r2289 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Simon Horman
horms@costa.debian.org
Thu, 13 Jan 2005 08:52:00 +0100
Author: horms
Date: 2005-01-13 08:51:59 +0100 (Thu, 13 Jan 2005)
New Revision: 2289
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/124_random_poolsize_overflow.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/125_moxa_bound_checking.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/126_rlimit_memlock_dos.diff
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
Log:
[SECURITY] Fix integer overflow in random poolsize sysctl.
[SECURITY] Fix bounds checking in moxa serial driver.
[SECURITY] Fix RLIMIT_MEMLOCK local DoS
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-13 07:37:34 UTC (rev 2288)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-13 07:51:59 UTC (rev 2289)
@@ -2,20 +2,29 @@
* add dh_fixperms to the build targets to kernel-patch-debian-2.4.27
to ensure that the permissions of the files in this package are
- sensible. (Closes: Bug#288279) (Simon Horman)
- * [SECURITY] Fix vulnerability in the ELF loader code allowing
+ sensible. (closes: Bug#288279) (Simon Horman)
+ * 122_sec_brk-locked.diff
+ [SECURITY] Fix vulnerability in the ELF loader code allowing
local attacker to execute code as root; CAN-2004-1235. This is better
known as the "uselib() bug". (closes: #289202) (Maximilian Attems)
* 121_drm-locking-checks-1.diff, 121_drm-locking-checks-2.diff:
- [SECURITY] Fix insufficient locking checks in DRM code; CAN-2004-1056
- (Fabio M. Di Nitto, Dann Frazier, Simon Horman). (Closes: Bug#285563)
+ [SECURITY] Fix insufficient locking checks in DRM code; CAN-2004-1056
+ (Fabio M. Di Nitto, Dann Frazier, Simon Horman). (closes: Bug#285563)
* Turn a make conditional into a runtime conditional to allow debian/rules
- prune to work. closes: #289682 (Joshua Kwan)
- * Return -EACCES instead of -ESTALE to fix some NFS data loss bugs, already
- fixed in 2.6 but not in 2.4. closes: #288046 (Joshua Kwan)
+ prune to work. (closes: #289682) (Joshua Kwan)
+ * 123_nfs_verify_eacces.diff
+ Return -EACCES instead of -ESTALE to fix some NFS data loss bugs, already
+ fixed in 2.6 but not in 2.4. (closes: #288046) (Joshua Kwan)
+ * 124_random_poolsize_overflow.diff
+ [SECURITY] Fix integer overflow in random poolsize sysctl. (Simon Horman)
+ * 125_moxa_bound_checking.diff
+ [SECURITY] Fix bounds checking in moxa serial driver. (Simon Horman)
+ * 126_rlimit_memlock_dos.diff
+ [SECURITY] Fix RLIMIT_MEMLOCK local DoS (Simon Horman)
- -- Joshua Kwan <joshk@triplehelix.org> Tue, 11 Jan 2005 22:58:27 -0800
+ -- Simon Horman <horms@debian.org> Thu, 13 Jan 2005 15:24:48 +0900
+
kernel-source-2.4.27 (2.4.27-7) unstable; urgency=low
* 113-unix-serialization.diff:
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/124_random_poolsize_overflow.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/124_random_poolsize_overflow.diff 2005-01-13 07:37:34 UTC (rev 2288)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/124_random_poolsize_overflow.diff 2005-01-13 07:51:59 UTC (rev 2289)
@@ -0,0 +1,41 @@
+# origin: marcelo (BitKeeper)
+# cset: 1.1558 (2.4) key=41e2c4fetTJmVti-Xxql21xXjfbpag
+# inclusion: upstream
+# descrition: Brad Spengler: Fix random poolsize sysctl (from 2.6.10-ac)
+# revision date: Thu, 13 Jan 2005 15:14:00 +0900
+#
+# S rset: ChangeSet|1.1557..1.1558
+# I rset: drivers/char/random.c|1.20..1.21
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 16:10:06-02:00 marcelo@logos.cnet
+# Brad Spengler: Fix random poolsize sysctl (from 2.6.10-ac)
+#
+# drivers/char/random.c
+# 2005/01/10 16:07:55-02:00 marcelo@logos.cnet +1 -1
