[kernel] r5632 - in
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian:
. patches patches/series
Dann Frazier
dannf at costa.debian.org
Mon Jan 30 04:59:29 UTC 2006
Author: dannf
Date: Mon Jan 30 04:59:27 2006
New Revision: 5632
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/204_arch-ia64-ptrace-getregs-putregs.diff
- copied unchanged from r5629, dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-ia64-ptrace-getregs-putregs.dpatch
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/205_arch-ia64-ptrace-restore_sigcontext.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge2
Log:
* Fix unchecked user-memory accesses in ptrace_getregs() and ptrace_setregs.
This is a dependency for the CAN-2005-1761 fix.
204_arch-ia64-ptrace-getregs-putregs.diff
* [SECURITY] Fix to prevent users from using ptrace to set the pl field
of the ar.rsc register to any value, leading to the ability to overwrite
kernel memory. See CAN-2005-1761.
205_arch-ia64-ptrace-restore_sigcontext.diff
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Mon Jan 30 04:59:27 2006
@@ -101,7 +101,16 @@
environment variables of another process.
203_proc_pid_cmdline_race.diff
- -- dann frazier <dannf at debian.org> Mon, 16 Jan 2006 20:49:04 -0700
+ * Fix unchecked user-memory accesses in ptrage_getregs() and ptrace_setregs.
+ This is a dependency for the CAN-2005-1761 fix.
+ 204_arch-ia64-ptrace-getregs-putregs.diff
+
+ * [SECURITY] Fix to prevent users from using ptrace to set the pl field
+ of the ar.rsc reginster to any value, leading to the ability to overwrite
+ kernel memory. See CAN-2005-1761.
+ 205_arch-ia64-ptrace-restore_sigcontext.diff
+
+ -- dann frazier <dannf at debian.org> Sun, 29 Jan 2006 21:48:00 -0700
kernel-source-2.4.27 (2.4.27-10sarge1) stable-security; urgency=high
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/205_arch-ia64-ptrace-restore_sigcontext.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/205_arch-ia64-ptrace-restore_sigcontext.diff Mon Jan 30 04:59:27 2006
@@ -0,0 +1,82 @@
+diff -urN kernel-source-2.4.27-2.4.27.orig/arch/ia64/kernel/ptrace.c kernel-source-2.4.27-2.4.27/arch/ia64/kernel/ptrace.c
+--- kernel-source-2.4.27-2.4.27.orig/arch/ia64/kernel/ptrace.c 2006-01-29 21:43:54.000000000 -0700
++++ kernel-source-2.4.27-2.4.27/arch/ia64/kernel/ptrace.c 2006-01-29 21:45:24.000000000 -0700
+@@ -851,6 +851,13 @@
+ *data = (pt->cr_ipsr & IPSR_READ_MASK);
+ return 0;
+
++ case PT_AR_RSC:
++ if (write_access)
++ pt->ar_rsc = *data | (3 << 2); /* force PL3 */
++ else
++ *data = pt->ar_rsc;
++ return 0;
++
+ case PT_AR_RNAT:
+ urbs_end = ia64_get_user_rbs_end(child, pt, NULL);
+ rnat_addr = (long) ia64_rse_rnat_addr((long *) urbs_end);
+@@ -900,9 +907,6 @@
+ case PT_AR_BSPSTORE:
+ ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_bspstore));
+ break;
+- case PT_AR_RSC:
+- ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_rsc));
+- break;
+ case PT_AR_UNAT:
+ ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_unat));
+ break;
+@@ -1134,7 +1138,7 @@
+ static long
+ ptrace_setregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
+ {
+- unsigned long psr, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
++ unsigned long psr, rsc, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
+ struct unw_frame_info info;
+ struct switch_stack *sw;
+ struct ia64_fpreg fpval;
+@@ -1171,7 +1175,7 @@
+ /* app regs */
+
+ retval |= __get_user(pt->ar_pfs, &ppr->ar[PT_AUR_PFS]);
+- retval |= __get_user(pt->ar_rsc, &ppr->ar[PT_AUR_RSC]);
++ retval |= __get_user(rsc, &ppr->ar[PT_AUR_RSC]);
+ retval |= __get_user(pt->ar_bspstore, &ppr->ar[PT_AUR_BSPSTORE]);
+ retval |= __get_user(pt->ar_unat, &ppr->ar[PT_AUR_UNAT]);
+ retval |= __get_user(pt->ar_ccv, &ppr->ar[PT_AUR_CCV]);
+@@ -1264,6 +1268,7 @@
+ retval |= __get_user(nat_bits, &ppr->nat);
+
+ retval |= access_uarea(child, PT_CR_IPSR, &psr, 1);
++ retval |= access_uarea(child, PT_AR_RSC, &rsc, 1);
+ retval |= access_uarea(child, PT_AR_EC, &ec, 1);
+ retval |= access_uarea(child, PT_AR_LC, &lc, 1);
+ retval |= access_uarea(child, PT_AR_RNAT, &rnat, 1);
+diff -urN kernel-source-2.4.27-2.4.27.orig/arch/ia64/kernel/signal.c kernel-source-2.4.27-2.4.27/arch/ia64/kernel/signal.c
+--- kernel-source-2.4.27-2.4.27.orig/arch/ia64/kernel/signal.c 2004-04-14 07:05:26.000000000 -0600
++++ kernel-source-2.4.27-2.4.27/arch/ia64/kernel/signal.c 2006-01-29 21:44:48.000000000 -0700
+@@ -104,7 +104,7 @@
+ static long
+ restore_sigcontext (struct sigcontext *sc, struct sigscratch *scr)
+ {
+- unsigned long ip, flags, nat, um, cfm;
++ unsigned long ip, flags, nat, um, cfm, rsc;
+ long err;
+
+ /* restore scratch that always needs gets updated during signal delivery: */
+@@ -114,7 +114,7 @@
+ err |= __get_user(ip, &sc->sc_ip); /* instruction pointer */
+ err |= __get_user(cfm, &sc->sc_cfm);
+ err |= __get_user(um, &sc->sc_um); /* user mask */
+- err |= __get_user(scr->pt.ar_rsc, &sc->sc_ar_rsc);
++ err |= __get_user(rsc, &sc->sc_ar_rsc);
+ err |= __get_user(scr->pt.ar_unat, &sc->sc_ar_unat);
+ err |= __get_user(scr->pt.ar_fpsr, &sc->sc_ar_fpsr);
+ err |= __get_user(scr->pt.ar_pfs, &sc->sc_ar_pfs);
+@@ -139,6 +139,7 @@
+ }
+
+ scr->pt.cr_ifs = cfm | (1UL << 63);
++ scr->pt.ar_rsc = rsc | (3 << 2); /* force PL3 */
+
+ /* establish new instruction pointer: */
+ scr->pt.cr_iip = ip & ~0x3UL;
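Review bot: The privilege-forcing expression `(3 << 2)` is written as a bare magic number twice, in the new PT_AR_RSC case of access_uarea (ptrace.c) and in restore_sigcontext (signal.c), each with only `/* force PL3 */` to explain it; a single named constant used at both sites, e.g. a constructed `#define IA64_RSC_FORCE_PL3 (3UL << 2)` in a header both files include, would keep the two sites from drifting, and the comment should state the reason, e.g. `/* pl must stay 3: a lower ar.rsc.pl would let user space drive the RSE over kernel memory (CAN-2005-1761) */`. In ptrace_setregs the new `access_uarea(child, PT_AR_RSC, &rsc, 1)` is issued even when an earlier `__get_user` has already set retval, so an uninitialized `rsc` could be written before the error is reported; this mirrors the existing psr/ec/lc handling rather than introducing a new problem, but a `if (retval) return -EFAULT;`-style bail-out before the access_uarea writes would close it for all of them. Any other path that copies a user-supplied ar_rsc into pt_regs (the separate 204 getregs/putregs patch is referenced but not shown here) presumably needs the same masking, which cannot be confirmed from this page. The bodies of access_uarea, ptrace_setregs and restore_sigcontext all start and end outside these hunks.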
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge2
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge2 (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge2 Mon Jan 30 04:59:27 2006
@@ -17,3 +17,5 @@
+ 201_ptrace-fix_self-attach_rule.diff
+ 202_sysctl-buffer-overflow.diff
+ 203_proc_pid_cmdline_race.diff
++ 204_arch-ia64-ptrace-getregs-putregs.diff
++ 205_arch-ia64-ptrace-restore_sigcontext.diff