[kernel] r5361 - in
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian:
. patches patches/series
Dann Frazier
dannf at costa.debian.org
Sun Jan 8 22:09:50 UTC 2006
Author: dannf
Date: Sun Jan 8 22:09:48 2006
New Revision: 5361
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/async-urb-delivery-oops.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
Log:
* async-urb-delivery-oops.dpatch:
[SECURITY] Fix oops that can result from a process terminating before
an issued URB request completes.
See CVE-2005-3055
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sun Jan 8 22:09:48 2006
@@ -152,7 +152,12 @@
a local DoS (crash).
See CVE-2005-3783
- -- dann frazier <dannf at debian.org> Sun, 8 Jan 2006 13:50:51 -0700
+ * async-urb-delivery-oops.dpatch:
+ [SECURITY] Fix oops that can result from a process terminating before
+ an issued URB request completes.
+ See CVE-2005-3055
+
+ -- dann frazier <dannf at debian.org> Sun, 8 Jan 2006 15:08:21 -0700
kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/async-urb-delivery-oops.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/async-urb-delivery-oops.dpatch Sun Jan 8 22:09:48 2006
@@ -0,0 +1,133 @@
+From: Harald Welte <laforge at gnumonks.org>
+Date: Mon, 10 Oct 2005 17:44:29 +0000 (+0200)
+Subject: [PATCH] Fix signal sending in usbdevio on async URB completion
+X-Git-Tag: v2.6.14-rc4
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=46113830a18847cff8da73005e57bc49c2f95a56
+
+[PATCH] Fix signal sending in usbdevio on async URB completion
+
+If a process issues an URB from userspace and (starts to) terminate
+before the URB comes back, we run into the issue described above. This
+is because the urb saves a pointer to "current" when it is posted to the
+device, but there's no guarantee that this pointer is still valid
+afterwards.
+
+In fact, there are three separate issues:
+
+1) the pointer to "current" can become invalid, since the task could be
+ completely gone when the URB completion comes back from the device.
+
+2) Even if the saved task pointer is still pointing to a valid task_struct,
+ task_struct->sighand could have gone meanwhile.
+
+3) Even if the process is perfectly fine, permissions may have changed,
+ and we can no longer send it a signal.
+
+So what we do instead, is to save the PID and uid's of the process, and
+introduce a new kill_proc_info_as_uid() function.
+
+Signed-off-by: Harald Welte <laforge at gnumonks.org>
+[ Fixed up types and added symbol exports ]
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+Backported to 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urN kernel-source-2.6.8-2.6.8.orig/drivers/usb/core/devio.c kernel-source-2.6.8-2.6.8/drivers/usb/core/devio.c
+--- kernel-source-2.6.8-2.6.8.orig/drivers/usb/core/devio.c 2004-08-13 23:36:58.000000000 -0600
++++ kernel-source-2.6.8-2.6.8/drivers/usb/core/devio.c 2006-01-08 15:02:41.000000000 -0700
+@@ -30,6 +30,8 @@
+ * Revision history
+ * 22.12.1999 0.1 Initial release (split from proc_usb.c)
+ * 04.01.2000 0.2 Turned into its own filesystem
++ * 30.09.2005 0.3 Fix user-triggerable oops in async URB delivery
++ * (CAN-2005-3055)
+ */
+
+ /*****************************************************************************/