+# Brad Spengler: Fix random poolsize sysctl (from 2.6.10-ac)
+#
+#
+===== drivers/char/random.c 1.20 vs 1.21 =====
+--- 1.20/drivers/char/random.c 2004-08-10 08:09:10 +09:00
++++ 1.21/drivers/char/random.c 2005-01-11 03:07:55 +09:00
+@@ -1771,7 +1771,7 @@
+ static int proc_do_poolsize(ctl_table *table, int write, struct file *filp,
+ void *buffer, size_t *lenp)
+ {
+- int ret;
++ unsigned int ret;
+
+ sysctl_poolsize = random_state->poolinfo.POOLBYTES;
+
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/125_moxa_bound_checking.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/125_moxa_bound_checking.diff 2005-01-13 07:37:34 UTC (rev 2288)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/125_moxa_bound_checking.diff 2005-01-13 07:51:59 UTC (rev 2289)
@@ -0,0 +1,41 @@
+# origin: marcelo (BitKeeper)
+# cset: 1.1559 (2.4) key=41e2c5fb3htiRRycYu5I4skGWXcv5g
+# inclusion: upstream
+# descrition: Alan Cox: Fix moxa serial bound checking issue (from 2.6.10-ac)
+# revision date: Thu, 13 Jan 2005 15:16:21 +0900
+#
+# S rset: ChangeSet|1.1558..1.1559
+# I rset: drivers/char/moxa.c|1.8..1.9
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 16:14:19-02:00 marcelo@logos.cnet
+# Alan Cox: Fix moxa serial bound checking issue (from 2.6.10-ac)
+#
+# drivers/char/moxa.c
+# 2005/01/10 16:11:04-02:00 marcelo@logos.cnet +2 -0
+# Alan Cox: Fix moxa serial bound checking issue
+#
+#
+===== drivers/char/moxa.c 1.8 vs 1.9 =====
+--- 1.8/drivers/char/moxa.c 2004-12-17 00:14:38 +09:00
++++ 1.9/drivers/char/moxa.c 2005-01-11 03:11:04 +09:00
+@@ -905,6 +905,8 @@
+ case TIOCSSERIAL:
+ return (moxa_set_serial_info(ch, (struct serial_struct *) arg));
+ default:
++ if(!capable(CAP_SYS_RAWIO))
++ return -EPERM;
+ retval = MoxaDriverIoctl(cmd, arg, port);
+ }
+ return (retval);
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/126_rlimit_memlock_dos.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/126_rlimit_memlock_dos.diff 2005-01-13 07:37:34 UTC (rev 2288)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/126_rlimit_memlock_dos.diff 2005-01-13 07:51:59 UTC (rev 2289)
@@ -0,0 +1,48 @@
+# origin: marcelo (BitKeeper)
+# cset: 1.1560 (2.4) key=41e2ccd0OuVN0bKOhZvnda0zXqnTsA
+# inclusion: upstream
+# descrition: Brad Spengler: Fix RLIMIT_MEMLOCK issue
+# revision date: Thu, 13 Jan 2005 15:12:37 +0900
+#
+# S rset: ChangeSet|1.1559..1.1560
+# I rset: include/linux/mm.h|1.49..1.50
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 16:43:28-02:00 marcelo@logos.cnet
+# Brad Spengler: Fix RLIMIT_MEMLOCK issue
+#
+# include/linux/mm.h
+# 2005/01/10 16:41:47-02:00 marcelo@logos.cnet +8 -0
+# Brad Spengler: Fix RLIMIT_MEMLOCK issue
+# ,
+#
+#
+===== include/linux/mm.h 1.49 vs 1.50 =====
+--- 1.49/include/linux/mm.h 2005-01-07 20:14:01 +09:00
++++ 1.50/include/linux/mm.h 2005-01-11 03:41:47 +09:00
+@@ -660,6 +660,14 @@
+ spin_unlock(&vma->vm_mm->page_table_lock);
+ return -ENOMEM;
+ }
++
++ if ((vma->vm_flags & VM_LOCKED) &&
++ ((vma->vm_mm->locked_vm + grow) << PAGE_SHIFT) > current->rlim[RLIMIT_MEMLOCK].rlim_cur) {
++ spin_unlock(&vma->vm_mm->page_table_lock);
++ return -ENOMEM;
++ }
++
++
+ vma->vm_start = address;
+ vma->vm_pgoff -= grow;
+ vma->vm_mm->total_vm += grow;
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8 2005-01-13 07:37:34 UTC (rev 2288)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8 2005-01-13 07:51:59 UTC (rev 2289)
@@ -2,3 +2,7 @@
+ 121_drm-locking-checks-2.diff
+ 122_sec_brk-locked.diff
+ 123_nfs_verify_eacces.diff
++ 124_random_poolsize_overflow.diff
++ 125_moxa_bound_checking.diff
++ 126_rlimit_memlock_dos.diff
+