[kernel] r9538 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Thu Sep 20 14:34:52 UTC 2007


Author: dannf
Date: Thu Sep 20 14:34:52 2007
New Revision: 9538

Log:
* bugfix/ptrace-handle-bogus-selector.patch,
  bugfix/fixup-trace_irq-breakage.patch
  [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
  during ptrace single-step operations that can be used to trigger a
  NULL-pointer dereference causing an Oops.

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/fixup-trace_irq-breakage.patch
   dists/etch-security/linux-2.6/debian/patches/bugfix/ptrace-handle-bogus-selector.patch
   dists/etch-security/linux-2.6/debian/patches/series/13etch3
Modified:
   dists/etch-security/linux-2.6/debian/changelog

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Thu Sep 20 14:34:52 2007
@@ -1,3 +1,13 @@
+linux-2.6 (2.6.18.dfsg.1-13etch3) UNRELEASED; urgency=low
+
+  * bugfix/ptrace-handle-bogus-selector.patch,
+    bugfix/fixup-trace_irq-breakage.patch
+    [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
+    during ptrace single-step operations that can be used to trigger a
+    NULL-pointer dereference causing an Oops.
+
+ -- dann frazier <dannf at debian.org>  Thu, 20 Sep 2007 08:24:55 -0600
+
 linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high
 
   * bugfix/ipv4-fib_props-out-of-bounds.patch

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/fixup-trace_irq-breakage.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/fixup-trace_irq-breakage.patch	Thu Sep 20 14:34:52 2007
@@ -0,0 +1,64 @@
+From: Peter Zijlstra <peterz at infradead.org>
+Date: Wed, 18 Jul 2007 18:59:22 +0000 (+0200)
+Subject: i386: fixup TRACE_IRQ breakage
+X-Git-Tag: v2.6.23-rc1~491
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a10d9a71bafd3a283da240d2868e71346d2aef6f
+
+i386: fixup TRACE_IRQ breakage
+
+The TRACE_IRQS_ON function in iret_exc: calls a C function without
+ensuring that the segments are set properly. Move the trace function and
+the enabling of interrupt into the C stub.
+
+Signed-off-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/entry.S linux-source-2.6.18/arch/i386/kernel/entry.S
+--- linux-source-2.6.18.orig/arch/i386/kernel/entry.S	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/entry.S	2007-09-19 23:53:22.929573806 -0600
+@@ -384,8 +384,6 @@ restore_nocheck_notrace:
+ 1:	iret
+ .section .fixup,"ax"
+ iret_exc:
+-	TRACE_IRQS_ON
+-	sti
+ 	pushl $0			# no error code
+ 	pushl $do_iret_error
+ 	jmp error_code
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/traps.c linux-source-2.6.18/arch/i386/kernel/traps.c
+--- linux-source-2.6.18.orig/arch/i386/kernel/traps.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/traps.c	2007-09-19 23:47:18.209575527 -0600
+@@ -516,10 +516,12 @@ fastcall void do_##name(struct pt_regs *
+ 	do_trap(trapnr, signr, str, 0, regs, error_code, NULL); \
+ }
+ 
+-#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr) \
++#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr, irq) \
+ fastcall void do_##name(struct pt_regs * regs, long error_code) \
+ { \
+ 	siginfo_t info; \
++	if (irq) \
++		local_irq_enable(); \
+ 	info.si_signo = signr; \
+ 	info.si_errno = 0; \
+ 	info.si_code = sicode; \
+@@ -559,13 +561,13 @@ DO_VM86_ERROR( 3, SIGTRAP, "int3", int3)
+ #endif
+ DO_VM86_ERROR( 4, SIGSEGV, "overflow", overflow)
+ DO_VM86_ERROR( 5, SIGSEGV, "bounds", bounds)
+-DO_ERROR_INFO( 6, SIGILL,  "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip)
++DO_ERROR_INFO( 6, SIGILL,  "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip, 0)
+ DO_ERROR( 9, SIGFPE,  "coprocessor segment overrun", coprocessor_segment_overrun)
+ DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS)
+ DO_ERROR(11, SIGBUS,  "segment not present", segment_not_present)
+ DO_ERROR(12, SIGBUS,  "stack segment", stack_segment)
+-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0)
+-DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0)
++DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0, 0)
++DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0, 1)
+ 
+ fastcall void __kprobes do_general_protection(struct pt_regs * regs,
+ 					      long error_code)
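Review bot: The new `irq` parameter of DO_ERROR_INFO (the `+#define DO_ERROR_INFO(..., irq)` line) is undocumented, and its meaning is only recoverable by reading the entry.S hunk, which drops `TRACE_IRQS_ON` and `sti` from the iret_exc fixup stub so that the enabling now happens in C after the segment registers have been set up. I'd put a comment above the macro: `/* irq: non-zero when the trap is entered with interrupts still disabled and the handler must enable them itself (the iret_exc fixup path); this replaces the sti formerly done in entry.S before segments were valid */`. Only do_iret_error passes 1; the other two users pass 0, so `if (irq)` on a literal argument folds at compile time and this is a documentation point, not a behavioural one. The DO_ERROR_INFO body continues past the end of the hunk.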

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/ptrace-handle-bogus-selector.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/ptrace-handle-bogus-selector.patch	Thu Sep 20 14:34:52 2007
@@ -0,0 +1,86 @@
+From: Roland McGrath <roland at redhat.com>
+Date: Mon, 16 Jul 2007 08:03:16 +0000 (-0700)
+Subject: Handle bogus %cs selector in single-step instruction decoding
+X-Git-Tag: v2.6.23-rc1~492
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=29eb51101c02df517ca64ec472d7501127ad1da8
+
+Handle bogus %cs selector in single-step instruction decoding
+
+The code for LDT segment selectors was not robust in the face of a bogus
+selector set in %cs via ptrace before the single-step was done.
+
+Signed-off-by: Roland McGrath <roland at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c linux-source-2.6.18/arch/i386/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/ptrace.c	2007-09-19 23:45:45.949576125 -0600
+@@ -172,14 +172,22 @@ static unsigned long convert_eip_to_line
+ 		u32 *desc;
+ 		unsigned long base;
+ 
+-		down(&child->mm->context.sem);
+-		desc = child->mm->context.ldt + (seg & ~7);
+-		base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++		seg &= ~7UL;
+ 
+-		/* 16-bit code segment? */
+-		if (!((desc[1] >> 22) & 1))
+-			addr &= 0xffff;
+-		addr += base;
++		down(&child->mm->context.sem);
++		if (unlikely((seg >> 3) >= child->mm->context.size))
++			addr = -1L; /* bogus selector, access would fault */
++		else {
++			desc = child->mm->context.ldt + seg;
++			base = ((desc[0] >> 16) |
++				((desc[1] & 0xff) << 16) |
++				(desc[1] & 0xff000000));
++
++			/* 16-bit code segment? */
++			if (!((desc[1] >> 22) & 1))
++				addr &= 0xffff;
++			addr += base;
++		}
+ 		up(&child->mm->context.sem);
+ 	}
+ 	return addr;
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c linux-source-2.6.18/arch/x86_64/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/kernel/ptrace.c	2007-09-19 23:45:45.953575027 -0600
+@@ -103,16 +103,25 @@ unsigned long convert_rip_to_linear(stru
+ 		u32 *desc;
+ 		unsigned long base;
+ 
+-		down(&child->mm->context.sem);
+-		desc = child->mm->context.ldt + (seg & ~7);
+-		base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++		seg &= ~7UL;
+ 
+-		/* 16-bit code segment? */
+-		if (!((desc[1] >> 22) & 1))
+-			addr &= 0xffff;
+-		addr += base;
++		down(&child->mm->context.sem);
++		if (unlikely((seg >> 3) >= child->mm->context.size))
++			addr = -1L; /* bogus selector, access would fault */
++		else {
++			desc = child->mm->context.ldt + seg;
++			base = ((desc[0] >> 16) |
++				((desc[1] & 0xff) << 16) |
++				(desc[1] & 0xff000000));
++
++			/* 16-bit code segment? */
++			if (!((desc[1] >> 22) & 1))
++				addr &= 0xffff;
++			addr += base;
++		}
+ 		up(&child->mm->context.sem);
+ 	}
++
+ 	return addr;
+ }
+ 
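Review bot: The new bound check `if (unlikely((seg >> 3) >= child->mm->context.size))` correctly rejects an LDT index past the table (and the `context.size == 0` / NULL-ldt case, since any index compares >= 0), but the `addr = -1L; /* bogus selector, access would fault */` comment leaves the sentinel's contract implicit: the function returns a linear address, and a caller cannot tell "bogus selector" apart from a real address unless it treats ~0UL as unusable, which I cannot confirm from the hunk. I'd expand the comment to `/* bogus selector: index is beyond the LDT; return an address the caller's access will fault on instead of reading past the table */`. The x86_64 hunk (convert_rip_to_linear) makes the identical change and should carry the same comment. convert_eip_to_linear's body, including the branch that selects the LDT path, begins outside the hunk.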

Added: dists/etch-security/linux-2.6/debian/patches/series/13etch3
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch3	Thu Sep 20 14:34:52 2007
@@ -0,0 +1,2 @@
++ bugfix/ptrace-handle-bogus-selector.patch
++ bugfix/fixup-trace_irq-breakage.patch