+@@ -53,7 +55,8 @@
+ struct async {
+ struct list_head asynclist;
+ struct dev_state *ps;
+- struct task_struct *task;
++ pid_t pid;
++ uid_t uid, euid;
+ unsigned int signr;
+ unsigned int ifnum;
+ void __user *userbuffer;
+@@ -270,7 +273,8 @@
+ sinfo.si_errno = as->urb->status;
+ sinfo.si_code = SI_ASYNCIO;
+ sinfo.si_addr = as->userurb;
+- send_sig_info(as->signr, &sinfo, as->task);
++ kill_proc_info_as_uid(as->signr, &sinfo, as->pid, as->uid,
++ as->euid);
+ }
+ wake_up(&ps->wait);
+ }
+@@ -940,7 +944,9 @@
+ as->userbuffer = NULL;
+ as->signr = uurb.signr;
+ as->ifnum = ifnum;
+- as->task = current;
++ as->pid = current->pid;
++ as->uid = current->uid;
++ as->euid = current->euid;
+ if (!(uurb.endpoint & USB_DIR_IN)) {
+ if (copy_from_user(as->urb->transfer_buffer, uurb.buffer, as->urb->transfer_buffer_length)) {
+ free_async(as);
+diff -urN kernel-source-2.6.8-2.6.8.orig/include/linux/sched.h kernel-source-2.6.8-2.6.8/include/linux/sched.h
+--- kernel-source-2.6.8-2.6.8.orig/include/linux/sched.h 2004-08-13 23:36:16.000000000 -0600
++++ kernel-source-2.6.8-2.6.8/include/linux/sched.h 2006-01-08 15:03:23.000000000 -0700
+@@ -794,6 +794,7 @@
+ extern int kill_pg_info(int, struct siginfo *, pid_t);
+ extern int kill_sl_info(int, struct siginfo *, pid_t);
+ extern int kill_proc_info(int, struct siginfo *, pid_t);
++extern int kill_proc_info_as_uid(int, struct siginfo *, pid_t, uid_t, uid_t);
+ extern void notify_parent(struct task_struct *, int);
+ extern void do_notify_parent(struct task_struct *, int);
+ extern void force_sig(int, struct task_struct *);
+diff -urN kernel-source-2.6.8-2.6.8.orig/kernel/signal.c kernel-source-2.6.8-2.6.8/kernel/signal.c
+--- kernel-source-2.6.8-2.6.8.orig/kernel/signal.c 2006-01-08 13:48:04.000000000 -0700
++++ kernel-source-2.6.8-2.6.8/kernel/signal.c 2006-01-08 15:01:21.000000000 -0700
+@@ -1154,6 +1154,40 @@
+ return error;
+ }
+
++/* like kill_proc_info(), but doesn't use uid/euid of "current" */
++int kill_proc_info_as_uid(int sig, struct siginfo *info, pid_t pid,
++ uid_t uid, uid_t euid)
++{
++ int ret = -EINVAL;
++ struct task_struct *p;
++
++ if (!valid_signal(sig))
++ return ret;
++
++ read_lock(&tasklist_lock);
++ p = find_task_by_pid(pid);
++ if (!p) {
++ ret = -ESRCH;
++ goto out_unlock;
++ }
++ if ((!info || ((unsigned long)info != 1 &&
++ (unsigned long)info != 2 && SI_FROMUSER(info)))
++ && (euid != p->suid) && (euid != p->uid)
++ && (uid != p->suid) && (uid != p->uid)) {
++ ret = -EPERM;
++ goto out_unlock;
++ }
++ if (sig && p->sighand) {
++ unsigned long flags;
++ spin_lock_irqsave(&p->sighand->siglock, flags);
++ ret = __group_send_sig_info(sig, info, p);
++ spin_unlock_irqrestore(&p->sighand->siglock, flags);
++ }
++out_unlock:
++ read_unlock(&tasklist_lock);
++ return ret;
++}
++EXPORT_SYMBOL_GPL(kill_proc_info_as_uid);
+
+ /*
+ * kill_something_info() interprets pid in interesting ways just like kill(2).
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2 Sun Jan 8 22:09:48 2006
@@ -26,3 +26,4 @@
+ kernel-dont-reap-traced.dpatch
+ net-sdla-coverty.dpatch
+ ptrace-fix_self-attach_rule.dpatch
++ async-urb-delivery-oops.dpatch
More information about the Kernel-svn-changes
mailing list