[kernel] r8376 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Tue Mar 20 08:04:29 UTC 2007


Author: dannf
Date: Tue Mar 20 07:04:27 2007
New Revision: 8376

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/listxattr-mem-corruption.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* listxattr-mem-corruption.dpatch
  [SECURITY] Fix userspace corruption vulnerability caused by
  incorrectly promoted return values in bad_inode_ops
  See CVE-2006-5753

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Tue Mar 20 07:04:27 2007
@@ -24,8 +24,12 @@
     [SECURITY] Add additional length checks to avoid potential remote
     DoS attacks in the handling of CAPI messages in the bluetooth driver
     See CVE-2006-6106
+  * listxattr-mem-corruption.dpatch
+    [SECURITY] Fix userspace corruption vulnerability caused by
+    incorrectly promoted return values in bad_inode_ops
+    See CVE-2006-5753
 
- -- dann frazier <dannf at debian.org>  Tue, 27 Feb 2007 00:00:25 -0700
+ -- dann frazier <dannf at debian.org>  Tue, 20 Mar 2007 00:47:10 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/listxattr-mem-corruption.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/listxattr-mem-corruption.dpatch	Tue Mar 20 07:04:27 2007
@@ -0,0 +1,400 @@
+From: Eric Sandeen <sandeen at redhat.com>
+Date: Sat, 6 Jan 2007 00:36:36 +0000 (-0800)
+Subject: [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
+X-Git-Tag: v2.6.20-rc4~60
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8;hp=2723f9603a8f8bb2cd8c7b581f7c94b8d75e3837
+
+[PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
+
+CVE-2006-5753 is for a case where an inode can be marked bad, switching
+the ops to bad_inode_ops, which are all connected as:
+
+static int return_EIO(void)
+{
+        return -EIO;
+}
+
+#define EIO_ERROR ((void *) (return_EIO))
+
+static struct inode_operations bad_inode_ops =
+{
+        .create         = bad_inode_create
+...etc...
+
+The problem here is that the void cast causes return types to not be
+promoted, and for ops such as listxattr which expect more than 32 bits of
+return value, the 32-bit -EIO is interpreted as a large positive 64-bit
+number, i.e. 0x00000000fffffffa instead of 0xfffffffa.
+
+This goes particularly badly when the return value is taken as a number of
+bytes to copy into, say, a user's buffer for example...
+
+I originally had coded up the fix by creating a return_EIO_<TYPE> macro
+for each return type, like this:
+
+static int return_EIO_int(void)
+{
+	return -EIO;
+}
+#define EIO_ERROR_INT ((void *) (return_EIO_int))
+
+static struct inode_operations bad_inode_ops =
+{
+	.create		= EIO_ERROR_INT,
+...etc...
+
+but Al felt that it was probably better to create an EIO-returner for each
+actual op signature.  Since so few ops share a signature, I just went ahead
+& created an EIO function for each individual file & inode op that returns
+a value.
+
+Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+Cc: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+--- kernel-source-2.6.8.orig/fs/bad_inode.c	2004-08-13 23:36:32.000000000 -0600
++++ kernel-source-2.6.8/fs/bad_inode.c	2007-03-20 01:02:40.000000000 -0600
+@@ -14,6 +14,125 @@
+ #include <linux/time.h>
+ #include <linux/smp_lock.h>
+ #include <linux/namei.h>
++#include <linux/poll.h>
++
++
++static loff_t bad_file_llseek(struct file *file, loff_t offset, int origin)
++{
++	return -EIO;
++}
++
++static ssize_t bad_file_read(struct file *filp, char __user *buf,
++			size_t size, loff_t *ppos)
++{
++        return -EIO;
++}
++
++static ssize_t bad_file_write(struct file *filp, const char __user *buf,
++			size_t siz, loff_t *ppos)
++{
++        return -EIO;
++}
++
++static ssize_t bad_file_aio_read(struct kiocb *iocb, char __user *buf,
++				 size_t siz, loff_t pos)
++{
++	return -EIO;
++}
++
++static ssize_t bad_file_aio_write(struct kiocb *iocb, const char __user *buf,
++			size_t siz, loff_t pos)
++{
++	return -EIO;
++}
++
++static int bad_file_readdir(struct file *filp, void *dirent, filldir_t filldir)
++{
++	return -EIO;
++}
++
++static unsigned int bad_file_poll(struct file *filp, poll_table *wait)
++{
++	return POLLERR;
++}
++
++static int bad_file_ioctl (struct inode *inode, struct file *filp,
++			unsigned int cmd, unsigned long arg)
++{
++	return -EIO;
++}
++
++static int bad_file_mmap(struct file *file, struct vm_area_struct *vma)
++{
++	return -EIO;
++}
++
++static int bad_file_open(struct inode *inode, struct file *filp)
++{
++	return -EIO;
++}
++
++static int bad_file_flush(struct file *file)
++{
++	return -EIO;
++}
++
++static int bad_file_release(struct inode *inode, struct file *filp)
++{
++	return -EIO;
++}
++
++static int bad_file_fsync(struct file *file, struct dentry *dentry,
++			int datasync)
++{
++	return -EIO;
++}
++
++static int bad_file_aio_fsync(struct kiocb *iocb, int datasync)
++{
++	return -EIO;
++}
++
++static int bad_file_fasync(int fd, struct file *filp, int on)
++{
++	return -EIO;
++}
++
++static int bad_file_lock(struct file *file, int cmd, struct file_lock *fl)
++{
++	return -EIO;
++}
++
++static ssize_t bad_file_readv(struct file *filp, const struct iovec *iov,
++			unsigned long nr_segs, loff_t *ppos)
++{
++	return -EIO;
++}
++
++static ssize_t bad_file_writev(struct file *filp, const struct iovec *iov,
++			unsigned long nr_segs, loff_t *ppos)
++{
++	return -EIO;
++}
++
++static ssize_t bad_file_sendfile(struct file *in_file, loff_t *ppos,
++			size_t count, read_actor_t actor, void *target)
++{
++	return -EIO;
++}
++
++static ssize_t bad_file_sendpage(struct file *file, struct page *page,
++			int off, size_t len, loff_t *pos, int more)
++{
++	return -EIO;
++}
++
++static unsigned long bad_file_get_unmapped_area(struct file *file,
++				unsigned long addr, unsigned long len,
++				unsigned long pgoff, unsigned long flags)
++{
++	return -EIO;
++}
+ 
+ /*
+  * The follow_link operation is special: it must behave as a no-op
+@@ -26,59 +145,152 @@ static int bad_follow_link(struct dentry
+ 	return 0;
+ }
+ 
+-static int return_EIO(void)
++static struct file_operations bad_file_ops =
++{
++	.llseek		= bad_file_llseek,
++	.read		= bad_file_read,
++	.write		= bad_file_write,
++	.aio_read	= bad_file_aio_read,
++	.aio_write	= bad_file_aio_write,
++	.readdir	= bad_file_readdir,
++	.poll		= bad_file_poll,
++	.ioctl		= bad_file_ioctl,
++	.mmap		= bad_file_mmap,
++	.open		= bad_file_open,
++	.flush		= bad_file_flush,
++	.release	= bad_file_release,
++	.fsync		= bad_file_fsync,
++	.aio_fsync	= bad_file_aio_fsync,
++	.fasync		= bad_file_fasync,
++	.lock		= bad_file_lock,
++	.readv		= bad_file_readv,
++	.writev		= bad_file_writev,
++	.sendfile	= bad_file_sendfile,
++	.sendpage	= bad_file_sendpage,
++	.get_unmapped_area = bad_file_get_unmapped_area,
++};
++
++static int bad_inode_create (struct inode *dir, struct dentry *dentry,
++		int mode, struct nameidata *nd)
+ {
+ 	return -EIO;
+ }
+ 
+-#define EIO_ERROR ((void *) (return_EIO))
++static struct dentry *bad_inode_lookup(struct inode *dir,
++			struct dentry *dentry, struct nameidata *nd)
++{
++	return ERR_PTR(-EIO);
++}
+ 
+-static struct file_operations bad_file_ops =
++static int bad_inode_link (struct dentry *old_dentry, struct inode *dir,
++		struct dentry *dentry)
+ {
+-	.llseek		= EIO_ERROR,
+-	.aio_read	= EIO_ERROR,
+-	.read		= EIO_ERROR,
+-	.write		= EIO_ERROR,
+-	.aio_write	= EIO_ERROR,
+-	.readdir	= EIO_ERROR,
+-	.poll		= EIO_ERROR,
+-	.ioctl		= EIO_ERROR,
+-	.mmap		= EIO_ERROR,
+-	.open		= EIO_ERROR,
+-	.flush		= EIO_ERROR,
+-	.release	= EIO_ERROR,
+-	.fsync		= EIO_ERROR,
+-	.aio_fsync	= EIO_ERROR,
+-	.fasync		= EIO_ERROR,
+-	.lock		= EIO_ERROR,
+-	.readv		= EIO_ERROR,
+-	.writev		= EIO_ERROR,
+-	.sendfile	= EIO_ERROR,
+-	.sendpage	= EIO_ERROR,
+-	.get_unmapped_area = EIO_ERROR,
+-};
++	return -EIO;
++}
++
++static int bad_inode_unlink(struct inode *dir, struct dentry *dentry)
++{
++	return -EIO;
++}
++
++static int bad_inode_symlink (struct inode *dir, struct dentry *dentry,
++		const char *symname)
++{
++	return -EIO;
++}
++
++static int bad_inode_mkdir(struct inode *dir, struct dentry *dentry,
++			int mode)
++{
++	return -EIO;
++}
++
++static int bad_inode_rmdir (struct inode *dir, struct dentry *dentry)
++{
++	return -EIO;
++}
++
++static int bad_inode_mknod (struct inode *dir, struct dentry *dentry,
++			int mode, dev_t rdev)
++{
++	return -EIO;
++}
++
++static int bad_inode_rename (struct inode *old_dir, struct dentry *old_dentry,
++		struct inode *new_dir, struct dentry *new_dentry)
++{
++	return -EIO;
++}
++
++static int bad_inode_readlink(struct dentry *dentry, char __user *buffer,
++		int buflen)
++{
++	return -EIO;
++}
++
++static int bad_inode_permission(struct inode *inode, int mask,
++			struct nameidata *nd)
++{
++	return -EIO;
++}
++
++static int bad_inode_getattr(struct vfsmount *mnt, struct dentry *dentry,
++			struct kstat *stat)
++{
++	return -EIO;
++}
++
++static int bad_inode_setattr(struct dentry *direntry, struct iattr *attrs)
++{
++	return -EIO;
++}
++
++static int bad_inode_setxattr(struct dentry *dentry, const char *name,
++		const void *value, size_t size, int flags)
++{
++	return -EIO;
++}
++
++static ssize_t bad_inode_getxattr(struct dentry *dentry, const char *name,
++			void *buffer, size_t size)
++{
++	return -EIO;
++}
++
++static ssize_t bad_inode_listxattr(struct dentry *dentry, char *buffer,
++			size_t buffer_size)
++{
++	return -EIO;
++}
++
++static int bad_inode_removexattr(struct dentry *dentry, const char *name)
++{
++	return -EIO;
++}
+ 
+ struct inode_operations bad_inode_ops =
+ {
+-	.create		= EIO_ERROR,
+-	.lookup		= EIO_ERROR,
+-	.link		= EIO_ERROR,
+-	.unlink		= EIO_ERROR,
+-	.symlink	= EIO_ERROR,
+-	.mkdir		= EIO_ERROR,
+-	.rmdir		= EIO_ERROR,
+-	.mknod		= EIO_ERROR,
+-	.rename		= EIO_ERROR,
+-	.readlink	= EIO_ERROR,
++	.create		= bad_inode_create,
++	.lookup		= bad_inode_lookup,
++	.link		= bad_inode_link,
++	.unlink		= bad_inode_unlink,
++	.symlink	= bad_inode_symlink,
++	.mkdir		= bad_inode_mkdir,
++	.rmdir		= bad_inode_rmdir,
++	.mknod		= bad_inode_mknod,
++	.rename		= bad_inode_rename,
++	.readlink	= bad_inode_readlink,
+ 	.follow_link	= bad_follow_link,
+-	.truncate	= EIO_ERROR,
+-	.permission	= EIO_ERROR,
+-	.getattr	= EIO_ERROR,
+-	.setattr	= EIO_ERROR,
+-	.setxattr	= EIO_ERROR,
+-	.getxattr	= EIO_ERROR,
+-	.listxattr	= EIO_ERROR,
+-	.removexattr	= EIO_ERROR,
++	/* put_link returns void */
++	/* truncate returns void */
++	.permission	= bad_inode_permission,
++	.getattr	= bad_inode_getattr,
++	.setattr	= bad_inode_setattr,
++	.setxattr	= bad_inode_setxattr,
++	.getxattr	= bad_inode_getxattr,
++	.listxattr	= bad_inode_listxattr,
++	.removexattr	= bad_inode_removexattr,
++	/* truncate_range returns void */
+ };
+ 
+ 
+@@ -100,7 +312,7 @@ struct inode_operations bad_inode_ops =
+  *	on it to fail from this point on.
+  */
+  
+-void make_bad_inode(struct inode * inode) 
++void make_bad_inode(struct inode *inode)
+ {
+ 	remove_inode_hash(inode);
+ 
+@@ -124,7 +336,7 @@ EXPORT_SYMBOL(make_bad_inode);
+  *	Returns true if the inode in question has been marked as bad.
+  */
+  
+-int is_bad_inode(struct inode * inode) 
++int is_bad_inode(struct inode *inode)
+ {
+ 	return (inode->i_op == &bad_inode_ops);	
+ }
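Review bot: The stubs added to fs/bad_inode.c are indented inconsistently — bad_file_read and bad_file_write use eight spaces before `return -EIO;` where every other stub uses a tab, and bad_file_ioctl, bad_inode_create, bad_inode_link, bad_inode_symlink, bad_inode_rmdir, bad_inode_mknod and bad_inode_rename put a space before the parameter list while their siblings do not; a tab throughout and `bad_file_ioctl(` etc. would match the rest of the file. The reason each op now gets its own correctly typed function lives only in the patch header, so a short comment above bad_file_llseek would keep the rationale with the code, e.g. `/* One stub per op signature: a single int-returning function cast to void * is not promoted, so callers expecting ssize_t, loff_t or a pointer misread -EIO (CVE-2006-5753). */`. The `/* truncate_range returns void */` comment in bad_inode_ops looks carried over from the upstream 2.6.20 patch; if the 2.6.8 struct inode_operations has no truncate_range member the comment is misleading in this backport and could be dropped. The `.truncate` slot is no longer populated, which is presumably safe only because its callers test the pointer for NULL before calling it — worth confirming in the 2.6.8 tree.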

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	Tue Mar 20 07:04:27 2007
@@ -4,3 +4,4 @@
 + dvb-core-handle-0-length-ule-sndu.dpatch
 + smbfs-honor-mount-opts-2.dpatch
 + bluetooth-capi-size-checks.dpatch
++ listxattr-mem-corruption.dpatch


