[kernel] r5361 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at costa.debian.org
Sun Jan 8 22:09:50 UTC 2006


Author: dannf
Date: Sun Jan  8 22:09:48 2006
New Revision: 5361

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/async-urb-delivery-oops.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
Log:
* async-urb-delivery-oops.dpatch:
  [SECURITY] Fix oops that can result from a process terminating before
  an issued URB request completes.
  See CVE-2005-3055

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sun Jan  8 22:09:48 2006
@@ -152,7 +152,12 @@
     a local DoS (crash).
     See CVE-2005-3783
 
- -- dann frazier <dannf at debian.org>  Sun,  8 Jan 2006 13:50:51 -0700
+  * async-urb-delivery-oops.dpatch:
+    [SECURITY] Fix oops that can result from a process terminating before
+    an issued URB request completes.
+    See CVE-2005-3055
+
+ -- dann frazier <dannf at debian.org>  Sun,  8 Jan 2006 15:08:21 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/async-urb-delivery-oops.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/async-urb-delivery-oops.dpatch	Sun Jan  8 22:09:48 2006
@@ -0,0 +1,133 @@
+From: Harald Welte <laforge at gnumonks.org>
+Date: Mon, 10 Oct 2005 17:44:29 +0000 (+0200)
+Subject: [PATCH] Fix signal sending in usbdevio on async URB completion
+X-Git-Tag: v2.6.14-rc4
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=46113830a18847cff8da73005e57bc49c2f95a56
+
+[PATCH] Fix signal sending in usbdevio on async URB completion
+
+If a process issues an URB from userspace and (starts to) terminate
+before the URB comes back, we run into the issue described above.  This
+is because the urb saves a pointer to "current" when it is posted to the
+device, but there's no guarantee that this pointer is still valid
+afterwards.
+
+In fact, there are three separate issues:
+
+1) the pointer to "current" can become invalid, since the task could be
+   completely gone when the URB completion comes back from the device.
+
+2) Even if the saved task pointer is still pointing to a valid task_struct,
+   task_struct->sighand could have gone meanwhile.
+
+3) Even if the process is perfectly fine, permissions may have changed,
+   and we can no longer send it a signal.
+
+So what we do instead, is to save the PID and uid's of the process, and
+introduce a new kill_proc_info_as_uid() function.
+
+Signed-off-by: Harald Welte <laforge at gnumonks.org>
+[ Fixed up types and added symbol exports ]
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+Backported to 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urN kernel-source-2.6.8-2.6.8.orig/drivers/usb/core/devio.c kernel-source-2.6.8-2.6.8/drivers/usb/core/devio.c
+--- kernel-source-2.6.8-2.6.8.orig/drivers/usb/core/devio.c	2004-08-13 23:36:58.000000000 -0600
++++ kernel-source-2.6.8-2.6.8/drivers/usb/core/devio.c	2006-01-08 15:02:41.000000000 -0700
+@@ -30,6 +30,8 @@
+  *  Revision history
+  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
+  *    04.01.2000   0.2   Turned into its own filesystem
++ *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
++ *    			 (CAN-2005-3055)
+  */
+ 
+ /*****************************************************************************/
+@@ -53,7 +55,8 @@
+ struct async {
+ 	struct list_head asynclist;
+ 	struct dev_state *ps;
+-	struct task_struct *task;
++	pid_t pid;
++	uid_t uid, euid;
+ 	unsigned int signr;
+ 	unsigned int ifnum;
+ 	void __user *userbuffer;
+@@ -270,7 +273,8 @@
+ 		sinfo.si_errno = as->urb->status;
+ 		sinfo.si_code = SI_ASYNCIO;
+ 		sinfo.si_addr = as->userurb;
+-		send_sig_info(as->signr, &sinfo, as->task);
++		kill_proc_info_as_uid(as->signr, &sinfo, as->pid, as->uid, 
++				      as->euid);
+ 	}
+         wake_up(&ps->wait);
+ }
+@@ -940,7 +944,9 @@
+ 		as->userbuffer = NULL;
+ 	as->signr = uurb.signr;
+ 	as->ifnum = ifnum;
+-	as->task = current;
++	as->pid = current->pid;
++	as->uid = current->uid;
++	as->euid = current->euid;
+ 	if (!(uurb.endpoint & USB_DIR_IN)) {
+ 		if (copy_from_user(as->urb->transfer_buffer, uurb.buffer, as->urb->transfer_buffer_length)) {
+ 			free_async(as);
+diff -urN kernel-source-2.6.8-2.6.8.orig/include/linux/sched.h kernel-source-2.6.8-2.6.8/include/linux/sched.h
+--- kernel-source-2.6.8-2.6.8.orig/include/linux/sched.h	2004-08-13 23:36:16.000000000 -0600
++++ kernel-source-2.6.8-2.6.8/include/linux/sched.h	2006-01-08 15:03:23.000000000 -0700
+@@ -794,6 +794,7 @@
+ extern int kill_pg_info(int, struct siginfo *, pid_t);
+ extern int kill_sl_info(int, struct siginfo *, pid_t);
+ extern int kill_proc_info(int, struct siginfo *, pid_t);
++extern int kill_proc_info_as_uid(int, struct siginfo *, pid_t, uid_t, uid_t);
+ extern void notify_parent(struct task_struct *, int);
+ extern void do_notify_parent(struct task_struct *, int);
+ extern void force_sig(int, struct task_struct *);
+diff -urN kernel-source-2.6.8-2.6.8.orig/kernel/signal.c kernel-source-2.6.8-2.6.8/kernel/signal.c
+--- kernel-source-2.6.8-2.6.8.orig/kernel/signal.c	2006-01-08 13:48:04.000000000 -0700
++++ kernel-source-2.6.8-2.6.8/kernel/signal.c	2006-01-08 15:01:21.000000000 -0700
+@@ -1154,6 +1154,40 @@
+ 	return error;
+ }
+ 
++/* like kill_proc_info(), but doesn't use uid/euid of "current" */
++int kill_proc_info_as_uid(int sig, struct siginfo *info, pid_t pid,
++		      uid_t uid, uid_t euid)
++{
++	int ret = -EINVAL;
++	struct task_struct *p;
++
++	if (!valid_signal(sig))
++		return ret;
++
++	read_lock(&tasklist_lock);
++	p = find_task_by_pid(pid);
++	if (!p) {
++		ret = -ESRCH;
++		goto out_unlock;
++	}
++	if ((!info || ((unsigned long)info != 1 &&
++			(unsigned long)info != 2 && SI_FROMUSER(info)))
++	    && (euid != p->suid) && (euid != p->uid)
++	    && (uid != p->suid) && (uid != p->uid)) {
++		ret = -EPERM;
++		goto out_unlock;
++	}
++	if (sig && p->sighand) {
++		unsigned long flags;
++		spin_lock_irqsave(&p->sighand->siglock, flags);
++		ret = __group_send_sig_info(sig, info, p);
++		spin_unlock_irqrestore(&p->sighand->siglock, flags);
++	}
++out_unlock:
++	read_unlock(&tasklist_lock);
++	return ret;
++}
++EXPORT_SYMBOL_GPL(kill_proc_info_as_uid);
+ 
+ /*
+  * kill_something_info() interprets pid in interesting ways just like kill(2).
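Review bot: kill_proc_info_as_uid (kernel/signal.c hunk) resolves the saved as->pid with find_task_by_pid() only at completion time, so if the submitting process has already exited and its pid has been reused by an unrelated process whose uid/euid matches the values captured at submit time, the completion signal is delivered to that process; the uid check narrows this window but does not close it, and the devio.c caller discards the return value, so the -ESRCH/-EPERM outcomes are never observed (that caller's enclosing function begins outside its hunk). This residual is worth recording at the new fields in struct async, e.g. `/* submitter identity captured at submit time; the pid may be reused before completion, so delivery is best-effort */`. Separately, when sig == 0 or p->sighand is already NULL, ret keeps its `-EINVAL` initialiser, which reads as "invalid signal" although the signal passed valid_signal(); a comment above `if (sig && p->sighand)` stating that an already-torn-down sighand is reported as -EINVAL on purpose, or a distinct return value for that case, would make the intent explicit. Minor: the line `kill_proc_info_as_uid(as->signr, &sinfo, as->pid, as->uid, ` carries trailing whitespace.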

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	Sun Jan  8 22:09:48 2006
@@ -26,3 +26,4 @@
 + kernel-dont-reap-traced.dpatch
 + net-sdla-coverty.dpatch
 + ptrace-fix_self-attach_rule.dpatch
++ async-urb-delivery-oops.dpatch


