r4316 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Simon Horman horms at costa.debian.org
Thu Oct 6 09:55:05 UTC 2005


Author: horms
Date: 2005-10-06 09:55:04 +0000 (Thu, 06 Oct 2005)
New Revision: 4316

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-fput-in-32bit-ioctl-on-x86-64.dpatch
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
Log:
  * lost-fput-in-32bit-ioctl-on-x86-64.patch
    [SECURITY] lost fput in 32bit ioctl on x86-64; local DoS
    From 2.6.13.2
  
  * lost-sockfd_put-in-32bit-compat-routing_ioctl.patch
    [SECURITY] lost sockfd_put() in routing_ioctl(); local DoS
    From 2.6.13.2



Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-10-06 09:33:00 UTC (rev 4315)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-10-06 09:55:04 UTC (rev 4316)
@@ -47,12 +47,24 @@
     [SECURITY] Fix SKB leak in ip6_input_finish(); local DoS.
     From 2.6.12.6
 
+  * sendmsg-stackoverflow.dpatch
+    [SECUURITY] 32bit sendmsg() flaw. See CAN-2005-2490
+    From 2.6.13.1
+
+  * lost-fput-in-32bit-ioctl-on-x86-64.patch
+    [SECURITY] lost fput in 32bit ioctl on x86-6; local DoS4
+    From 2.6.13.2
+
+  * lost-sockfd_put-in-32bit-compat-routing_ioctl.patch
+    [SECURITY] lost sockfd_put() in routing_ioctl(); local DoS
+    From 2.6.13.2
+
   [ dann frazier ]
   * mempolicy-check-mode.dpatch
     [SECURITY] Input validation in sys_set_mempolicy(); local DoS.
     See CAN-2005-3053
 
- -- dann frazier <dannf at debian.org>  Tue, 27 Sep 2005 15:18:57 -0600
+ -- Simon Horman <horms at debian.org>  Thu,  6 Oct 2005 18:37:22 +0900
 
 kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
 
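Review bot: the two new entries name lost-fput-in-32bit-ioctl-on-x86-64.patch and lost-sockfd_put-in-32bit-compat-routing_ioctl.patch, but the files this revision adds (and the series file lists) end in .dpatch; align the names so the changelog points at files that exist in debian/patches. Typos in the added lines: "[SECUURITY]" should be "[SECURITY]", and "x86-6; local DoS4" should read "x86-64; local DoS". The sendmsg entry would also be more useful if it said what the flaw is (the patch name says stack overflow in the 32bit sendmsg() compat path) rather than only "flaw".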

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-fput-in-32bit-ioctl-on-x86-64.dpatch
===================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-fput-in-32bit-ioctl-on-x86-64.dpatch	2005-10-06 09:33:00 UTC (rev 4315)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-fput-in-32bit-ioctl-on-x86-64.dpatch	2005-10-06 09:55:04 UTC (rev 4316)
@@ -0,0 +1,66 @@
+From chrisw at osdl.org  Fri Sep  9 13:05:53 2005
+Date: Fri, 9 Sep 2005 13:05:53 -0700
+From: Chris Wright <chrisw at osdl.org>
+To: Kirill Korotaev <dev at sw.ru>
+Cc: security at kernel.org, Linus Torvalds <torvalds at osdl.org>,
+        Andrew Morton <akpm at osdl.org>, Chris Wright <chrisw at osdl.org>,
+        Maxim Giryaev <gem at sw.ru>
+Subject: [PATCH] lost fput in 32bit ioctl on x86-64
+
+From: Maxim Giryaev <gem at sw.ru>
+
+This patch adds lost fput in 32bit tiocgdev ioctl on x86-64
+
+I believe this is a security issues, since user can fget() file as
+many times as he wants to. So file refcounter can be overlapped and
+first fput() will free resources though there will be still structures
+pointing to the file, mnt, dentry etc.  Also fput() sets f_dentry and
+f_vfsmnt to NULL, so other file users will OOPS.
+
+The oops can be done under files_lock and others, so this is really
+exploitable DoS on SMP. Didn't checked it on practice actually.
+
+(chrisw: Update to use fget_light/fput_light)
+
+Signed-Off-By: Kirill Korotaev <dev at sw.ru>
+Signed-Off-By: Maxim Giryaev <gem at sw.ru>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+ arch/x86_64/ia32/ia32_ioctl.c |   17 +++++++++++++----
+ 1 files changed, 13 insertions(+), 4 deletions(-)
+
+Index: linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
+===================================================================
+--- linux-2.6.13.y.orig/arch/x86_64/ia32/ia32_ioctl.c
++++ linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
+@@ -24,17 +24,26 @@
+ static int tiocgdev(unsigned fd, unsigned cmd,  unsigned int __user *ptr) 
+ { 
+ 
+-	struct file *file = fget(fd);
++	struct file *file;
+ 	struct tty_struct *real_tty;
++	int fput_needed, ret;
+ 
++	file = fget_light(fd, &fput_needed);
+ 	if (!file)
+ 		return -EBADF;
++
++	ret = -EINVAL;
+ 	if (file->f_op->ioctl != tty_ioctl)
+-		return -EINVAL; 
++		goto out;
+ 	real_tty = (struct tty_struct *)file->private_data;
+ 	if (!real_tty) 	
+-		return -EINVAL; 
+-	return put_user(new_encode_dev(tty_devnum(real_tty)), ptr); 
++		goto out;
++
++	ret = put_user(new_encode_dev(tty_devnum(real_tty)), ptr); 
++
++out:
++	fput_light(file, fput_needed);
++	return ret;
+ } 
+ 
+ #define RTC_IRQP_READ32	_IOR('p', 0x0b, unsigned int)	 /* Read IRQ rate   */
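Review bot: the error handling in the new tiocgdev() body is sound: ret is preset to -EINVAL, and every exit after fget_light() reaches out: and calls fput_light(), so a failed TIOCGDEV no longer leaves the file's reference count elevated. Two points for the backport: the Index: lines target linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c, so confirm the hunk at line 24 applies to the 2.6.8 file and that fget_light()/fput_light() exist in that tree (the original code used plain fget(), and a plain fget()/fput() pair with the same goto structure would be the fallback); and the file starts directly with the mail header, with none of the "#! /bin/sh /usr/share/dpatch/dpatch-run" and "## description" lines a dpatch conventionally carries, so verify that the dpatch version used by the build applies header-less patches.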

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch
===================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch	2005-10-06 09:33:00 UTC (rev 4315)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch	2005-10-06 09:55:04 UTC (rev 4316)
@@ -0,0 +1,53 @@
+From dev at sw.ru  Fri Sep  9 02:55:06 2005
+Date: Fri, 09 Sep 2005 13:59:48 +0400
+From: Kirill Korotaev <dev at sw.ru>
+To: security at kernel.org, Linus Torvalds <torvalds at osdl.org>,
+        Andrew Morton <akpm at osdl.org>, Chris Wright <chrisw at osdl.org>,
+        "Maxim Giryaev" <gem at sw.ru>
+Subject: [PATCH] Lost sockfd_put() in routing_ioctl()
+
+From: "Maxim Giryaev" <gem at sw.ru>
+
+This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on 
+64bit platforms, bug found by Vasiliy Averin <vvs at sw.ru>.
+
+I believe this is a security issues, since user can fget() file as many 
+times as he wants to. So file refcounter can be overlapped and first 
+fput() will free resources though there will be still structures 
+pointing to the file, mnt, dentry etc.
+Also fput() sets f_dentry and f_vfsmnt to NULL,
+so other file users will OOPS.
+
+The oops can be done under files_lock and others, so this can be an 
+exploitable DoS on SMP. Didn't checked it on practice actually.
+
+Signed-Off-By: Kirill Korotaev <dev at sw.ru>
+Signed-Off-By: Maxim Giryaev <gem at sw.ru>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+ fs/compat_ioctl.c |    7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.13.y/fs/compat_ioctl.c
+===================================================================
+--- linux-2.6.13.y.orig/fs/compat_ioctl.c
++++ linux-2.6.13.y/fs/compat_ioctl.c
+@@ -798,13 +798,16 @@ static int routing_ioctl(unsigned int fd
+ 		r = (void *) &r4;
+ 	}
+ 
+-	if (ret)
+-		return -EFAULT;
++	if (ret) {
++		ret = -EFAULT;
++		goto out;
++	}
+ 
+ 	set_fs (KERNEL_DS);
+ 	ret = sys_ioctl (fd, cmd, (unsigned long) r);
+ 	set_fs (old_fs);
+ 
++out:
+ 	if (mysock)
+ 		sockfd_put(mysock);
+ 
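Review bot: the goto out on the copy-failure path is the right fix; the mysock reference (obtained earlier in the function, outside the shown context) is now released by sockfd_put() on the -EFAULT return as well as on the normal path, and set_fs() is still only touched on the success path. Same backport caveats as the previous file: the Index: lines target linux-2.6.13.y/fs/compat_ioctl.c at line 798, so check that the hunk applies (possibly with an offset) to where routing_ioctl() lives in 2.6.8, and the file has no dpatch header. The description line says "rounting_ioctl()" (typo for routing_ioctl); cosmetic, but it ships in the source package.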

Copied: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch (from rev 4312, dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch)

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
===================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	2005-10-06 09:33:00 UTC (rev 4315)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	2005-10-06 09:55:04 UTC (rev 4316)
@@ -5,4 +5,7 @@
 + nptl-signal-delivery-deadlock-fix.dpatch
 + fix-memory-leak-in-sg.c-seq_file.dpatch
 + ipv6-skb-leak.dpatch
++ sendmsg-stackoverflow.dpatch
 + mempolicy-check-mode.dpatch
++ lost-fput-in-32bit-ioctl-on-x86-64.dpatch
++ lost-sockfd_put-in-32bit-compat-routing_ioctl.dpatch
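Review bot: the series inserts sendmsg-stackoverflow.dpatch before mempolicy-check-mode.dpatch but appends the two lost-*.dpatch entries after it, so the series order differs from the changelog order, where all three new entries precede the mempolicy entry; harmless if the patches are independent, but a consistent order makes 2.6.8-16sarge2 easier to audit. The commit log above also omits the sendmsg-stackoverflow.dpatch addition (copied from rev 4312) that both the changelog and this series record.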



