[kernel] r5632 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf at costa.debian.org
Mon Jan 30 04:59:29 UTC 2006


Author: dannf
Date: Mon Jan 30 04:59:27 2006
New Revision: 5632

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/204_arch-ia64-ptrace-getregs-putregs.diff
      - copied unchanged from r5629, dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/arch-ia64-ptrace-getregs-putregs.dpatch
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/205_arch-ia64-ptrace-restore_sigcontext.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge2
Log:
* Fix unchecked user-memory accesses in ptrace_getregs() and ptrace_setregs().
  This is a dependency for the CAN-2005-1761 fix.
  204_arch-ia64-ptrace-getregs-putregs.diff
* [SECURITY] Fix to prevent users from using ptrace to set the pl field
  of the ar.rsc register to any value, leading to the ability to overwrite
  kernel memory.  See CAN-2005-1761.
  205_arch-ia64-ptrace-restore_sigcontext.diff

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Mon Jan 30 04:59:27 2006
@@ -101,7 +101,16 @@
     environment variables of another process.
     203_proc_pid_cmdline_race.diff
 
- -- dann frazier <dannf at debian.org>  Mon, 16 Jan 2006 20:49:04 -0700
+  * Fix unchecked user-memory accesses in ptrage_getregs() and ptrace_setregs.
+    This is a dependency for the CAN-2005-1761 fix.
+    204_arch-ia64-ptrace-getregs-putregs.diff
+
+  * [SECURITY] Fix to prevent users from using ptrace to set the pl field
+    of the ar.rsc reginster to any value, leading to the ability to overwrite
+    kernel memory.  See CAN-2005-1761.
+    205_arch-ia64-ptrace-restore_sigcontext.diff
+
+ -- dann frazier <dannf at debian.org>  Sun, 29 Jan 2006 21:48:00 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge1) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/205_arch-ia64-ptrace-restore_sigcontext.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/205_arch-ia64-ptrace-restore_sigcontext.diff	Mon Jan 30 04:59:27 2006
@@ -0,0 +1,82 @@
+diff -urN kernel-source-2.4.27-2.4.27.orig/arch/ia64/kernel/ptrace.c kernel-source-2.4.27-2.4.27/arch/ia64/kernel/ptrace.c
+--- kernel-source-2.4.27-2.4.27.orig/arch/ia64/kernel/ptrace.c	2006-01-29 21:43:54.000000000 -0700
++++ kernel-source-2.4.27-2.4.27/arch/ia64/kernel/ptrace.c	2006-01-29 21:45:24.000000000 -0700
+@@ -851,6 +851,13 @@
+ 				*data = (pt->cr_ipsr & IPSR_READ_MASK);
+ 			return 0;
+ 
++		      case PT_AR_RSC:
++			if (write_access)
++				pt->ar_rsc = *data | (3 << 2); /* force PL3 */
++			else
++				*data = pt->ar_rsc;
++			return 0;
++
+ 		      case PT_AR_RNAT:
+ 			urbs_end = ia64_get_user_rbs_end(child, pt, NULL);
+ 			rnat_addr = (long) ia64_rse_rnat_addr((long *) urbs_end);
+@@ -900,9 +907,6 @@
+ 		      case PT_AR_BSPSTORE:
+ 			ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_bspstore));
+ 			break;
+-		      case PT_AR_RSC: 
+-			ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_rsc));
+-			break;
+ 		      case PT_AR_UNAT: 
+ 			ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_unat));
+ 			break;
+@@ -1134,7 +1138,7 @@
+ static long
+ ptrace_setregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
+ {
+-	unsigned long psr, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
++	unsigned long psr, rsc, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
+ 	struct unw_frame_info info;
+ 	struct switch_stack *sw;
+ 	struct ia64_fpreg fpval;
+@@ -1171,7 +1175,7 @@
+ 	/* app regs */
+ 
+ 	retval |= __get_user(pt->ar_pfs, &ppr->ar[PT_AUR_PFS]);
+-	retval |= __get_user(pt->ar_rsc, &ppr->ar[PT_AUR_RSC]);
++	retval |= __get_user(rsc, &ppr->ar[PT_AUR_RSC]);
+ 	retval |= __get_user(pt->ar_bspstore, &ppr->ar[PT_AUR_BSPSTORE]);
+ 	retval |= __get_user(pt->ar_unat, &ppr->ar[PT_AUR_UNAT]);
+ 	retval |= __get_user(pt->ar_ccv, &ppr->ar[PT_AUR_CCV]);
+@@ -1264,6 +1268,7 @@
+ 	retval |= __get_user(nat_bits, &ppr->nat);
+ 
+ 	retval |= access_uarea(child, PT_CR_IPSR, &psr, 1);
++	retval |= access_uarea(child, PT_AR_RSC, &rsc, 1);
+ 	retval |= access_uarea(child, PT_AR_EC, &ec, 1);
+ 	retval |= access_uarea(child, PT_AR_LC, &lc, 1);
+ 	retval |= access_uarea(child, PT_AR_RNAT, &rnat, 1);
+diff -urN kernel-source-2.4.27-2.4.27.orig/arch/ia64/kernel/signal.c kernel-source-2.4.27-2.4.27/arch/ia64/kernel/signal.c
+--- kernel-source-2.4.27-2.4.27.orig/arch/ia64/kernel/signal.c	2004-04-14 07:05:26.000000000 -0600
++++ kernel-source-2.4.27-2.4.27/arch/ia64/kernel/signal.c	2006-01-29 21:44:48.000000000 -0700
+@@ -104,7 +104,7 @@
+ static long
+ restore_sigcontext (struct sigcontext *sc, struct sigscratch *scr)
+ {
+-	unsigned long ip, flags, nat, um, cfm;
++	unsigned long ip, flags, nat, um, cfm, rsc;
+ 	long err;
+ 
+ 	/* restore scratch that always needs gets updated during signal delivery: */
+@@ -114,7 +114,7 @@
+ 	err |= __get_user(ip, &sc->sc_ip);			/* instruction pointer */
+ 	err |= __get_user(cfm, &sc->sc_cfm);
+ 	err |= __get_user(um, &sc->sc_um);			/* user mask */
+-	err |= __get_user(scr->pt.ar_rsc, &sc->sc_ar_rsc);
++	err |= __get_user(rsc, &sc->sc_ar_rsc);
+ 	err |= __get_user(scr->pt.ar_unat, &sc->sc_ar_unat);
+ 	err |= __get_user(scr->pt.ar_fpsr, &sc->sc_ar_fpsr);
+ 	err |= __get_user(scr->pt.ar_pfs, &sc->sc_ar_pfs);
+@@ -139,6 +139,7 @@
+ 	}
+ 
+ 	scr->pt.cr_ifs = cfm | (1UL << 63);
++	scr->pt.ar_rsc = rsc | (3 << 2); /* force PL3 */
+ 
+ 	/* establish new instruction pointer: */
+ 	scr->pt.cr_iip = ip & ~0x3UL;
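Review bot: The privilege-level clamp is written as the bare literal `(3 << 2)` in two places (the new `case PT_AR_RSC:` in access_uarea and `scr->pt.ar_rsc = rsc | (3 << 2);` in restore_sigcontext) with only `/* force PL3 */` beside it, so a reader who does not know that ar.rsc bits 3:2 are the pl field cannot tell what is being pinned or why OR-ing is sufficient. I would expand the comment at the first use to `/* ar.rsc bits 3:2 are the privilege level; OR-ing in 3 pins it to PL3 (least privileged) so neither PTRACE_POKEUSR/SETREGS nor sigreturn can hand the register stack engine a kernel privilege level */`, or hoist the mask into one named constant used by both files so the two sites cannot drift apart. The new access_uarea case serves both the read and the write path, so dropping PT_AR_RSC from the pointer-based switch further down is consistent, and routing ptrace_setregs through `access_uarea(child, PT_AR_RSC, &rsc, 1)` keeps a single chokepoint; any other assignment to `pt->ar_rsc` from user-supplied data elsewhere in the tree would need the same treatment, which this diff cannot show. In restore_sigcontext the store into `scr->pt.ar_rsc` is deferred past the block that closes at the `}` above it, so if that block returns early on `err` the register keeps its previous value, which looks intended; the function continues outside the hunk, so I could not confirm that.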

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge2
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge2	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge2	Mon Jan 30 04:59:27 2006
@@ -17,3 +17,5 @@
 + 201_ptrace-fix_self-attach_rule.diff
 + 202_sysctl-buffer-overflow.diff
 + 203_proc_pid_cmdline_race.diff
++ 204_arch-ia64-ptrace-getregs-putregs.diff
++ 205_arch-ia64-ptrace-restore_sigcontext.diff


