r3149 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Simon Horman
horms@costa.debian.org
Thu, 19 May 2005 06:17:21 +0000
Author: horms
Date: 2005-05-19 06:17:20 +0000 (Thu, 19 May 2005)
New Revision: 3149
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-block-raw-ioctl.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16
Log:
[SECURITY] Fix root hole in raw device. See CAN-2005-1264.
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-05-19 01:01:40 UTC (rev 3148)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-05-19 06:17:20 UTC (rev 3149)
@@ -149,8 +149,12 @@
Linux kernel ELF core dump privilege elevation
See CAN-2005-1263. (closes: #308634, #308724, #308855). (Simon Horman)
- -- Simon Horman <horms@debian.org> Thu, 12 May 2005 16:25:40 +0900
+ * drivers-block-raw-ioctl.dpatch:
+ [SECURITY] Fix root hole in raw device. See CAN-2005-1264.
+ (closes: #309429) (Simon Horman)
+ -- Simon Horman <horms@debian.org> Thu, 19 May 2005 15:16:22 +0900
+
kernel-source-2.6.8 (2.6.8-15) unstable; urgency=high
* [Security] Fix race in radeon driver which can result
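Review bot: the new changelog bullet says only "Fix root hole in raw device", which does not tell a reader what was wrong or which kernels are affected; the dpatch header in this same commit has the concrete description (raw ioctl pass-through went through ioctl_by_bdev(), whose set_fs(KERNEL_DS) made ioctl argument buffers be read from and written to the kernel address space), and one clause of that in the bullet would make the entry self-explanatory. The hunk also removes the existing "-- Simon Horman ... 12 May 2005" trailer and adds a new one dated 19 May, which is correct only if 2.6.8-16 is still unreleased at this revision; the series file being edited in the same commit is series/2.6.8-16, consistent with that, but the upload history should be checked before this goes out.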
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-block-raw-ioctl.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-block-raw-ioctl.dpatch 2005-05-19 01:01:40 UTC (rev 3148)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-block-raw-ioctl.dpatch 2005-05-19 06:17:20 UTC (rev 3149)
@@ -0,0 +1,59 @@
+branch_url rsync://rsync.kernel.org/pub/scm/linux/kernel/git/gregkh/linux-2.6.11.y.git
+tree 4874ca9b8bc470148e1ec9b9f89001da6d3f5000
+parent b23b1dc851540dd0580251d98f6b9993779904e4
+author Dave Jones <davej@redhat.com> 1116041479 -0400
+committer Greg KH <gregkh@suse.de> 1116265334 -0700
+
+[PATCH] Fix root hole in raw device
+
+[Patch] Fix raw device ioctl pass-through
+
+Raw character devices are supposed to pass ioctls through to the block
+devices they are bound to. Unfortunately, they are using the wrong
+function for this: ioctl_by_bdev(), instead of blkdev_ioctl().
+
+ioctl_by_bdev() performs a set_fs(KERNEL_DS) before calling the ioctl,
+redirecting the user-space buffer access to the kernel address space.
+This is, needless to say, a bad thing.
+
+This was noticed first on s390, where raw IO was non-functioning. The
+s390 driver config does not actually allow raw IO to be enabled, which
+was the first part of the problem. Secondly, the s390 kernel address
+space is distinct from user, causing legal raw ioctls to fail. I've
+reproduced this on a kernel built with 4G:4G split on x86, which fails
+in the same way (-EFAULT if the address does not exist kernel-side;
+returns success without actually populating the user buffer if it does.)
+
+The patch below fixes both the config and address-space problems. It's
+based closely on a patch by Jan Glauber <jang@de.ibm.com>, which has
+been tested on s390 at IBM. I've tested it on x86 4G:4G (split address
+space) and x86_64 (common address space).
+
+Kernel-address-space access has been assigned CAN-2005-1264.
+
+Signed-off-by: Stephen Tweedie <sct@redhat.com>
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Index: drivers/block/ioctl.c
+===================================================================
+--- d4348b474184a15ab5ff9da8005e0d0eb8681bd1/drivers/block/ioctl.c (mode:100644)
++++ 4874ca9b8bc470148e1ec9b9f89001da6d3f5000/drivers/block/ioctl.c (mode:100644)
+@@ -237,3 +237,5 @@
+ }
+ return ret;
+ }
++
++EXPORT_SYMBOL_GPL(blkdev_ioctl);
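Review bot: the export is needed because drivers/char/raw.c may be built as a module and now calls blkdev_ioctl() directly, but the dpatch adds no declaration of blkdev_ioctl() in any header; confirm that the prototype is visible to raw.c in the 2.6.8 tree (in this era it lives in include/linux/fs.h), otherwise the raw.c hunk below builds with an implicit-declaration warning rather than a checked call. Using EXPORT_SYMBOL_GPL rather than EXPORT_SYMBOL is fine for the in-tree raw driver; just note that it deliberately keeps the symbol unavailable to non-GPL modules.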
+Index: drivers/char/raw.c
+===================================================================
+--- d4348b474184a15ab5ff9da8005e0d0eb8681bd1/drivers/char/raw.c (mode:100644)
++++ 4874ca9b8bc470148e1ec9b9f89001da6d3f5000/drivers/char/raw.c (mode:100644)
+@@ -122,7 +122,7 @@
+ {
+ struct block_device *bdev = filp->private_data;
+
+- return ioctl_by_bdev(bdev, command, arg);
++ return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
+ }
+
+ static void bind_device(struct raw_config_request *rq)
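Review bot: the one-line switch from ioctl_by_bdev(bdev, command, arg) to blkdev_ioctl(bdev->bd_inode, filp, command, arg) is the actual fix: blkdev_ioctl() runs with the caller's address limit, so ioctl argument pointers are validated as user addresses by copy_from_user()/copy_to_user() instead of being dereferenced as kernel addresses under set_fs(KERNEL_DS). Passing bdev->bd_inode rather than the inode of the raw character device is the right choice, since the block-layer ioctl handlers expect the bound block device's inode. One mismatch to flag: the description above says "The patch below fixes both the config and address-space problems", but this dpatch only carries the drivers/block/ioctl.c and drivers/char/raw.c changes; the s390 Kconfig part mentioned in the text is not included, so either the header text should say so or the config hunk should be added if it applies to 2.6.8.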
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16 2005-05-19 01:01:40 UTC (rev 3148)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16 2005-05-19 06:17:20 UTC (rev 3149)
@@ -34,3 +34,4 @@
+ drivers-i2c-sysfs-permisions.dpatch
+ net-ipv4-fib_hash-crash.dpatch
+ fs-binfmt_elf-dump-privelage.dpatch
++ drivers-block-raw-ioctl.dpatch
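Review bot: appending drivers-block-raw-ioctl.dpatch at the end of the 2.6.8-16 series is fine ordering-wise, since none of the earlier patches listed here touch drivers/block/ioctl.c or drivers/char/raw.c, so the dpatch applies independently of them. Leave the misspelled existing entries ("permisions", "privelage") untouched in this file: they must match the dpatch file names on disk, and renaming them belongs in a separate change.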