r2702 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Andres Salomon dilinger-guest@costa.debian.org
Mon, 14 Mar 2005 10:56:37 +0100 

Author: dilinger-guest
Date: 2005-03-14 10:56:36 +0100 (Mon, 14 Mar 2005)
New Revision: 2702

Added:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/109-binfmt_elf_loader_solar_designer_fixes.dpatch
Modified:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14
Log:
  * [SECURITY] 109-binfmt_elf_loader_solar_designer_fixes.dpatch
    Fix from Solar Designer; the binfmt_elf load routines are returning
    incorrect values, and are not strict enough in checking the number of
    program headers (Andres Salomon).


Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-03-14 09:21:29 UTC (rev 2701)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-03-14 09:56:36 UTC (rev 2702)
@@ -76,6 +76,11 @@
   * nls-table-overflow.dpatch: [CAN-2005-0177] NLS ASCII table should be 256
     entries, not 128! (Joshua Kwan)
 
+  * [SECURITY] 109-binfmt_elf_loader_solar_designer_fixes.dpatch
+    Fix from Solar Designer; the binfmt_elf load routines are returning
+    incorrect values, and are not strict enough in checking the number of
+    program headers (Andres Salomon).
+
  -- Joshua Kwan <joshk@triplehelix.org>  Mon, 14 Mar 2005 00:03:12 -0800
 
 kernel-source-2.6.8 (2.6.8-13) unstable; urgency=high

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/109-binfmt_elf_loader_solar_designer_fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/109-binfmt_elf_loader_solar_designer_fixes.dpatch	2005-03-14 09:21:29 UTC (rev 2701)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/109-binfmt_elf_loader_solar_designer_fixes.dpatch	2005-03-14 09:56:36 UTC (rev 2702)
@@ -0,0 +1,101 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] binfmt_elf fix return error codes and early corrupt binary detection
+## DP: Patch author: marcelo.tosatti@cyclades.com
+## DP: Upstream status: backport
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/01/11 19:18:34-08:00 marcelo.tosatti@cyclades.com 
+#   [PATCH] binfmt_elf fix return error codes and early corrupt binary detection
+#   
+#   With Solar Designer <solar@openwall.com>
+#   
+#   The following patch changes the following on ELF parsing/loading code
+#   (fs/binfmt_elf):
+#   
+#   - Stronger validity checks on ELF files:
+#           treat e_phnum (program header count) < 1 as invalid
+#           treat p_filesz (file size) < 2 invalid on program header interp. case
+#    - Saner return error codes
+#    - Make sure SIGKILL is delivered on error handling
+#   
+#   
+#   Signed-off-by: Andrew Morton <akpm@osdl.org>
+#   Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+# 
+# fs/binfmt_elf.c
+#   2005/01/11 16:42:58-08:00 marcelo.tosatti@cyclades.com +13 -8
+#   binfmt_elf fix return error codes and early corrupt binary detection
+# 
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c	2005-02-14 04:59:06 -08:00
++++ b/fs/binfmt_elf.c	2005-02-14 04:59:06 -08:00
+@@ -322,7 +322,8 @@
+ 	 */
+ 	if (interp_elf_ex->e_phentsize != sizeof(struct elf_phdr))
+ 		goto out;
+-	if (interp_elf_ex->e_phnum > 65536U / sizeof(struct elf_phdr))
++	if (interp_elf_ex->e_phnum < 1 ||
++		interp_elf_ex->e_phnum > 65536U / sizeof(struct elf_phdr))
+ 		goto out;
+ 
+ 	/* Now read in all of the header information */
+@@ -524,12 +525,13 @@
+ 
+ 	/* Now read in all of the header information */
+ 
+-	retval = -ENOMEM;
+ 	if (elf_ex.e_phentsize != sizeof(struct elf_phdr))
+ 		goto out;
+-	if (elf_ex.e_phnum > 65536U / sizeof(struct elf_phdr))
++	if (elf_ex.e_phnum < 1 ||
++	 	elf_ex.e_phnum > 65536U / sizeof(struct elf_phdr))
+ 		goto out;
+ 	size = elf_ex.e_phnum * sizeof(struct elf_phdr);
++	retval = -ENOMEM;
+ 	elf_phdata = (struct elf_phdr *) kmalloc(size, GFP_KERNEL);
+ 	if (!elf_phdata)
+ 		goto out;
+@@ -575,10 +577,12 @@
+ 			 * is an a.out format binary
+ 			 */
+ 
+-			retval = -ENOMEM;
++			retval = -ENOEXEC;
+ 			if (elf_ppnt->p_filesz > PATH_MAX || 
+-			    elf_ppnt->p_filesz == 0)
++			    elf_ppnt->p_filesz < 2)
+ 				goto out_free_file;
++
++			retval = -ENOMEM;
+ 			elf_interpreter = (char *) kmalloc(elf_ppnt->p_filesz,
+ 							   GFP_KERNEL);
+ 			if (!elf_interpreter)
+@@ -593,7 +597,7 @@
+ 				goto out_free_interp;
+ 			}
+ 			/* make sure path is NULL terminated */
+-			retval = -EINVAL;
++			retval = -ENOEXEC;
+ 			if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
+ 				goto out_free_interp;
+ 
+@@ -868,8 +872,9 @@
+ 						    interpreter,
+ 						    &interp_load_addr);
+ 		if (BAD_ADDR(elf_entry)) {
+-			printk(KERN_ERR "Unable to load interpreter\n");
+-			send_sig(SIGSEGV, current, 0);
++			printk(KERN_ERR "Unable to load interpreter %.128s\n",
++				elf_interpreter);
++			force_sig(SIGSEGV, current);
+ 			retval = -ENOEXEC; /* Nobody gets to see this, but.. */
+ 			goto out_free_dentry;
+ 		}

Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14	2005-03-14 09:21:29 UTC (rev 2701)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14	2005-03-14 09:56:36 UTC (rev 2702)
@@ -22,3 +22,4 @@
 + fs-eventpoll-overflow-fix.dpatch
 + nfs-O_DIRECT-fix.dpatch
 + sparc-sunsab-serial-lockup.dpatch
++ 109-binfmt_elf_loader_solar_designer_fixes.dpatch