r2860 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Simon Horman horms@costa.debian.org
Wed, 30 Mar 2005 09:25:14 +0000


Author: horms
Date: 2005-03-30 09:25:13 +0000 (Wed, 30 Mar 2005)
New Revision: 2860

Added:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-binfmt_elf-dos.dpatch
Modified:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16
Log:
Potential DOS in load_elf_library. No CAN number available at this time.

Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-03-30 08:55:57 UTC (rev 2859)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-03-30 09:25:13 UTC (rev 2860)
@@ -33,8 +33,13 @@
     CVE yet to be assigned.
     (Simon Horman)
 
- -- Simon Horman <horms@debian.org>  Mon, 28 Mar 2005 19:03:38 +0900
+  * fs-binfmt_elf-dos.dpatch:
+    Potential DOS in load_elf_library.
+    No CAN number available at this time.
+    (Simon Horman)
 
+ -- Simon Horman <horms@debian.org>  Wed, 30 Mar 2005 18:09:06 +0900
+
 kernel-source-2.6.8 (2.6.8-15) unstable; urgency=high
 
   * [Security] Fix race in radeon driver which can result

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-binfmt_elf-dos.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-binfmt_elf-dos.dpatch	2005-03-30 08:55:57 UTC (rev 2859)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-binfmt_elf-dos.dpatch	2005-03-30 09:25:13 UTC (rev 2860)
@@ -0,0 +1,109 @@
+# origin: akpm (BitKeeper)
+# cset: 1.1982.163.37 (2.6) key=4244bffczprEXYXBhd4oTqo8WoMTGQ
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@4244bffczprEXYXBhd4oTqo8WoMTGQ
+# inclusion: upstream
+# descrition: [PATCH] Potential DOS in load_elf_library
+# revision date: Wed, 30 Mar 2005 17:50:26 +0900
+#
+# S rset: ChangeSet|1.1982.163.36..1.1982.163.37
+# R rset: fs/binfmt_elf.c|1.103..1.103.2.1
+#
+# Key:
+# S: Skipped  ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated  Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted  Manually deleted by subsequent user edit
+# R: Revised  Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/03/25 17:50:52-08:00 akpm@osdl.org 
+#   [PATCH] Potential DOS in load_elf_library
+#   
+#   From: Herbert Xu <herbert@gondor.apana.org.au>
+#   
+#   Yichen Xie <yxie@cs.stanford.edu> points out that load_elf_library can
+#   modify `elf_phdata' before freeing it.
+#   
+#   CAN-2005-0749 is assigned to this issue.
+#   
+#   Signed-off-by: Andrew Morton <akpm@osdl.org>
+#   Signed-off-by: Chris Wright <chrisw@osdl.org>
+# 
+# fs/binfmt_elf.c
+#   2005/03/20 16:56:41-08:00 akpm@osdl.org +17 -13
+#   Potential DOS in load_elf_library
+# 
+#
+--- a/fs/binfmt_elf.c	2005-03-30 18:12:18.000000000 +0900
++++ b/fs/binfmt_elf.c	2005-03-30 18:18:18.000000000 +0900
+@@ -968,6 +968,7 @@ out_free_ph:
+ static int load_elf_library(struct file *file)
+ {
+ 	struct elf_phdr *elf_phdata;
++	struct elf_phdr *eppnt;
+ 	unsigned long elf_bss, bss, len;
+ 	int retval, error, i, j;
+ 	struct elfhdr elf_ex;
+@@ -991,41 +992,44 @@ static int load_elf_library(struct file 
+ 	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
+ 
+ 	error = -ENOMEM;
+-	elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
++	elf_phdata = kmalloc(j, GFP_KERNEL);
+ 	if (!elf_phdata)
+ 		goto out;
+ 
++	eppnt = elf_phdata;
+ 	error = -ENOEXEC;
+-	retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
++	retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
+ 	if (retval != j)
+ 		goto out_free_ph;
+ 
+ 	for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
+-		if ((elf_phdata + i)->p_type == PT_LOAD) j++;
++		if ((eppnt + i)->p_type == PT_LOAD)
++			j++;
+ 	if (j != 1)
+ 		goto out_free_ph;
+ 
+-	while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
++	while (eppnt->p_type != PT_LOAD)
++		eppnt++;
+ 
+ 	/* Now use mmap to map the library into memory. */
+ 	down_write(&current->mm->mmap_sem);
+ 	error = do_mmap(file,
+-			ELF_PAGESTART(elf_phdata->p_vaddr),
+-			(elf_phdata->p_filesz +
+-			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
++			ELF_PAGESTART(eppnt->p_vaddr),
++			(eppnt->p_filesz +
++			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
+ 			PROT_READ | PROT_WRITE | PROT_EXEC,
+ 			MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
+-			(elf_phdata->p_offset -
+-			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
++			(eppnt->p_offset -
++			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
+ 	up_write(&current->mm->mmap_sem);
+-	if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
++	if (error != ELF_PAGESTART(eppnt->p_vaddr))
+ 		goto out_free_ph;
+ 
+-	elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
++	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
+ 	padzero(elf_bss);
+ 
+-	len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
+-	bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
++	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
++	bss = eppnt->p_memsz + eppnt->p_vaddr;
+ 	if (bss > len) {
+ 		down_write(&current->mm->mmap_sem);
+ 		do_brk(len, bss - len);
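Review bot: The embedded upstream changeset description states "CAN-2005-0749 is assigned to this issue", yet the changelog entry in the same commit records "No CAN number available at this time"; the changelog should carry the identifier the patch header already gives, e.g. `Potential DOS in load_elf_library (CAN-2005-0749).`, so the security tracker can match the fix. The dpatch metadata line `# descrition:` is also misspelled and should read `# description:`. On the code itself, introducing `eppnt` as the scanning cursor so that `elf_phdata` is never advanced is the right shape for the fix, but the `out_free_ph:` label and the `kfree()` that depends on `elf_phdata` still pointing at the original allocation lie outside this hunk, as does the rest of load_elf_library, so that property cannot be confirmed from the visible lines alone.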

Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16	2005-03-30 08:55:57 UTC (rev 2859)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16	2005-03-30 09:25:13 UTC (rev 2860)
@@ -7,3 +7,4 @@
 + fs-isofs-range-check-2.dpatch
 + fs-isofs-range-check-3.dpatch
 + mm-shmem-truncate.dpatch
++ fs-binfmt_elf-dos.dpatch