.6.10 (2.6.10-2) unstable; urgency=low
- * [SECURITY] Fix vulnerability in the ELF loader code allowing
- local attacker to execute code as root; CAN-2004-1235.
- (closes: #289155) (Maximilian Attems)
+ * [SECURITY] 028-do_brk_security_fixes.dpatch
+ Fix local root vulnerability for various do_brk() calls;
+ ensure an exclusive lock on memory while modifying it; CAN-2004-1235
+ (Andres Salomon) (closes: #289155).
- -- Andres Salomon <dilinger@voxel.net>
+ * [SECURITY] 029-random_poolsize_overflow.dpatch
+ drivers/char/random allows you to set the poolsize; its sanity checking
+ on that input isn's very good. We fix that here.
+ See http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html for
+ more details. This fixes #3 on that list (Andres Salomon).
+ * [SECURITY] 030-moxa_user_copy_checking.dpatch
+ The moxa driver does some ugly things w/ signed integers. This fixes
+ #4 on Brad Spengler's advisory (Andres Salomon).
+
+ * [SECURITY] 031-sg_scsi_ioctl_int_overflows.dpatch
+ SG ioctl stuff doesn't actually check whether the scsi command length
+ is positive. #5 on the above advisory (Andres Salomon).
+
+ -- Andres Salomon <dilinger@voxel.net> Fri, 07 Jan 2005 18:27:56 -0500
+
kernel-source-2.6.10 (2.6.10-1) unstable; urgency=low
* New upstream release.
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/028-do_brk_security_fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/028-do_brk_security_fixes.dpatch 2005-01-07 20:35:24 UTC (rev 2173)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/028-do_brk_security_fixes.dpatch 2005-01-07 23:30:58 UTC (rev 2174)
@@ -0,0 +1,113 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Ensure do_brk() is called with semaphore held on current mm struct (CAN-2004-1235)
+## DP: Patch author: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+## DP: Upstream status: not yet merged; pulled from 2.6.10-ac6
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/arch/ia64/kernel/sys_ia64.c linux-2.6.10/arch/ia64/kernel/sys_ia64.c
+--- linux.vanilla-2.6.10/arch/ia64/kernel/sys_ia64.c 2004-12-25 21:15:32.000000000 +0000
++++ linux-2.6.10/arch/ia64/kernel/sys_ia64.c 2005-01-07 15:36:22.000000000 +0000
+@@ -147,7 +147,7 @@
+ goto out;
+
+ /* Ok, looks good - let it rip. */
+- if (do_brk(oldbrk, newbrk-oldbrk) != oldbrk)
++ if (__do_brk(oldbrk, newbrk-oldbrk) != oldbrk)
+ goto out;
+ set_brk:
+ mm->brk = brk;
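Review bot: this hunk shows only the call site, not the lock, and after this patch __do_brk() takes no lock itself, so switching the ia64 sys_brk() to it is correct only if the caller already holds mm->mmap_sem for write. The sparc and sparc64 hunks below show that precondition in their context lines (`up_write(... mm->mmap_sem)` right after the call); please confirm the ia64 and mips callers do the same before this lands.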
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/arch/mips/kernel/sysirix.c linux-2.6.10/arch/mips/kernel/sysirix.c
+--- linux.vanilla-2.6.10/arch/mips/kernel/sysirix.c 2004-12-25 21:15:32.000000000 +0000
++++ linux-2.6.10/arch/mips/kernel/sysirix.c 2005-01-07 15:36:33.000000000 +0000
+@@ -591,7 +591,7 @@
+ * Ok, looks good - let it rip.
+ */
+ mm->brk = brk;
+- do_brk(oldbrk, newbrk-oldbrk);
++ __do_brk(oldbrk, newbrk-oldbrk);
+ ret = 0;
+
+ out:
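Review bot: `mm->brk = brk;` on the line above is committed before __do_brk() runs and the return value is discarded, so a failed allocation leaves mm->brk advanced past the mapped region. This is pre-existing and the sunos hunks have the same shape, but the mm/mmap.c hunk in this patch shows the safer order: compare the result against oldbrk, `goto out` on mismatch, and only then set mm->brk.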
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/arch/sparc/kernel/sys_sunos.c linux-2.6.10/arch/sparc/kernel/sys_sunos.c
+--- linux.vanilla-2.6.10/arch/sparc/kernel/sys_sunos.c 2004-12-25 21:15:32.000000000 +0000
++++ linux-2.6.10/arch/sparc/kernel/sys_sunos.c 2005-01-07 15:37:03.000000000 +0000
+@@ -207,7 +207,7 @@
+ * Ok, we have probably got enough memory - let it rip.
+ */
+ current->mm->brk = brk;
+- do_brk(oldbrk, newbrk-oldbrk);
++ __do_brk(oldbrk, newbrk-oldbrk);
+ retval = 0;
+ out:
+ up_write(¤t->mm->mmap_sem);
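Review bot: `up_write(¤t->mm->mmap_sem)` on the last context line is a rendering artefact for `&current->mm->mmap_sem` (the `&curr` prefix was decoded as an HTML entity); it is not in the patch itself. That same line is useful evidence: this caller holds mmap_sem for write across the call, which is exactly the precondition the new __do_brk() name is meant to signal.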
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/arch/sparc64/kernel/sys_sunos32.c linux-2.6.10/arch/sparc64/kernel/sys_sunos32.c
+--- linux.vanilla-2.6.10/arch/sparc64/kernel/sys_sunos32.c 2004-12-25 21:15:32.000000000 +0000
++++ linux-2.6.10/arch/sparc64/kernel/sys_sunos32.c 2005-01-07 15:37:23.000000000 +0000
+@@ -164,7 +164,7 @@
+ goto out;
+ /* Ok, we have probably got enough memory - let it rip. */
+ current->mm->brk = brk;
+- do_brk(oldbrk, newbrk-oldbrk);
++ __do_brk(oldbrk, newbrk-oldbrk);
+ retval = 0;
+ out:
+ up_write(¤t->mm->mmap_sem);
+
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/include/linux/mm.h linux-2.6.10/include/linux/mm.h
+--- linux.vanilla-2.6.10/include/linux/mm.h 2004-12-25 21:15:46.000000000 +0000
++++ linux-2.6.10/include/linux/mm.h 2005-01-07 15:37:37.178938392 +0000
+@@ -703,6 +703,7 @@
+
+ extern int do_munmap(struct mm_struct *, unsigned long, size_t);
+
++extern unsigned long __do_brk(unsigned long, unsigned long);
+ extern unsigned long do_brk(unsigned long, unsigned long);
+
+ /* filemap.c */
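Review bot: the new prototype carries no comment on the locking contract. Since __do_brk() and do_brk() now differ only in who takes mm->mmap_sem, a one-line comment here (`/* __do_brk: caller holds mmap_sem for write; do_brk: takes it */`) is what the next caller will read, and that contract is the whole point of the CAN-2004-1235 fix.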
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/mm/mmap.c linux-2.6.10/mm/mmap.c
+--- linux.vanilla-2.6.10/mm/mmap.c 2004-12-25 21:15:46.000000000 +0000
++++ linux-2.6.10/mm/mmap.c 2005-01-07 15:31:43.000000000 +0000
+@@ -145,7 +145,7 @@
+ goto out;
+
+ /* Ok, looks good - let it rip. */
+- if (do_brk(oldbrk, newbrk-oldbrk) != oldbrk)
++ if (__do_brk(oldbrk, newbrk-oldbrk) != oldbrk)
+ goto out;
+ set_brk:
+ mm->brk = brk;
+@@ -1742,7 +1742,7 @@
+ * anonymous maps. eventually we may be able to do some
+ * brk-specific accounting here.
+ */
+-unsigned long do_brk(unsigned long addr, unsigned long len)
++unsigned long __do_brk(unsigned long addr, unsigned long len)
+ {
+ struct mm_struct * mm = current->mm;
+ struct vm_area_struct * vma, * prev;
+@@ -1824,7 +1824,19 @@
+ return addr;
+ }
+
++EXPORT_SYMBOL(__do_brk);
++
++unsigned long do_brk(unsigned long addr, unsigned long len)
++{
++ unsigned long ret;
++
++ down_write(¤t->mm->mmap_sem);
++ ret = __do_brk(addr, len);
++ up_write(¤t->mm->mmap_sem);
++}
++
+ EXPORT_SYMBOL(do_brk);
++
+
+ /* Release all mmaps. */
+ void exit_mmap(struct mm_struct *mm)
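Review bot: the do_brk() wrapper declares `unsigned long ret`, assigns it from __do_brk(), and then falls off the end without `return ret;`, so every caller that inspects the result (the sys_brk hunk above compares it against oldbrk) reads an undefined value and can treat a failed mapping as success; gcc will also warn that control reaches the end of a non-void function. Add `return ret;` after the `up_write(&current->mm->mmap_sem)` line (`¤t` in this rendering is `&current`). Two smaller points: `EXPORT_SYMBOL(__do_brk)` hands modules the unlocked variant, which is the misuse this patch exists to close, so either drop the export or name the precondition next to it; and the extra blank `+` lines after `EXPORT_SYMBOL(do_brk)` only add whitespace.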
+
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/029-random_poolsize_overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/029-random_poolsize_overflow.dpatch 2005-01-07 20:35:24 UTC (rev 2173)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/029-random_poolsize_overflow.dpatch 2005-01-07 23:30:58 UTC (rev 2174)
@@ -0,0 +1,55 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] check user-supplied length before copy_from_user
+## DP: Patch author: Andres Salomon <dilinger@voxel.net>
+## DP: Upstream status: not yet submitted
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+Revision: linux-drivers-char--ps-int-overflow--0--patch-1
+Archive: dilinger@voxel.net--2005-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Fri Jan 7 17:45:21 EST 2005
+Standard-date: 2005-01-07 22:45:21 GMT
+Modified-files: random.c
+New-patches: dilinger@voxel.net--2005-public/linux-drivers-char--ps-int-overflow--0--patch-1
+Summary: integer overflow fix for poolsize_strategy()
+Keywords:
+
+Pointed out by Brad Spengler here:
+http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html
+
+The fix is simple; we're passed a size_t (generally an unsigned int
+or unsigned long, depending on arch); copy_from_user expects an
+unsigned long. We can simply cast it to an unsigned long; table->maxlen
+guarantees that we'll always have a small amount, anyways.
+
+
+* modified files
+
+--- orig/drivers/char/random.c
++++ mod/drivers/char/random.c
+@@ -1906,7 +1906,7 @@
+ void __user *oldval, size_t __user *oldlenp,
+ void __user *newval, size_t newlen, void **context)
+ {
+- int len;
++ unsigned long len;
+
+ sysctl_poolsize = random_state->poolinfo.POOLBYTES;
+
+@@ -1916,7 +1916,7 @@
+ * write case happens twice; it's harmless).
+ */
+ if (newval && newlen) {
+- len = newlen;
++ len = (unsigned long) newlen;
+ if (len > table->maxlen)
+ len = table->maxlen;
+ if (copy_from_user(table->data, newval, len))
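Review bot: the description says the fix is to cast newlen, but the `(unsigned long) newlen` cast on the assignment is a no-op since newlen is already a size_t; the change that matters is `int len` becoming `unsigned long len`, which stops a size_t with the top bit set from turning into a negative int that sails past `len > table->maxlen`. Reword the description to say that. The comparison is now unsigned long against ctl_table's int `maxlen`, which is fine while maxlen is a non-negative constant; a `(size_t)table->maxlen` on the right-hand side would make that assumption visible at the call site.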
+
+
+
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/030-moxa_user_copy_checking.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/030-moxa_user_copy_checking.dpatch 2005-01-07 20:35:24 UTC (rev 2173)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/030-moxa_user_copy_checking.dpatch 2005-01-07 23:30:58 UTC (rev 2174)
@@ -0,0 +1,69 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] make the moxa driver check user supplied lengths before doing copy_from_users
+## DP: Patch author: Andres Salomon <dilinger@voxel.net>
+## DP: Upstream status: not yet submitted
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+Revision: linux-drivers-char--moxa-overflow--0--patch-1
+Archive: dilinger@voxel.net--2005-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Fri Jan 7 18:05:38 EST 2005
+Standard-date: 2005-01-07 23:05:38 GMT
+Modified-files: moxa.c
+New-patches: dilinger@voxel.net--2005-public/linux-drivers-char--moxa-overflow--0--patch-1
+Summary: sanity check dltmp.len size before all copy_from_user() calls
+Keywords:
+
+Make sure the length we're passing copy_from_user() is never negative or
+too large for moxaBuff.
+
+
+
+* modified files
+
+--- orig/drivers/char/moxa.c
++++ mod/drivers/char/moxa.c
+@@ -1666,7 +1666,7 @@
+
+ if(copy_from_user(&dltmp, argp, sizeof(struct dl_str)))
+ return -EFAULT;
+- if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS)
++ if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS || dltmp.len < 0)
+ return -EINVAL;
+
+ switch(cmd)
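Review bot: rejecting a negative `dltmp.len` at the ioctl entry is right, but it only bounds the length from below; the upper bound against `sizeof(moxaBuff)` lives in each callee in the hunks below, so those checks remain load-bearing and this one is defence in depth. A short comment saying so would stop the next reader from assuming one of the two is redundant and removing it.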
+@@ -2775,6 +2775,8 @@
+ void __iomem *baseAddr;
+ int i;
+
++ if(len < 0 || len > sizeof(moxaBuff))
++ return -EINVAL;
+ if(copy_from_user(moxaBuff, tmp, len))
+ return -EFAULT;
+ baseAddr = moxaBaseAddr[cardno];
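Review bot: this copy previously took an unchecked user-supplied length straight into the fixed-size moxaBuff, so this bound (and the matching one in the last hunk) is the actual fix in this file. The identical `if(len < 0 || len > sizeof(moxaBuff)) return -EINVAL;` now appears three times in the patch; a small static helper, or one check at the ioctl dispatch point where `dltmp.len` is already validated, would keep the three sites from drifting apart.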
+@@ -2822,7 +2824,7 @@
+ void __iomem *baseAddr;
+ int i;
+
+- if(len > sizeof(moxaBuff))
++ if(len < 0 || len > sizeof(moxaBuff))
+ return -EINVAL;
+ if(copy_from_user(moxaBuff, tmp, len))
+ return -EFAULT;
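Review bot: the added `len < 0 ||` in this function does not change behaviour: `len > sizeof(moxaBuff)` compares an int against a size_t, so a negative len is converted to a large unsigned value and was already rejected by the existing check. It is harmless and arguably clearer, but unlike the two hunks that previously had no check at all, this one should not be described as closing a hole.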
+@@ -2842,6 +2844,8 @@
+ void __iomem *baseAddr, *ofsAddr;
+ int retval, port, i;
+
++ if(len < 0 || len > sizeof(moxaBuff))
++ return -EINVAL;
+ if(copy_from_user(moxaBuff, tmp, len))
+ return -EFAULT;
+ baseAddr = moxaBaseAddr[cardno];
+
+
+
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch 2005-01-07 20:35:24 UTC (rev 2173)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch 2005-01-07 23:30:58 UTC (rev 2174)
@@ -0,0 +1,59 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] make SG ioctl stuff validate integers before passing to get_user and friends
+## DP: Patch author: Andres Salomon <dilinger@voxel.net>
+## DP: Upstream status: not yet submitted
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+Revision: linux-drivers-block--scsi-ioctl-overflow--0--patch-1
+Archive: dilinger@voxel.net--2005-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Fri Jan 7 18:20:43 EST 2005
+Standard-date: 2005-01-07 23:20:43 GMT
+Modified-files: scsi_ioctl.c
+New-patches: dilinger@voxel.net--2005-public/linux-drivers-block--scsi-ioctl-overflow--0--patch-1
+Summary: check user-supplied lengths during SG ioctls
+Keywords:
+
+http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html
+
+Check that the values we're getting for lengths are sane before doing any
+processing on the data supplied by the user.
+
+
+
+* modified files
+
+--- orig/drivers/block/scsi_ioctl.c
++++ mod/drivers/block/scsi_ioctl.c
+@@ -347,9 +347,11 @@
+ */
+ if (get_user(in_len, &sic->inlen))
+ return -EFAULT;
++ if (in_len < 0 || in_len > PAGE_SIZE)
++ return -EINVAL;
+ if (get_user(out_len, &sic->outlen))
+ return -EFAULT;
+- if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
++ if (out_len < 0 || out_len > PAGE_SIZE)
+ return -EINVAL;
+ if (get_user(opcode, sic->data))
+ return -EFAULT;
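Review bot: splitting the combined `in_len > PAGE_SIZE || out_len > PAGE_SIZE` into two checks is fine, but whether the original let a negative length through depends on the type of PAGE_SIZE on the target arch: where it is defined as an unsigned long the int is converted and the old comparison already rejected negatives; where it is a plain int it did not. The explicit `< 0` tests remove that dependency, which is worth saying in the description, since "not checked for positive" only holds on the second kind of arch. For readability, both bounds could also remain a single `if` placed after the two get_user() calls.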
+@@ -366,6 +368,10 @@
+ rq = blk_get_request(q, in_len ? WRITE : READ, __GFP_WAIT);
+
+ cmdlen = COMMAND_SIZE(opcode);
++ if (cmdlen < 0 || cmdlen > PAGE_SIZE) {
++ err = -EINVAL;
++ goto error;
++ }
+
+ /*
+ * get command and data to send to device, if any
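Review bot: the new `goto error` sits right after `rq = blk_get_request(...)`, so it relies on the `error:` path releasing the request; that label and its cleanup are outside this hunk, so please confirm it calls blk_put_request(rq), otherwise every rejected command leaks a request. Also, if COMMAND_SIZE() is the usual table lookup by opcode group it returns small constants, so `cmdlen > PAGE_SIZE` can never fire and `cmdlen < 0` is the only live half of the test; a comment marking the bound as defensive would save a reader from hunting for the case it handles.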
+
+
+
Modified: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-2
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-2 2005-01-07 20:35:24 UTC (rev 2173)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-2 2005-01-07 23:30:58 UTC (rev 2174)
@@ -1 +1,4 @@
-+ sec_brk-locked.dpatch
++ 028-do_brk_security_fixes.dpatch
++ 029-random_poolsize_overflow.dpatch
++ 030-moxa_user_copy_checking.dpatch
++ 031-sg_scsi_ioctl_int_overflows.dpatch