r2859 - in trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian: . patches patches/series
Simon Horman
horms@costa.debian.org
Wed, 30 Mar 2005 08:55:58 +0000
Author: horms
Date: 2005-03-30 08:55:57 +0000 (Wed, 30 Mar 2005)
New Revision: 2859
Added:
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-binfmt_elf-dos.patch
Modified:
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-2
Log:
Potential DOS in load_elf_library. No CAN number available at this time.
Modified: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog 2005-03-30 06:10:06 UTC (rev 2858)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog 2005-03-30 08:55:57 UTC (rev 2859)
@@ -29,8 +29,13 @@
and arbitary code execution. See CAN-2005-0815
(Simon Horman)
- -- Simon Horman <horms@debian.org> Tue, 29 Mar 2005 18:39:45 +0900
+ * fs-binfmt_elf-dos.patch:
+ Potential DOS in load_elf_library.
+ No CAN number available at this time.
+ (Simon Horman)
+ -- Simon Horman <horms@debian.org> Wed, 30 Mar 2005 17:55:02 +0900
+
kernel-source-2.6.11 (2.6.11-1) unstable; urgency=low
* Initial 2.6.11 kernel-source creation (Sven Luther)
Added: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-binfmt_elf-dos.patch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-binfmt_elf-dos.patch 2005-03-30 06:10:06 UTC (rev 2858)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/fs-binfmt_elf-dos.patch 2005-03-30 08:55:57 UTC (rev 2859)
@@ -0,0 +1,113 @@
+# origin: akpm (BitKeeper)
+# cset: 1.1982.163.37 (2.6) key=4244bffczprEXYXBhd4oTqo8WoMTGQ
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@4244bffczprEXYXBhd4oTqo8WoMTGQ
+# inclusion: upstream
+# descrition: [PATCH] Potential DOS in load_elf_library
+# revision date: Wed, 30 Mar 2005 17:50:26 +0900
+#
+# S rset: ChangeSet|1.1982.163.36..1.1982.163.37
+# I rset: fs/binfmt_elf.c|1.103..1.103.2.1
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/03/25 17:50:52-08:00 akpm@osdl.org
+# [PATCH] Potential DOS in load_elf_library
+#
+# From: Herbert Xu <herbert@gondor.apana.org.au>
+#
+# Yichen Xie <yxie@cs.stanford.edu> points out that load_elf_library can
+# modify `elf_phdata' before freeing it.
+#
+# CAN-2005-0749 is assigned to this issue.
+#
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+# fs/binfmt_elf.c
+# 2005/03/20 16:56:41-08:00 akpm@osdl.org +17 -13
+# Potential DOS in load_elf_library
+#
+#
+===== fs/binfmt_elf.c 1.103 vs 1.103.2.1 =====
+--- 1.103/fs/binfmt_elf.c 2005-02-26 06:17:34 +09:00
++++ 1.103.2.1/fs/binfmt_elf.c 2005-03-21 09:56:41 +09:00
+@@ -1008,6 +1008,7 @@ out_free_ph:
+ static int load_elf_library(struct file *file)
+ {
+ struct elf_phdr *elf_phdata;
++ struct elf_phdr *eppnt;
+ unsigned long elf_bss, bss, len;
+ int retval, error, i, j;
+ struct elfhdr elf_ex;
+@@ -1031,44 +1032,47 @@ static int load_elf_library(struct file
+ /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
+
+ error = -ENOMEM;
+- elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
++ elf_phdata = kmalloc(j, GFP_KERNEL);
+ if (!elf_phdata)
+ goto out;
+
++ eppnt = elf_phdata;
+ error = -ENOEXEC;
+- retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
++ retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
+ if (retval != j)
+ goto out_free_ph;
+
+ for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
+- if ((elf_phdata + i)->p_type == PT_LOAD) j++;
++ if ((eppnt + i)->p_type == PT_LOAD)
++ j++;
+ if (j != 1)
+ goto out_free_ph;
+
+- while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
++ while (eppnt->p_type != PT_LOAD)
++ eppnt++;
+
+ /* Now use mmap to map the library into memory. */
+ down_write(¤t->mm->mmap_sem);
+ error = do_mmap(file,
+- ELF_PAGESTART(elf_phdata->p_vaddr),
+- (elf_phdata->p_filesz +
+- ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
++ ELF_PAGESTART(eppnt->p_vaddr),
++ (eppnt->p_filesz +
++ ELF_PAGEOFFSET(eppnt->p_vaddr)),
+ PROT_READ | PROT_WRITE | PROT_EXEC,
+ MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
+- (elf_phdata->p_offset -
+- ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
++ (eppnt->p_offset -
++ ELF_PAGEOFFSET(eppnt->p_vaddr)));
+ up_write(¤t->mm->mmap_sem);
+- if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
++ if (error != ELF_PAGESTART(eppnt->p_vaddr))
+ goto out_free_ph;
+
+- elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
++ elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
+ if (padzero(elf_bss)) {
+ error = -EFAULT;
+ goto out_free_ph;
+ }
+
+- len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
+- bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
++ len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
++ bss = eppnt->p_memsz + eppnt->p_vaddr;
+ if (bss > len) {
+ down_write(¤t->mm->mmap_sem);
+ do_brk(len, bss - len);
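Review bot: The new `eppnt` cursor is introduced without a comment saying why `elf_phdata` must no longer be advanced, which is the whole point of the fix; add `/* walk with eppnt: elf_phdata must stay the pointer kfree()'d at out_free_ph */` above `eppnt = elf_phdata;`. The `while (eppnt->p_type != PT_LOAD) eppnt++;` walk terminates only because the preceding loop counted exactly one PT_LOAD among the e_phnum entries, so a one-line comment there, `/* j == 1 above guarantees a PT_LOAD inside the table */`, would spare the next reader re-deriving the bound. load_elf_library continues past the end of this hunk (the do_brk call and the out_free_ph cleanup are outside it), so the kfree() site the fix protects is not visible here. The `¤t` in the down_write/up_write lines looks like `&current` mangled in transit rather than an intended change; it is worth confirming the stored patch file still applies cleanly.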
Modified: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-2
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-2 2005-03-30 06:10:06 UTC (rev 2858)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-2 2005-03-30 08:55:57 UTC (rev 2859)
@@ -7,4 +7,4 @@
+ fs-isofs-range-check-1.patch
+ fs-isofs-range-check-2.patch
+ fs-isofs-range-check-3.patch
-
++ fs-binfmt_elf-dos.patch