[kernel] r11448 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri May 23 22:52:36 UTC 2008


Author: dannf
Date: Fri May 23 22:52:34 2008
New Revision: 11448

Log:
bugfix/sparc-fix-mmap-va-span-checking.patch
bugfix/sparc-fix-mremap-addr-range-validation.patch
[SECURITY] Validate address ranges regardless of MAP_FIXED
See CVE-2008-2137

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/sparc-fix-mmap-va-span-checking.patch
   dists/etch-security/linux-2.6/debian/patches/bugfix/sparc-fix-mremap-addr-range-validation.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/18etch5

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Fri May 23 22:52:34 2008
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.18.dfsg.1-18etch5) UNRELEASED; urgency=high
+linux-2.6 (2.6.18.dfsg.1-18etch5) stable-security; urgency=high
 
   * bugfix/sit-missing-kfree_skb-on-pskb_may_pull.patch
     [SECURITY] Fix remotely-triggerable memory leak in the Simple
@@ -13,8 +13,12 @@
     [SECURITY] Fix local ptrace denial of service for amd64 flavor
     kernels, bug #480390
     See CVE-2008-1615
+  * bugfix/sparc-fix-mmap-va-span-checking.patch
+    bugfix/sparc-fix-mremap-addr-range-validation.patch
+    [SECURITY] Validate address ranges regardless of MAP_FIXED
+    See CVE-2008-2137
 
- -- dann frazier <dannf at debian.org>  Wed, 21 May 2008 01:29:13 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 23 May 2008 10:37:27 -0600
 
 linux-2.6 (2.6.18.dfsg.1-18etch4) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/sparc-fix-mmap-va-span-checking.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/sparc-fix-mmap-va-span-checking.patch	Fri May 23 22:52:34 2008
@@ -0,0 +1,44 @@
+commit 5816339310b2d9623cf413d33e538b45e815da5d
+Author: David S. Miller <davem at davemloft.net>
+Date:   Wed May 7 02:24:28 2008 -0700
+
+    sparc: Fix mmap VA span checking.
+    
+    We should not conditionalize VA range checks on MAP_FIXED.
+    
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/arch/sparc/kernel/sys_sparc.c linux-source-2.6.18/arch/sparc/kernel/sys_sparc.c
+--- linux-source-2.6.18.orig/arch/sparc/kernel/sys_sparc.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/sparc/kernel/sys_sparc.c	2008-05-23 10:13:30.000000000 -0600
+@@ -223,8 +223,7 @@ int sparc_mmap_check(unsigned long addr,
+ {
+ 	if (ARCH_SUN4C_SUN4 &&
+ 	    (len > 0x20000000 ||
+-	     ((flags & MAP_FIXED) &&
+-	      addr < 0xe0000000 && addr + len > 0x20000000)))
++	     (addr < 0xe0000000 && addr + len > 0x20000000)))
+ 		return -EINVAL;
+ 
+ 	/* See asm-sparc/uaccess.h */
+diff -urpN linux-source-2.6.18.orig/arch/sparc64/kernel/sys_sparc.c linux-source-2.6.18/arch/sparc64/kernel/sys_sparc.c
+--- linux-source-2.6.18.orig/arch/sparc64/kernel/sys_sparc.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/sparc64/kernel/sys_sparc.c	2008-05-23 10:13:30.000000000 -0600
+@@ -555,13 +555,13 @@ int sparc64_mmap_check(unsigned long add
+ 		if (len >= STACK_TOP32)
+ 			return -EINVAL;
+ 
+-		if ((flags & MAP_FIXED) && addr > STACK_TOP32 - len)
++		if (addr > STACK_TOP32 - len)
+ 			return -EINVAL;
+ 	} else {
+ 		if (len >= VA_EXCLUDE_START)
+ 			return -EINVAL;
+ 
+-		if ((flags & MAP_FIXED) && invalid_64bit_range(addr, len))
++		if (invalid_64bit_range(addr, len))
+ 			return -EINVAL;
+ 	}
+ 
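Review bot: In `sparc_mmap_check()` the bounds `0x20000000` and `0xe0000000` are bare literals, and with the `MAP_FIXED` test removed nothing in the code records that the range check is now meant to apply to hint addresses as well. A short comment above the condition would capture that, for example `/* Reject any range overlapping 0x20000000..0xe0000000, even when addr is only a hint. */`; what that range represents on sun4c/sun4 is not stated in the hunk and should be named by someone who knows the platform. The same remark applies to the now-unconditional `addr > STACK_TOP32 - len` and `invalid_64bit_range(addr, len)` tests in `sparc64_mmap_check()`. Both function bodies continue outside their hunks, so any later check on the same arguments is not visible here.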

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/sparc-fix-mremap-addr-range-validation.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/sparc-fix-mremap-addr-range-validation.patch	Fri May 23 22:52:34 2008
@@ -0,0 +1,230 @@
+commit 94d149c34cda933ff5096aca94bb23bf68602f4e
+Author: David S. Miller <davem at davemloft.net>
+Date:   Mon May 12 16:33:33 2008 -0700
+
+    sparc: Fix mremap address range validation.
+    
+    Just like mmap, we need to validate address ranges regardless
+    of MAP_FIXED.
+    
+    sparc{,64}_mmap_check()'s flag argument is unused, remove.
+    
+    Based upon a report and preliminary patch by
+    Jan Lieskovsky <jlieskov at redhat.com>
+    
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/arch/sparc/kernel/sys_sparc.c linux-source-2.6.18/arch/sparc/kernel/sys_sparc.c
+--- linux-source-2.6.18.orig/arch/sparc/kernel/sys_sparc.c	2008-05-23 10:13:30.000000000 -0600
++++ linux-source-2.6.18/arch/sparc/kernel/sys_sparc.c	2008-05-23 10:30:23.000000000 -0600
+@@ -219,7 +219,7 @@ out:
+ 	return err;
+ }
+ 
+-int sparc_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
++int sparc_mmap_check(unsigned long addr, unsigned long len)
+ {
+ 	if (ARCH_SUN4C_SUN4 &&
+ 	    (len > 0x20000000 ||
+@@ -295,52 +295,14 @@ asmlinkage unsigned long sparc_mremap(un
+ 	unsigned long old_len, unsigned long new_len,
+ 	unsigned long flags, unsigned long new_addr)
+ {
+-	struct vm_area_struct *vma;
+ 	unsigned long ret = -EINVAL;
+-	if (ARCH_SUN4C_SUN4) {
+-		if (old_len > 0x20000000 || new_len > 0x20000000)
+-			goto out;
+-		if (addr < 0xe0000000 && addr + old_len > 0x20000000)
+-			goto out;
+-	}
+-	if (old_len > TASK_SIZE - PAGE_SIZE ||
+-	    new_len > TASK_SIZE - PAGE_SIZE)
++
++	if (unlikely(sparc_mmap_check(addr, old_len)))
++		goto out;
++	if (unlikely(sparc_mmap_check(new_addr, new_len)))
+ 		goto out;
+ 	down_write(&current->mm->mmap_sem);
+-	if (flags & MREMAP_FIXED) {
+-		if (ARCH_SUN4C_SUN4 &&
+-		    new_addr < 0xe0000000 &&
+-		    new_addr + new_len > 0x20000000)
+-			goto out_sem;
+-		if (new_addr + new_len > TASK_SIZE - PAGE_SIZE)
+-			goto out_sem;
+-	} else if ((ARCH_SUN4C_SUN4 && addr < 0xe0000000 &&
+-		    addr + new_len > 0x20000000) ||
+-		   addr + new_len > TASK_SIZE - PAGE_SIZE) {
+-		unsigned long map_flags = 0;
+-		struct file *file = NULL;
+-
+-		ret = -ENOMEM;
+-		if (!(flags & MREMAP_MAYMOVE))
+-			goto out_sem;
+-
+-		vma = find_vma(current->mm, addr);
+-		if (vma) {
+-			if (vma->vm_flags & VM_SHARED)
+-				map_flags |= MAP_SHARED;
+-			file = vma->vm_file;
+-		}
+-
+-		new_addr = get_unmapped_area(file, addr, new_len,
+-				     vma ? vma->vm_pgoff : 0,
+-				     map_flags);
+-		ret = new_addr;
+-		if (new_addr & ~PAGE_MASK)
+-			goto out_sem;
+-		flags |= MREMAP_FIXED;
+-	}
+ 	ret = do_mremap(addr, old_len, new_len, flags, new_addr);
+-out_sem:
+ 	up_write(&current->mm->mmap_sem);
+ out:
+ 	return ret;       
+diff -urpN linux-source-2.6.18.orig/arch/sparc64/kernel/sys_sparc32.c linux-source-2.6.18/arch/sparc64/kernel/sys_sparc32.c
+--- linux-source-2.6.18.orig/arch/sparc64/kernel/sys_sparc32.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/sparc64/kernel/sys_sparc32.c	2008-05-23 10:33:10.000000000 -0600
+@@ -961,44 +961,15 @@ asmlinkage unsigned long sys32_mremap(un
+ 	unsigned long old_len, unsigned long new_len,
+ 	unsigned long flags, u32 __new_addr)
+ {
+-	struct vm_area_struct *vma;
+ 	unsigned long ret = -EINVAL;
+ 	unsigned long new_addr = __new_addr;
+ 
+-	if (old_len > STACK_TOP32 || new_len > STACK_TOP32)
++	if (unlikely(sparc64_mmap_check(addr, old_len)))
+ 		goto out;
+-	if (addr > STACK_TOP32 - old_len)
++	if (unlikely(sparc64_mmap_check(new_addr, new_len)))
+ 		goto out;
+ 	down_write(&current->mm->mmap_sem);
+-	if (flags & MREMAP_FIXED) {
+-		if (new_addr > STACK_TOP32 - new_len)
+-			goto out_sem;
+-	} else if (addr > STACK_TOP32 - new_len) {
+-		unsigned long map_flags = 0;
+-		struct file *file = NULL;
+-
+-		ret = -ENOMEM;
+-		if (!(flags & MREMAP_MAYMOVE))
+-			goto out_sem;
+-
+-		vma = find_vma(current->mm, addr);
+-		if (vma) {
+-			if (vma->vm_flags & VM_SHARED)
+-				map_flags |= MAP_SHARED;
+-			file = vma->vm_file;
+-		}
+-
+-		/* MREMAP_FIXED checked above. */
+-		new_addr = get_unmapped_area(file, addr, new_len,
+-				    vma ? vma->vm_pgoff : 0,
+-				    map_flags);
+-		ret = new_addr;
+-		if (new_addr & ~PAGE_MASK)
+-			goto out_sem;
+-		flags |= MREMAP_FIXED;
+-	}
+ 	ret = do_mremap(addr, old_len, new_len, flags, new_addr);
+-out_sem:
+ 	up_write(&current->mm->mmap_sem);
+ out:
+ 	return ret;       
+diff -urpN linux-source-2.6.18.orig/arch/sparc64/kernel/sys_sparc.c linux-source-2.6.18/arch/sparc64/kernel/sys_sparc.c
+--- linux-source-2.6.18.orig/arch/sparc64/kernel/sys_sparc.c	2008-05-23 10:13:30.000000000 -0600
++++ linux-source-2.6.18/arch/sparc64/kernel/sys_sparc.c	2008-05-23 10:33:12.000000000 -0600
+@@ -548,8 +548,7 @@ asmlinkage long sparc64_personality(unsi
+ 	return ret;
+ }
+ 
+-int sparc64_mmap_check(unsigned long addr, unsigned long len,
+-		unsigned long flags)
++int sparc64_mmap_check(unsigned long addr, unsigned long len)
+ {
+ 	if (test_thread_flag(TIF_32BIT)) {
+ 		if (len >= STACK_TOP32)
+@@ -615,46 +614,19 @@ asmlinkage unsigned long sys64_mremap(un
+ 	unsigned long old_len, unsigned long new_len,
+ 	unsigned long flags, unsigned long new_addr)
+ {
+-	struct vm_area_struct *vma;
+ 	unsigned long ret = -EINVAL;
+ 
+ 	if (test_thread_flag(TIF_32BIT))
+ 		goto out;
+ 	if (unlikely(new_len >= VA_EXCLUDE_START))
+ 		goto out;
+-	if (unlikely(invalid_64bit_range(addr, old_len)))
++	if (unlikely(sparc64_mmap_check(addr, old_len)))
++		goto out;
++	if (unlikely(sparc64_mmap_check(new_addr, new_len)))
+ 		goto out;
+ 
+ 	down_write(&current->mm->mmap_sem);
+-	if (flags & MREMAP_FIXED) {
+-		if (invalid_64bit_range(new_addr, new_len))
+-			goto out_sem;
+-	} else if (invalid_64bit_range(addr, new_len)) {
+-		unsigned long map_flags = 0;
+-		struct file *file = NULL;
+-
+-		ret = -ENOMEM;
+-		if (!(flags & MREMAP_MAYMOVE))
+-			goto out_sem;
+-
+-		vma = find_vma(current->mm, addr);
+-		if (vma) {
+-			if (vma->vm_flags & VM_SHARED)
+-				map_flags |= MAP_SHARED;
+-			file = vma->vm_file;
+-		}
+-
+-		/* MREMAP_FIXED checked above. */
+-		new_addr = get_unmapped_area(file, addr, new_len,
+-				    vma ? vma->vm_pgoff : 0,
+-				    map_flags);
+-		ret = new_addr;
+-		if (new_addr & ~PAGE_MASK)
+-			goto out_sem;
+-		flags |= MREMAP_FIXED;
+-	}
+ 	ret = do_mremap(addr, old_len, new_len, flags, new_addr);
+-out_sem:
+ 	up_write(&current->mm->mmap_sem);
+ out:
+ 	return ret;       
+diff -urpN linux-source-2.6.18.orig/include/asm-sparc/mman.h linux-source-2.6.18/include/asm-sparc/mman.h
+--- linux-source-2.6.18.orig/include/asm-sparc/mman.h	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/include/asm-sparc/mman.h	2008-05-23 10:33:45.000000000 -0600
+@@ -37,9 +37,8 @@
+ 
+ #ifdef __KERNEL__
+ #ifndef __ASSEMBLY__
+-#define arch_mmap_check	sparc_mmap_check
+-int sparc_mmap_check(unsigned long addr, unsigned long len,
+-		unsigned long flags);
++#define arch_mmap_check(addr,len,flags)	sparc_mmap_check(addr,len)
++int sparc_mmap_check(unsigned long addr, unsigned long len);
+ #endif
+ #endif
+ 
+diff -urpN linux-source-2.6.18.orig/include/asm-sparc64/mman.h linux-source-2.6.18/include/asm-sparc64/mman.h
+--- linux-source-2.6.18.orig/include/asm-sparc64/mman.h	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/include/asm-sparc64/mman.h	2008-05-23 10:34:07.000000000 -0600
+@@ -37,9 +37,8 @@
+ 
+ #ifdef __KERNEL__
+ #ifndef __ASSEMBLY__
+-#define arch_mmap_check	sparc64_mmap_check
+-int sparc64_mmap_check(unsigned long addr, unsigned long len,
+-		unsigned long flags);
++#define arch_mmap_check(addr,len,flags)	sparc64_mmap_check(addr,len)
++int sparc64_mmap_check(unsigned long addr, unsigned long len);
+ #endif
+ #endif
+ 
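Review bot: In `sparc_mremap()` the two added `sparc_mmap_check()` calls cover `(addr, old_len)` and `(new_addr, new_len)` but never `(addr, new_len)`, which is the range the mapping occupies when it is grown in place without `MREMAP_FIXED`. The removed `else if` branch tested that range; whether `do_mremap()`, which is not shown here, rejects it cannot be seen from this patch, so in-place growth into the excluded range may go unchecked. `sys32_mremap()` and `sys64_mremap()` have the same shape. A guard such as `if (!(flags & MREMAP_MAYMOVE) && unlikely(sparc_mmap_check(addr, new_len))) goto out;` would cover the non-movable case, while the movable case needs the check at the point where `do_mremap()` decides to extend in place. Separately, `new_addr` is validated even when `MREMAP_FIXED` is clear, so a caller that leaves that argument unset can get `-EINVAL` from an otherwise valid call.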

Modified: dists/etch-security/linux-2.6/debian/patches/series/18etch5
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/18etch5	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/18etch5	Fri May 23 22:52:34 2008
@@ -2,3 +2,5 @@
 + bugfix/hrtimer-prevent-overrun.patch
 + bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
 + bugfix/amd64-cs-corruption.patch
++ bugfix/sparc-fix-mmap-va-span-checking.patch
++ bugfix/sparc-fix-mremap-addr-range-validation.patch


