r2295 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
maks andries
maks-guest@costa.debian.org
Thu, 13 Jan 2005 17:45:05 +0100
Author: maks-guest
Date: 2005-01-13 17:45:04 +0100 (Thu, 13 Jan 2005)
New Revision: 2295
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/127_fs_coda_coverty.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/128_net_fose_coverty.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/129_net_sdla_coverty.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/130_fs_xfs_coverty.diff
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
Log:
Add fixes for the bugs reported by Coverity.
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-13 16:41:20 UTC (rev 2294)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-13 16:45:04 UTC (rev 2295)
@@ -21,6 +21,17 @@
[SECURITY] Fix bounds checking in moxa serial driver. (Simon Horman)
* 126_rlimit_memlock_dos.diff
[SECURITY] Fix RLIMIT_MEMLOCK local DoS (Simon Horman)
+ * 127_fs_coda_coverty.diff
+ [SECURITY] Untrusted user data in kernel. (Maxmilian Attems)
+ * 128_net_fose_coverty.diff
+ [SECURITY] Fix Coverity reported lack of bounds checking rose_rt_ioctl.
+ (Maximilian Attems)
+ * 129_net_sdla_coverty.diff
+ [SECURITY] Fix sdla_xfer lack of bounds checking, reported by Coverity.
+ (Maximilian Attems)
+ * 130_fs_xfs_coverty.diff
+ [SECURITY] Fix xfs_attrmulti_by_handle lack of bounds checking, reported
+ by Coverity. (Maximilian Attems)
-- Simon Horman <horms@debian.org> Thu, 13 Jan 2005 15:24:48 +0900
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/127_fs_coda_coverty.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/127_fs_coda_coverty.diff 2005-01-13 16:41:20 UTC (rev 2294)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/127_fs_coda_coverty.diff 2005-01-13 16:45:04 UTC (rev 2295)
@@ -0,0 +1,98 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 15:35:04-02:00 jaharkes@cs.cmu.edu
+# [PATCH] Fix Coda bugs found by Coverity checker
+#
+# This patch adds bounds checking for tainted scalars.
+# (reported by Brian Fulton and Ted Unangst, Coverity Inc.)
+#
+# Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
+#
+# Index: linux-2.4.29-pre3-bk4/include/linux/coda.h
+# ===================================================================
+#
+# fs/coda/upcall.c
+# 2005/01/06 18:36:25-02:00 jaharkes@cs.cmu.edu +25 -16
+# fs/coda Re: [Coverity] Untrusted user data in kernel
+#
+# include/linux/coda.h
+# 2005/01/06 12:12:40-02:00 jaharkes@cs.cmu.edu +2 -2
+# fs/coda Re: [Coverity] Untrusted user data in kernel
+#
+diff -Nru a/fs/coda/upcall.c b/fs/coda/upcall.c
+--- a/fs/coda/upcall.c 2005-01-13 08:32:57 -08:00
++++ b/fs/coda/upcall.c 2005-01-13 08:32:57 -08:00
+@@ -543,6 +543,11 @@
+ goto exit;
+ }
+
++ if (data->vi.out_size > VC_MAXDATASIZE) {
++ error = -EINVAL;
++ goto exit;
++ }
++
+ inp->coda_ioctl.VFid = *fid;
+
+ /* the cmd field was mutated by increasing its size field to
+@@ -571,26 +576,30 @@
+ error, coda_f2s(fid));
+ goto exit;
+ }
+-
+- /* Copy out the OUT buffer. */
++
++ if (outsize < (long)outp->coda_ioctl.data + outp->coda_ioctl.len) {
++ CDEBUG(D_FILE, "reply size %d < reply len %ld\n", outsize,
++ (long)outp->coda_ioctl.data + outp->coda_ioctl.len);
++ error = -EINVAL;
++ goto exit;
++ }
++
+ if (outp->coda_ioctl.len > data->vi.out_size) {
+- CDEBUG(D_FILE, "return len %d <= request len %d\n",
+- outp->coda_ioctl.len,
+- data->vi.out_size);
++ CDEBUG(D_FILE, "return len %d > request len %d\n",
++ outp->coda_ioctl.len, data->vi.out_size);
+ error = -EINVAL;
+- } else {
+- error = verify_area(VERIFY_WRITE, data->vi.out,
+- data->vi.out_size);
+- if ( error ) goto exit;
+-
+- if (copy_to_user(data->vi.out,
+- (char *)outp + (long)outp->coda_ioctl.data,
+- data->vi.out_size)) {
+- error = -EINVAL;
+- goto exit;
+- }
++ goto exit;
+ }
+
++ /* Copy out the OUT buffer. */
++ error = verify_area(VERIFY_WRITE, data->vi.out, outp->coda_ioctl.len);
++ if ( error ) goto exit;
++
++ if (copy_to_user(data->vi.out,
++ (char *)outp + (long)outp->coda_ioctl.data,
++ outp->coda_ioctl.len)) {
++ error = -EINVAL;
++ }
+ exit:
+ CODA_FREE(inp, insize);
+ return error;
+diff -Nru a/include/linux/coda.h b/include/linux/coda.h
+--- a/include/linux/coda.h 2005-01-13 08:32:57 -08:00
++++ b/include/linux/coda.h 2005-01-13 08:32:57 -08:00
+@@ -767,8 +767,8 @@
+ #define PIOCPARM_MASK 0x0000ffff
+ struct ViceIoctl {
+ caddr_t in, out; /* Data to be transferred in, or out */
+- short in_size; /* Size of input buffer <= 2K */
+- short out_size; /* Maximum size of output buffer, <= 2K */
++ u_short in_size; /* Size of input buffer <= 2K */
++ u_short out_size; /* Maximum size of output buffer, <= 2K */
+ };
+
+ struct PioctlData {
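Review bot: The new reply check in the second fs/coda/upcall.c hunk bounds `(long)outp->coda_ioctl.data + outp->coda_ioctl.len` only from above, so a data offset that is negative after the cast, or a sum that wraps, still passes, and `copy_to_user` then reads from `(char *)outp + (long)outp->coda_ioctl.data` outside the reply buffer. The reply is presumably filled in by the userspace cache manager, so the offset should be validated on its own before the sum is formed, e.g. `if ((long)outp->coda_ioctl.data < 0 || (long)outp->coda_ioctl.data > outsize) { error = -EINVAL; goto exit; }`, with `len` then compared against `outsize` minus the offset. The declarations of `data`, `len` and `outsize` are not visible here, so the signedness needs confirming. A failed `copy_to_user` is also reported as `-EINVAL` where `-EFAULT` is the usual code. The function starts and ends outside these hunks.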
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/128_net_fose_coverty.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/128_net_fose_coverty.diff 2005-01-13 16:41:20 UTC (rev 2294)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/128_net_fose_coverty.diff 2005-01-13 16:45:04 UTC (rev 2295)
@@ -0,0 +1,23 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 16:54:09-02:00 marcelo@logos.cnet
+# Alan Cox: rose_rt_ioctl lack of bounds checking, reported by Coverity (from 2.6.10-ac)
+#
+# net/rose/rose_route.c
+# 2005/01/10 16:53:19-02:00 marcelo@logos.cnet +3 -0
+# Alan Cox: Fix Coverity reported lack of bounds checking
+#
+diff -Nru a/net/rose/rose_route.c b/net/rose/rose_route.c
+--- a/net/rose/rose_route.c 2005-01-13 08:39:30 -08:00
++++ b/net/rose/rose_route.c 2005-01-13 08:39:30 -08:00
+@@ -655,6 +655,9 @@
+ if (rose_route.mask > 10) /* Mask can't be more than 10 digits */
+ return -EINVAL;
+
++ if(rose_route.ndigis > 8) /* No more than 8 digipeats */
++ return -EINVAL;
++
+ err = rose_add_node(&rose_route, dev);
+ dev_put(dev);
+ return err;
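Review bot: The added `return -EINVAL` for `rose_route.ndigis > 8` leaves before the `dev_put(dev)` that follows `rose_add_node()`, so if `dev` was obtained with a reference earlier in this ioctl case (outside the hunk), the rejection path leaks that reference. The existing `mask > 10` check just above has the same shape. Release the device first: `if (rose_route.ndigis > 8) { dev_put(dev); return -EINVAL; }`. The literal 8 would also be better written as the named constant that sizes the digipeater array (AX25_MAX_DIGIS, if that is what the struct uses), so the check cannot drift from the array size.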
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/129_net_sdla_coverty.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/129_net_sdla_coverty.diff 2005-01-13 16:41:20 UTC (rev 2294)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/129_net_sdla_coverty.diff 2005-01-13 16:45:04 UTC (rev 2295)
@@ -0,0 +1,23 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 16:57:46-02:00 marcelo@logos.cnet
+# Alan Cox: sdla_xfer lack of bounds checking, reported by Coverity (from 2.6.10-ac)
+#
+# drivers/net/wan/sdla.c
+# 2005/01/10 16:56:45-02:00 marcelo@logos.cnet +2 -0
+# Alan Cox: sdla_xfer lack of bounds checking, reported by Coverity (from 2.6.10-ac)
+# ,.
+#
+diff -Nru a/drivers/net/wan/sdla.c b/drivers/net/wan/sdla.c
+--- a/drivers/net/wan/sdla.c 2005-01-13 08:41:42 -08:00
++++ b/drivers/net/wan/sdla.c 2005-01-13 08:41:42 -08:00
+@@ -1300,6 +1300,8 @@
+
+ case SDLA_WRITEMEM:
+ case SDLA_READMEM:
++ if(!capable(CAP_SYS_RAWIO))
++ return -EPERM;
+ return(sdla_xfer(dev, (struct sdla_mem *)ifr->ifr_data, cmd == SDLA_READMEM));
+
+ case SDLA_START:
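Review bot: The added `capable(CAP_SYS_RAWIO)` test in the `SDLA_WRITEMEM`/`SDLA_READMEM` case restricts who may reach `sdla_xfer()` but adds no bounds check, although the changeset text and the Debian changelog entry both describe this as a bounds-checking fix. Whether `sdla_xfer()` validates the address and length in the user-supplied `struct sdla_mem` is not visible in this hunk and should be confirmed separately. I would add a comment above the test such as `/* raw adapter memory access: privileged callers only; addr/len in sdla_mem are not range-checked here */`. The switch statement starts and ends outside the hunk.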
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/130_fs_xfs_coverty.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/130_fs_xfs_coverty.diff 2005-01-13 16:41:20 UTC (rev 2294)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/130_fs_xfs_coverty.diff 2005-01-13 16:45:04 UTC (rev 2295)
@@ -0,0 +1,25 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 17:02:11-02:00 marcelo@logos.cnet
+# Alan Cox: xfs_attrmulti_by_handle lack of bounds checking, reported by Coverity (from 2.6.10-ac)
+#
+# fs/xfs/linux-2.4/xfs_ioctl.c
+# 2005/01/10 17:01:35-02:00 marcelo@logos.cnet +5 -0
+# Alan Cox: xfs_attrmulti_by_handle lack of bounds checking, reported by Coverity (from 2.6.10-ac)
+#
+diff -Nru a/fs/xfs/linux-2.4/xfs_ioctl.c b/fs/xfs/linux-2.4/xfs_ioctl.c
+--- a/fs/xfs/linux-2.4/xfs_ioctl.c 2005-01-13 08:45:27 -08:00
++++ b/fs/xfs/linux-2.4/xfs_ioctl.c 2005-01-13 08:45:27 -08:00
+@@ -514,6 +514,11 @@
+ if (error)
+ return -error;
+
++ if(am_hreq.opcount > 1024) {
++ VN_RELE(vp);
++ return -XFS_ERROR(ENOMEM);
++ }
++
+ size = am_hreq.opcount * sizeof(attr_multiop_t);
+ ops = (xfs_attr_multiop_t *)kmalloc(size, GFP_KERNEL);
+ if (!ops) {
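Review bot: The new cap on `am_hreq.opcount` reports a rejected argument as `ENOMEM`, which a caller cannot tell apart from the real `kmalloc` failure handled just below; `return -XFS_ERROR(EINVAL);` describes the condition more accurately. The check is also one-sided: if `opcount` is declared signed (its declaration is outside the hunk), a negative count passes and the multiplication into `size` produces a very large request. The limit 1024 deserves a named constant with a comment saying what it bounds, e.g. `/* cap the attr ops per call so that size cannot overflow or request an oversized kmalloc */`. The function continues past the end of the hunk.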
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8 2005-01-13 16:41:20 UTC (rev 2294)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8 2005-01-13 16:45:04 UTC (rev 2295)
@@ -5,4 +5,8 @@
+ 124_random_poolsize_overflow.diff
+ 125_moxa_bound_checking.diff
+ 126_rlimit_memlock_dos.diff
++ 127_fs_coda_coverty.diff
++ 128_net_fose_coverty.diff
++ 129_net_sdla_coverty.diff
++ 130_fs_xfs_coverty.diff