r4316 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Simon Horman
horms at costa.debian.org
Thu Oct 6 09:55:05 UTC 2005
Author: horms
Date: 2005-10-06 09:55:04 +0000 (Thu, 06 Oct 2005)
New Revision: 4316
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-fput-in-32bit-ioctl-on-x86-64.dpatch
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
Log:
* lost-fput-in-32bit-ioctl-on-x86-64.patch
[SECURITY] lost fput in 32bit ioctl on x86-64; local DoS
From 2.6.13.2
* lost-sockfd_put-in-32bit-compat-routing_ioctl.patch
[SECURITY] lost sockfd_put() in routing_ioctl(); local DoS
From 2.6.13.2
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-10-06 09:33:00 UTC (rev 4315)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-10-06 09:55:04 UTC (rev 4316)
@@ -47,12 +47,24 @@
[SECURITY] Fix SKB leak in ip6_input_finish(); local DoS.
From 2.6.12.6
+ * sendmsg-stackoverflow.dpatch
+ [SECUURITY] 32bit sendmsg() flaw. See CAN-2005-2490
+ From 2.6.13.1
+
+ * lost-fput-in-32bit-ioctl-on-x86-64.patch
+ [SECURITY] lost fput in 32bit ioctl on x86-6; local DoS4
+ From 2.6.13.2
+
+ * lost-sockfd_put-in-32bit-compat-routing_ioctl.patch
+ [SECURITY] lost sockfd_put() in routing_ioctl(); local DoS
+ From 2.6.13.2
+
[ dann frazier ]
* mempolicy-check-mode.dpatch
[SECURITY] Input validation in sys_set_mempolicy(); local DoS.
See CAN-2005-3053
- -- dann frazier <dannf at debian.org> Tue, 27 Sep 2005 15:18:57 -0600
+ -- Simon Horman <horms at debian.org> Thu, 6 Oct 2005 18:37:22 +0900
kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
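Review bot: the new changelog entries carry two typos and a naming inconsistency that will be copied verbatim into the advisory text: `[SECUURITY]` in the sendmsg-stackoverflow entry, and `lost fput in 32bit ioctl on x86-6; local DoS4`, where the stray `4` belongs on the end of `x86-6`. The lost-fput and lost-sockfd_put entries also name the files with a `.patch` suffix while the files added in this commit (and the series entries below) are `.dpatch`; the sendmsg entry already says `.dpatch`, so make the other two match. The neighbouring entries cite a CAN id where one exists; if an id has been assigned for the two sw.ru refcount fixes, add it here too, since the security tracker keys on those references.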
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-fput-in-32bit-ioctl-on-x86-64.dpatch
===================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-fput-in-32bit-ioctl-on-x86-64.dpatch 2005-10-06 09:33:00 UTC (rev 4315)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-fput-in-32bit-ioctl-on-x86-64.dpatch 2005-10-06 09:55:04 UTC (rev 4316)
@@ -0,0 +1,66 @@
+From chrisw at osdl.org Fri Sep 9 13:05:53 2005
+Date: Fri, 9 Sep 2005 13:05:53 -0700
+From: Chris Wright <chrisw at osdl.org>
+To: Kirill Korotaev <dev at sw.ru>
+Cc: security at kernel.org, Linus Torvalds <torvalds at osdl.org>,
+ Andrew Morton <akpm at osdl.org>, Chris Wright <chrisw at osdl.org>,
+ Maxim Giryaev <gem at sw.ru>
+Subject: [PATCH] lost fput in 32bit ioctl on x86-64
+
+From: Maxim Giryaev <gem at sw.ru>
+
+This patch adds lost fput in 32bit tiocgdev ioctl on x86-64
+
+I believe this is a security issues, since user can fget() file as
+many times as he wants to. So file refcounter can be overlapped and
+first fput() will free resources though there will be still structures
+pointing to the file, mnt, dentry etc. Also fput() sets f_dentry and
+f_vfsmnt to NULL, so other file users will OOPS.
+
+The oops can be done under files_lock and others, so this is really
+exploitable DoS on SMP. Didn't checked it on practice actually.
+
+(chrisw: Update to use fget_light/fput_light)
+
+Signed-Off-By: Kirill Korotaev <dev at sw.ru>
+Signed-Off-By: Maxim Giryaev <gem at sw.ru>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+ arch/x86_64/ia32/ia32_ioctl.c | 17 +++++++++++++----
+ 1 files changed, 13 insertions(+), 4 deletions(-)
+
+Index: linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
+===================================================================
+--- linux-2.6.13.y.orig/arch/x86_64/ia32/ia32_ioctl.c
++++ linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
+@@ -24,17 +24,26 @@
+ static int tiocgdev(unsigned fd, unsigned cmd, unsigned int __user *ptr)
+ {
+
+- struct file *file = fget(fd);
++ struct file *file;
+ struct tty_struct *real_tty;
++ int fput_needed, ret;
+
++ file = fget_light(fd, &fput_needed);
+ if (!file)
+ return -EBADF;
++
++ ret = -EINVAL;
+ if (file->f_op->ioctl != tty_ioctl)
+- return -EINVAL;
++ goto out;
+ real_tty = (struct tty_struct *)file->private_data;
+ if (!real_tty)
+- return -EINVAL;
+- return put_user(new_encode_dev(tty_devnum(real_tty)), ptr);
++ goto out;
++
++ ret = put_user(new_encode_dev(tty_devnum(real_tty)), ptr);
++
++out:
++ fput_light(file, fput_needed);
++ return ret;
+ }
+
+ #define RTC_IRQP_READ32 _IOR('p', 0x0b, unsigned int) /* Read IRQ rate */
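Review bot: the fix is sound as far as the hunk shows: both early `return -EINVAL` exits sat after `fget(fd)` and dropped the reference, so a user could call this ioctl repeatedly on the same fd and drive the file's refcount up until it wrapped, exactly as the description says; every exit after a successful lookup now funnels through `out:` and `fput_light()`. Two things to confirm before this lands in 2.6.8-16sarge2: the hunk was generated against `linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c`, so check that it applies to the 2.6.8 tree without fuzz and that `fget_light()`/`fput_light()` exist there with the same `(fd, &fput_needed)` and `(file, fput_needed)` signatures; if they differ, a minimal backport can keep the original `fget()` and call `fput(file)` at `out:`, which closes the leak just as well. Minor: the `return -EBADF` for `!file` is the one exit that bypasses `out:`, which is correct because nothing was taken, but a short comment there would spare the next reader from checking.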
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch
===================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch 2005-10-06 09:33:00 UTC (rev 4315)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch 2005-10-06 09:55:04 UTC (rev 4316)
@@ -0,0 +1,53 @@
+From dev at sw.ru Fri Sep 9 02:55:06 2005
+Date: Fri, 09 Sep 2005 13:59:48 +0400
+From: Kirill Korotaev <dev at sw.ru>
+To: security at kernel.org, Linus Torvalds <torvalds at osdl.org>,
+ Andrew Morton <akpm at osdl.org>, Chris Wright <chrisw at osdl.org>,
+ "Maxim Giryaev" <gem at sw.ru>
+Subject: [PATCH] Lost sockfd_put() in routing_ioctl()
+
+From: "Maxim Giryaev" <gem at sw.ru>
+
+This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on
+64bit platforms, bug found by Vasiliy Averin <vvs at sw.ru>.
+
+I believe this is a security issues, since user can fget() file as many
+times as he wants to. So file refcounter can be overlapped and first
+fput() will free resources though there will be still structures
+pointing to the file, mnt, dentry etc.
+Also fput() sets f_dentry and f_vfsmnt to NULL,
+so other file users will OOPS.
+
+The oops can be done under files_lock and others, so this can be an
+exploitable DoS on SMP. Didn't checked it on practice actually.
+
+Signed-Off-By: Kirill Korotaev <dev at sw.ru>
+Signed-Off-By: Maxim Giryaev <gem at sw.ru>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+ fs/compat_ioctl.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.13.y/fs/compat_ioctl.c
+===================================================================
+--- linux-2.6.13.y.orig/fs/compat_ioctl.c
++++ linux-2.6.13.y/fs/compat_ioctl.c
+@@ -798,13 +798,16 @@ static int routing_ioctl(unsigned int fd
+ r = (void *) &r4;
+ }
+
+- if (ret)
+- return -EFAULT;
++ if (ret) {
++ ret = -EFAULT;
++ goto out;
++ }
+
+ set_fs (KERNEL_DS);
+ ret = sys_ioctl (fd, cmd, (unsigned long) r);
+ set_fs (old_fs);
+
++out:
+ if (mysock)
+ sockfd_put(mysock);
+
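Review bot: the hunk only reroutes the `-EFAULT` exit through `out:`; the `sockfd_lookup()` that sets `mysock` and the copy-in code that accumulates `ret` are above the visible context, so confirm there is no other early `return` between the lookup and this point (for example a default branch for an unknown `cmd`) that would still leak the socket reference. The placement of `out:` after `set_fs(old_fs)` is right, since the error path never called `set_fs(KERNEL_DS)`; keep that ordering if the hunk has to be refreshed for 2.6.8. Cosmetic: the description says `rounting_ioctl()`; fix the function name, since people grep changelogs and patch headers for it.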
Copied: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch (from rev 4312, dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch)
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
===================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2 2005-10-06 09:33:00 UTC (rev 4315)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2 2005-10-06 09:55:04 UTC (rev 4316)
@@ -5,4 +5,7 @@
+ nptl-signal-delivery-deadlock-fix.dpatch
+ fix-memory-leak-in-sg.c-seq_file.dpatch
+ ipv6-skb-leak.dpatch
++ sendmsg-stackoverflow.dpatch
+ mempolicy-check-mode.dpatch
++ lost-fput-in-32bit-ioctl-on-x86-64.dpatch
++ lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch
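Review bot: the series puts `sendmsg-stackoverflow.dpatch` before `mempolicy-check-mode.dpatch` and the two lost-fput/lost-sockfd_put patches after it, which does not match the changelog, where all three Horman entries precede the dann frazier entry. That is harmless only if the patches touch disjoint files, so check that the two new dpatches, whose `Index:` lines point at a 2.6.13.y tree, apply cleanly at this position in the 2.6.8 series. The names here end in `.dpatch` while the changelog entries for the same two patches say `.patch`; align them.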