r2855 - trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches
Simon Horman
horms@costa.debian.org
Tue, 29 Mar 2005 10:07:13 +0000
Author: horms
Date: 2005-03-29 10:07:12 +0000 (Tue, 29 Mar 2005)
New Revision: 2855
Added:
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/drivers-input-serio-nmouse.patch
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-ext2-info-leak.patch
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-1.patch
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-2.patch
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-3.patch
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/net-bluetooth-signdness-fix.patch
Log:
* drivers-input-serio-nmouse.patch:
[Security] fix N_MOUSE TTY privilege problem. See CAN-2005-0839
(Simon Horman) (closes: #301372)
* net-bluetooth-signdness-fix.patch:
[Security] Fix signedness problem at socket creation in bluetooth
which can lead to a local root exploit. See CAN-2005-0750
(Simon Horman)
* fs-ext2-info-leak.patch:
[Security] Fix information leak in ext2 which leads to
a local information leak. See CAN-2005-0400
(Simon Horman)
* fs-isofs-range-check-1.patch, fs-isofs-range-check-2.patch,
fs-isofs-range-check-3.patch:
[Security] Fix range checking in isofs which leads to a local crash
and arbitrary code execution. See CAN-2005-0815
(Simon Horman)
Added: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/drivers-input-serio-nmouse.patch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/drivers-input-serio-nmouse.patch 2005-03-29 10:06:32 UTC (rev 2854)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/drivers-input-serio-nmouse.patch 2005-03-29 10:07:12 UTC (rev 2855)
@@ -0,0 +1,46 @@
+# origin: vojtech (BitKeeper)
+# cset: 1.1977.1.2 (2.6) key=41fa6464E1UuGu6zmketEYxm73KSyQ
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@41fa6464E1UuGu6zmketEYxm73KSyQ
+# inclusion: upstream
+# descrition: input: Only root should be able to set the N_MOUSE line discipline.
+# revision date: Mon, 28 Mar 2005 17:31:58 +0900
+#
+# S rset: ChangeSet|1.1977.1.1..1.1977.1.2
+# I rset: drivers/input/serio/serport.c|1.22..1.23
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/28 17:12:20+01:00 vojtech@suse.cz
+# input: Only root should be able to set the N_MOUSE line discipline.
+#
+# Signed-off-by: Vojtech Pavlik <vojtech@suse.cz>
+#
+# drivers/input/serio/serport.c
+# 2005/01/28 17:12:14+01:00 vojtech@suse.cz +3 -0
+# input: Only root should be able to set the N_MOUSE line discipline.
+#
+#
+===== drivers/input/serio/serport.c 1.22 vs 1.23 =====
+--- 1.22/drivers/input/serio/serport.c 2004-10-22 02:03:22 +09:00
++++ 1.23/drivers/input/serio/serport.c 2005-01-29 01:12:14 +09:00
+@@ -64,6 +64,9 @@ static int serport_ldisc_open(struct tty
+ struct serio *serio;
+ char name[64];
+
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
+ serport = kmalloc(sizeof(struct serport), GFP_KERNEL);
+ serio = kmalloc(sizeof(struct serio), GFP_KERNEL);
+ if (unlikely(!serport || !serio)) {
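Review bot: the capable(CAP_SYS_ADMIN) check is placed before the two kmalloc() calls, so the -EPERM return allocates nothing and leaks nothing; that ordering is correct and should be preserved if the function is reshuffled later. CAP_SYS_ADMIN is a coarse gate: it refuses every unprivileged caller who tries to attach the N_MOUSE discipline to a TTY they hold, which matches the stated intent ("only root"), but a one-line comment saying why the discipline is privileged would help the next reader. Minor: the generated header spells the key "descrition" in every patch in this commit; harmless, but it defeats a grep for "description".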
Added: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-ext2-info-leak.patch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-ext2-info-leak.patch 2005-03-29 10:06:32 UTC (rev 2854)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-ext2-info-leak.patch 2005-03-29 10:07:12 UTC (rev 2855)
@@ -0,0 +1,54 @@
+# origin: mlafon (BitKeeper)
+# cset: 1.1982.161.36 (2.6) key=4244bfc9vHVlT4nv2o4ys4_sf6vzKA
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@4244bfc9vHVlT4nv2o4ys4_sf6vzKA
+# inclusion: upstream
+# descrition: [PATCH] Suspected information leak (mem pages) in ext2
+# revision date: Mon, 28 Mar 2005 18:40:00 +0900
+#
+# S rset: ChangeSet|1.1982.161.35..1.1982.161.36
+# I rset: fs/ext2/dir.c|1.27..1.28
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/03/25 17:50:01-08:00 mlafon@arkoon.net
+# [PATCH] Suspected information leak (mem pages) in ext2
+#
+# From: "Mathieu Lafon" <mlafon@arkoon.net>
+#
+# I think I have discovered a potential security problem in ext2: when a
+# new directory is created, the ext2 block written to disk is not
+# initialized.
+#
+# Included is a proposed patch for Linux 2.6 (ext2_make_empty() function):
+#
+# CAN-2005-0400 is assigned to this issue.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+# fs/ext2/dir.c
+# 2005/03/16 10:17:01-08:00 mlafon@arkoon.net +1 -0
+# Suspected information leak (mem pages) in ext2
+#
+#
+===== fs/ext2/dir.c 1.27 vs 1.28 =====
+--- 1.27/fs/ext2/dir.c 2005-01-05 11:48:14 +09:00
++++ 1.28/fs/ext2/dir.c 2005-03-17 03:17:01 +09:00
+@@ -592,6 +592,7 @@ int ext2_make_empty(struct inode *inode,
+ goto fail;
+ }
+ kaddr = kmap_atomic(page, KM_USER0);
++ memset(kaddr, 0, chunk_size);
+ de = (struct ext2_dir_entry_2 *)kaddr;
+ de->name_len = 1;
+ de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
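Review bot: memset(kaddr, 0, chunk_size) runs right after kmap_atomic() and before the first entry's fields are written, so the slack beyond the "." and ".." entries no longer carries whatever the page held before it reaches disk; that is the correct place for it. Two follow-ups: chunk_size has to equal the mapped extent for the memset to be neither short nor overrunning, and that equality is established outside this hunk, so a brief comment tying the two together is worth adding; and the fix covers only ext2_make_empty(), while the commit message calls the leak "suspected", so it would be good to confirm that the path which hands a fresh block to an existing directory does not write uninitialised slack in the same way.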
Added: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-1.patch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-1.patch 2005-03-29 10:06:32 UTC (rev 2854)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-1.patch 2005-03-29 10:07:12 UTC (rev 2855)
@@ -0,0 +1,132 @@
+# origin: torvalds (BitKeeper)
+# cset: 1.1982.161.32 (2.6) key=4244be82bvD-_7wwLkYa0visB12aEw
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@4244be82bvD-_7wwLkYa0visB12aEw
+# inclusion: upstream
+# descrition: [PATCH] isofs: Handle corupted rock-ridge info slightly better
+# revision date: Mon, 28 Mar 2005 18:48:57 +0900
+#
+# S rset: ChangeSet|1.1982.161.31..1.1982.161.32
+# I rset: fs/isofs/rock.c|1.22..1.22.1.1
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/03/25 17:44:34-08:00 torvalds@osdl.org
+# [PATCH] isofs: Handle corupted rock-ridge info slightly better
+#
+# Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
+# iso9660 filesystem.
+#
+# http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
+#
+# CAN-2005-0815 is assigned to this issue.
+#
+# From: Linus Torvalds <torvalds@osdl.org>
+#
+# isofs: Handle corupted rock-ridge info slightly better.
+#
+# Keyword here being 'slightly'. The code is a mess.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+# fs/isofs/rock.c
+# 2005/03/25 15:25:50-08:00 torvalds@osdl.org +14 -7
+# isofs: Handle corupted rock-ridge info slightly better
+#
+#
+===== fs/isofs/rock.c 1.22 vs 1.22.1.1 =====
+--- 1.22/fs/isofs/rock.c 2004-09-10 17:47:00 +09:00
++++ 1.22.1.1/fs/isofs/rock.c 2005-03-26 08:25:50 +09:00
+@@ -53,6 +53,7 @@
+ if(LEN & 1) LEN++; \
+ CHR = ((unsigned char *) DE) + LEN; \
+ LEN = *((unsigned char *) DE) - LEN; \
++ if (LEN<0) LEN=0; \
+ if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1) \
+ { \
+ LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset; \
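Review bot: the clamp `if (LEN<0) LEN=0;` sits before the `LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset` subtraction on the next line, so LEN can go negative again immediately afterwards; the callers' `while (len > 2)` loops tolerate that, but a second clamp after the subtraction (or moving this one below it) would make the macro self-contained instead of relying on every consumer to re-check. The clamp also only works if LEN expands to a signed variable: with an unsigned caller variable the comparison is dead code and the original wrap-around comes back. A comment stating that LEN must be an int would guard against that.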
+@@ -103,12 +104,13 @@ int get_rock_ridge_filename(struct iso_d
+ struct rock_ridge * rr;
+ int sig;
+
+- while (len > 1){ /* There may be one byte for padding somewhere */
++ while (len > 2){ /* There may be one byte for padding somewhere */
+ rr = (struct rock_ridge *) chr;
+- if (rr->len == 0) goto out; /* Something got screwed up here */
++ if (rr->len < 3) goto out; /* Something got screwed up here */
+ sig = isonum_721(chr);
+ chr += rr->len;
+ len -= rr->len;
++ if (len < 0) goto out; /* corrupted isofs */
+
+ switch(sig){
+ case SIG('R','R'):
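Review bot: `if (len < 0) goto out;` after `len -= rr->len` is the important addition here, since it catches an entry whose declared length runs past the remaining buffer before the switch acts on it. The new thresholds (`len > 2`, `rr->len < 3`) only guarantee that the signature and length bytes are inside the buffer, so each signature case still has to compare `rr->len` against the size of its own payload before touching it; the NM case in the next hunk does this with `rr->len < 5`, and the RR case visible here plus the cases outside this hunk deserve the same look. A comment on the loop guard saying what the constants 2 and 3 stand for would keep them from looking arbitrary.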
+@@ -122,6 +124,7 @@ int get_rock_ridge_filename(struct iso_d
+ break;
+ case SIG('N','M'):
+ if (truncate) break;
++ if (rr->len < 5) break;
+ /*
+ * If the flags are 2 or 4, this indicates '.' or '..'.
+ * We don't want to do anything with this, because it
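Review bot: `if (rr->len < 5) break;` is the per-payload check that the loop guard above cannot provide: it ensures the NM flags byte lies inside the entry before the flag test that follows. Any name bytes this case goes on to use after the flags need a matching lower bound derived from `rr->len` as well, and a comment that 5 is header plus flags would document the number. Placing the check after `if (truncate) break;` is fine, since both simply skip the entry.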
+@@ -186,12 +189,13 @@ parse_rock_ridge_inode_internal(struct i
+ struct rock_ridge * rr;
+ int rootflag;
+
+- while (len > 1){ /* There may be one byte for padding somewhere */
++ while (len > 2){ /* There may be one byte for padding somewhere */
+ rr = (struct rock_ridge *) chr;
+- if (rr->len == 0) goto out; /* Something got screwed up here */
++ if (rr->len < 3) goto out; /* Something got screwed up here */
+ sig = isonum_721(chr);
+ chr += rr->len;
+ len -= rr->len;
++ if (len < 0) goto out; /* corrupted isofs */
+
+ switch(sig){
+ #ifndef CONFIG_ZISOFS /* No flag for SF or ZF */
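Review bot: this is the second verbatim copy of the loop guard (the third is in rock_ridge_symlink_readpage further down), and the fix had to be applied to each copy separately. Factoring the "fetch next entry, validate rr->len against len" step into one helper would ensure the next corruption case is fixed once; the commit message's own verdict ("The code is a mess") argues for that. The logic here does match the first copy line for line, which is what a reviewer wants to see when a fix is duplicated.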
+@@ -462,7 +466,7 @@ static int rock_ridge_symlink_readpage(s
+ struct rock_ridge *rr;
+
+ if (!ISOFS_SB(inode->i_sb)->s_rock)
+- panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
++ goto error;
+
+ block = ei->i_iget5_block;
+ lock_kernel();
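Review bot: replacing panic() with `goto error` turns a condition a crafted image can trigger (a symlink on an image without Rock Ridge) into a failed page read instead of a halted kernel, which is the right direction. The target is the `error:` label added in the last hunk of this patch, placed after brelse(bh) and unlock_kernel(); that is only correct because this goto is taken before lock_kernel() on the next line and before bh has been read. A comment at the goto, or at the label, stating that it must only be reached with no lock and no buffer head held would stop someone reusing it from later in the function.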
+@@ -487,13 +491,15 @@ static int rock_ridge_symlink_readpage(s
+ SETUP_ROCK_RIDGE(raw_inode, chr, len);
+
+ repeat:
+- while (len > 1) { /* There may be one byte for padding somewhere */
++ while (len > 2) { /* There may be one byte for padding somewhere */
+ rr = (struct rock_ridge *) chr;
+- if (rr->len == 0)
++ if (rr->len < 3)
+ goto out; /* Something got screwed up here */
+ sig = isonum_721(chr);
+ chr += rr->len;
+ len -= rr->len;
++ if (len < 0)
++ goto out; /* corrupted isofs */
+
+ switch (sig) {
+ case SIG('R', 'R'):
+@@ -543,6 +549,7 @@ static int rock_ridge_symlink_readpage(s
+ fail:
+ brelse(bh);
+ unlock_kernel();
++ error:
+ SetPageError(page);
+ kunmap(page);
+ unlock_page(page);
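Review bot: the `error:` label lands between unlock_kernel() and SetPageError(page), so the existing fail path and the new early exit share the page cleanup while only the former releases the buffer head and the kernel lock. That is consistent with the single `goto error` introduced earlier in this patch, but the label's position encodes an invariant (nothing locked, no bh held) that the code does not enforce; a short comment here would make a misuse from later in the function obvious in review.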
Added: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-2.patch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-2.patch 2005-03-29 10:06:32 UTC (rev 2854)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-2.patch 2005-03-29 10:07:12 UTC (rev 2855)
@@ -0,0 +1,59 @@
+# origin: chrisw (BitKeeper)
+# cset: 1.1982.161.34 (2.6) key=4244bedbODYVU4s1YAGRvZSt28TAgA
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@4244bedbODYVU4s1YAGRvZSt28TAgA
+# inclusion: upstream
+# descrition: [PATCH] isofs: more defensive checks against corrupt isofs images
+# revision date: Mon, 28 Mar 2005 18:49:17 +0900
+#
+# S rset: ChangeSet|1.1982.161.33..1.1982.161.34
+# I rset: fs/isofs/rock.c|1.22.1.1..1.22.1.2
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/03/25 17:46:03-08:00 chrisw@osdl.org
+# [PATCH] isofs: more defensive checks against corrupt isofs images
+#
+# Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
+# iso9660 filesystem.
+#
+# http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
+#
+# CAN-2005-0815 is assigned to this issue.
+#
+# Some more defensive checks to keep corrupt isofs images from corrupting
+# memory or causing Oops.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+# ===== fs/isofs/rock.c 1.23 vs edited =====
+#
+# fs/isofs/rock.c
+# 2005/03/24 00:41:31-08:00 chrisw@osdl.org +4 -0
+# isofs: more defensive checks against corrupt isofs images
+#
+#
+===== fs/isofs/rock.c 1.22.1.1 vs 1.22.1.2 =====
+--- 1.22.1.1/fs/isofs/rock.c 2005-03-26 08:25:50 +09:00
++++ 1.22.1.2/fs/isofs/rock.c 2005-03-24 17:41:31 +09:00
+@@ -74,6 +74,10 @@
+ offset1 = 0; \
+ pbh = sb_bread(DEV->i_sb, block); \
+ if(pbh){ \
++ if (offset > pbh->b_size || offset + cont_size > pbh->b_size){ \
++ brelse(pbh); \
++ goto out; \
++ } \
+ memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
+ brelse(pbh); \
+ chr = (unsigned char *) buffer; \
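Review bot: the new bounds test guards the memcpy from pbh->b_data against `offset` and `cont_size` taken from the image, which is the memory corruption and Oops case the commit message names. It is stricter than the copy strictly needs (the copy reads cont_size - offset1 bytes and offset1 is 0 on the line above), so it is conservative rather than wrong. Two things to verify: that `offset + cont_size` cannot wrap before the comparison given the types of those two fields, since a wrapped sum passes the test; and that the `out:` label in every function that expands this macro releases `buffer`, because this `goto out` leaves the macro after buffer has been set up but before chr is pointed at it. The first clause `offset > pbh->b_size` is implied by the second unless wrapping occurs, which is presumably why both are kept; say so in a comment.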
Added: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-3.patch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-3.patch 2005-03-29 10:06:32 UTC (rev 2854)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-isofs-range-check-3.patch 2005-03-29 10:07:12 UTC (rev 2855)
@@ -0,0 +1,57 @@
+# origin: torvalds (BitKeeper)
+# cset: 1.2199.1.21 (2.6) key=4239dad1BWUxd4WEx388lwZCb05Q0Q
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@4239dad1BWUxd4WEx388lwZCb05Q0Q
+# inclusion: upstream
+# descrition: isofs: more "corrupted iso image" error cases
+# revision date: Mon, 28 Mar 2005 18:47:06 +0900
+#
+# S rset: ChangeSet|1.2199.1.20..1.2199.1.21
+# I rset: fs/isofs/inode.c|1.47..1.48
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/03/17 11:30:25-08:00 torvalds@ppc970.osdl.org
+# isofs: more "corrupted iso image" error cases
+#
+# Thanks to Michal Zalewski for testing.
+#
+# fs/isofs/inode.c
+# 2005/03/17 11:30:15-08:00 torvalds@ppc970.osdl.org +5 -0
+# isofs: more "corrupted iso image" error cases
+#
+# Thanks to Michal Zalewski for testing.
+#
+#
+===== fs/isofs/inode.c 1.47 vs 1.48 =====
+--- 1.47/fs/isofs/inode.c 2004-08-24 18:08:57 +09:00
++++ 1.48/fs/isofs/inode.c 2005-03-18 04:30:15 +09:00
+@@ -685,6 +685,8 @@ root_found:
+ sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
+ sbi->s_max_size = isonum_733(h_pri->volume_space_size);
+ } else {
++ if (!pri)
++ goto out_freebh;
+ rootp = (struct iso_directory_record *) pri->root_directory_record;
+ sbi->s_nzones = isonum_733 (pri->volume_space_size);
+ sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
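Review bot: the NULL check on `pri` before `pri->root_directory_record` is dereferenced closes a plain NULL dereference in the else branch (an image that supplies no primary descriptor). Given the commit title "more corrupted iso image error cases", it would be consistent to print a "corrupted iso image" style message before `goto out_freebh`, so an administrator mounting a bad image sees why the mount failed rather than a bare error return; it also makes the event visible in the kernel log for anyone watching for hostile media.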
+@@ -1394,6 +1396,9 @@ struct inode *isofs_iget(struct super_bl
+ unsigned long hashval;
+ struct inode *inode;
+ struct isofs_iget5_callback_data data;
++
++ if (offset >= 1ul << sb->s_blocksize_bits)
++ return NULL;
+
+ data.block = block;
+ data.offset = offset;
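Review bot: the `offset >= 1ul << sb->s_blocksize_bits` test rejects an in-block offset that would point past the end of the block the inode lookup reads, which is the remaining range case in this file; shifting `1ul` rather than `1` gives the comparison the right width. Returning NULL from isofs_iget() means every caller must handle a NULL result, so that is worth grepping for rather than assuming. A comment naming the bound (offset must lie inside one logical block) would help, and note the hunk adds a blank line before the check and keeps the existing one after it, which reads fine.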
Added: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/net-bluetooth-signdness-fix.patch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/net-bluetooth-signdness-fix.patch 2005-03-29 10:06:32 UTC (rev 2854)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/net-bluetooth-signdness-fix.patch 2005-03-29 10:07:12 UTC (rev 2855)
@@ -0,0 +1,66 @@
+# origin: marcel (BitKeeper)
+# cset: 1.2199.13.4 (2.6) key=42434cb6P-Rg7wMdQU1Avi76lj14Zg
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@42434cb6P-Rg7wMdQU1Avi76lj14Zg
+# inclusion: upstream
+# descrition: [Bluetooth] Fix signedness problem at socket creation
+# revision date: Mon, 28 Mar 2005 18:31:41 +0900
+#
+# S rset: ChangeSet|1.2199.13.3..1.2199.13.4
+# I rset: net/bluetooth/af_bluetooth.c|1.40..1.41
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/03/25 00:26:46+01:00 marcel@holtmann.org
+# [Bluetooth] Fix signedness problem at socket creation
+#
+# This patch fixes a small signedness problem when creating the
+# socket.
+#
+# Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+#
+# net/bluetooth/af_bluetooth.c
+# 2005/03/25 00:23:06+01:00 marcel@holtmann.org +3 -3
+# Fix signedness problem at socket creation
+#
+#
+===== net/bluetooth/af_bluetooth.c 1.40 vs 1.41 =====
+--- 1.40/net/bluetooth/af_bluetooth.c 2005-03-18 23:07:22 +09:00
++++ 1.41/net/bluetooth/af_bluetooth.c 2005-03-25 08:23:06 +09:00
+@@ -62,7 +62,7 @@ static struct net_proto_family *bt_proto
+
+ int bt_sock_register(int proto, struct net_proto_family *ops)
+ {
+- if (proto >= BT_MAX_PROTO)
++ if (proto < 0 || proto >= BT_MAX_PROTO)
+ return -EINVAL;
+
+ if (bt_proto[proto])
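Review bot: `proto < 0 ||` is needed because `bt_proto[proto]` on the next line indexes with a signed int, and the old `proto >= BT_MAX_PROTO` test let a negative value through to index in front of the array. Declaring `proto` unsigned, or casting it in the comparison, would have closed this in one place instead of three; if the int signature is kept for API reasons, a comment on why both bounds are checked helps the next reader and keeps someone from "simplifying" it back.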
+@@ -75,7 +75,7 @@ EXPORT_SYMBOL(bt_sock_register);
+
+ int bt_sock_unregister(int proto)
+ {
+- if (proto >= BT_MAX_PROTO)
++ if (proto < 0 || proto >= BT_MAX_PROTO)
+ return -EINVAL;
+
+ if (!bt_proto[proto])
+@@ -90,7 +90,7 @@ static int bt_sock_create(struct socket
+ {
+ int err = 0;
+
+- if (proto >= BT_MAX_PROTO)
++ if (proto < 0 || proto >= BT_MAX_PROTO)
+ return -EINVAL;
+
+ #if defined(CONFIG_KMOD)
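Review bot: of the three call sites, this is the one that matters for the local root exploit cited in the commit log under CAN-2005-0750: `proto` in bt_sock_create() is the protocol argument of an unprivileged socket() call, so the negative-index path was reachable by any local user, whereas the register and unregister functions take values from in-kernel callers. The fix is the same two-sided check as above, which is correct, and the CONFIG_KMOD block that follows now only ever sees a validated value.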