r3149 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Simon Horman horms@costa.debian.org
Thu, 19 May 2005 06:17:21 +0000


Author: horms
Date: 2005-05-19 06:17:20 +0000 (Thu, 19 May 2005)
New Revision: 3149

Added:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-block-raw-ioctl.dpatch
Modified:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16
Log:
[SECURITY] Fix root hole in raw device. See CAN-2005-1264.

Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-05-19 01:01:40 UTC (rev 3148)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-05-19 06:17:20 UTC (rev 3149)
@@ -149,8 +149,12 @@
     Linux kernel ELF core dump privilege elevation
     See CAN-2005-1263. (closes: #308634, #308724, #308855). (Simon Horman)
 
- -- Simon Horman <horms@debian.org>  Thu, 12 May 2005 16:25:40 +0900
+  * drivers-block-raw-ioctl.dpatch:
+    [SECURITY] Fix root hole in raw device. See CAN-2005-1264.
+    (closes: #309429) (Simon Horman)
 
+ -- Simon Horman <horms@debian.org>  Thu, 19 May 2005 15:16:22 +0900
+
 kernel-source-2.6.8 (2.6.8-15) unstable; urgency=high
 
   * [Security] Fix race in radeon driver which can result
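Review bot: tag capitalisation is inconsistent within this changelog: the new "drivers-block-raw-ioctl.dpatch" entry uses "[SECURITY]" while the 2.6.8-15 entry immediately below uses "[Security]"; settle on one form so security fixes can be grepped reliably. The new entry could also record the upstream origin of the patch (the Red Hat/2.6.11.y commit carried in the dpatch header) next to the CAN-2005-1264 reference, so provenance is visible from the package changelog and not only inside the patch file.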

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-block-raw-ioctl.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-block-raw-ioctl.dpatch	2005-05-19 01:01:40 UTC (rev 3148)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/drivers-block-raw-ioctl.dpatch	2005-05-19 06:17:20 UTC (rev 3149)
@@ -0,0 +1,59 @@
+branch_url rsync://rsync.kernel.org/pub/scm/linux/kernel/git/gregkh/linux-2.6.11.y.git
+tree 4874ca9b8bc470148e1ec9b9f89001da6d3f5000
+parent b23b1dc851540dd0580251d98f6b9993779904e4
+author Dave Jones <davej@redhat.com> 1116041479 -0400
+committer Greg KH <gregkh@suse.de> 1116265334 -0700
+
+[PATCH] Fix root hole in raw device
+
+[Patch] Fix raw device ioctl pass-through
+
+Raw character devices are supposed to pass ioctls through to the block
+devices they are bound to.  Unfortunately, they are using the wrong
+function for this: ioctl_by_bdev(), instead of blkdev_ioctl().
+
+ioctl_by_bdev() performs a set_fs(KERNEL_DS) before calling the ioctl,
+redirecting the user-space buffer access to the kernel address space.
+This is, needless to say, a bad thing.
+
+This was noticed first on s390, where raw IO was non-functioning.  The
+s390 driver config does not actually allow raw IO to be enabled, which
+was the first part of the problem.  Secondly, the s390 kernel address
+space is distinct from user, causing legal raw ioctls to fail.  I've
+reproduced this on a kernel built with 4G:4G split on x86, which fails
+in the same way (-EFAULT if the address does not exist kernel-side;
+returns success without actually populating the user buffer if it does.)
+
+The patch below fixes both the config and address-space problems.  It's
+based closely on a patch by Jan Glauber <jang@de.ibm.com>, which has
+been tested on s390 at IBM.  I've tested it on x86 4G:4G (split address
+space) and x86_64 (common address space).
+
+Kernel-address-space access has been assigned CAN-2005-1264.
+
+Signed-off-by: Stephen Tweedie <sct@redhat.com>
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Index: drivers/block/ioctl.c
+===================================================================
+--- d4348b474184a15ab5ff9da8005e0d0eb8681bd1/drivers/block/ioctl.c  (mode:100644)
++++ 4874ca9b8bc470148e1ec9b9f89001da6d3f5000/drivers/block/ioctl.c  (mode:100644)
+@@ -237,3 +237,5 @@
+ 	}
+ 	return ret;
+ }
++
++EXPORT_SYMBOL_GPL(blkdev_ioctl);
+Index: drivers/char/raw.c
+===================================================================
+--- d4348b474184a15ab5ff9da8005e0d0eb8681bd1/drivers/char/raw.c  (mode:100644)
++++ 4874ca9b8bc470148e1ec9b9f89001da6d3f5000/drivers/char/raw.c  (mode:100644)
+@@ -122,7 +122,7 @@
+ {
+ 	struct block_device *bdev = filp->private_data;
+ 
+-	return ioctl_by_bdev(bdev, command, arg);
++	return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
+ }
+ 
+ static void bind_device(struct raw_config_request *rq)
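Review bot: the description says "The patch below fixes both the config and address-space problems", but the dpatch as added carries only the drivers/block/ioctl.c export and the drivers/char/raw.c one-line change; no config change for s390 is present. Either the config part was deliberately dropped for the Debian 2.6.8 backport, in which case a short note at the top of the dpatch saying so would avoid future confusion, or it is missing and should be added. Since the hunks were lifted from the 2.6.11.y tree (see the branch_url/tree lines), also confirm that "@@ -237,3 +237,5 @@" in ioctl.c and "@@ -122,7 +122,7 @@" in raw.c apply to the 2.6.8 sources without fuzz, and that blkdev_ioctl() in 2.6.8 takes the (inode, filp, command, arg) arguments used in the replacement line, otherwise the build will fail on exactly the security fix this revision is meant to ship.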

Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16	2005-05-19 01:01:40 UTC (rev 3148)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16	2005-05-19 06:17:20 UTC (rev 3149)
@@ -34,3 +34,4 @@
 + drivers-i2c-sysfs-permisions.dpatch
 + net-ipv4-fib_hash-crash.dpatch
 + fs-binfmt_elf-dump-privelage.dpatch
++ drivers-block-raw-ioctl.dpatch
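Review bot: the new series entry is appended after the other security patches in 2.6.8-16, matching the order in the changelog, and the files it touches (drivers/block/ioctl.c, drivers/char/raw.c) do not overlap with the preceding fs-binfmt_elf-dump-privelage.dpatch, so ordering should not create conflicts; make sure the filename here matches the added dpatch exactly, since a typo in a series entry silently drops the fix from the build.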