[kernel] r13329 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series

Dann Frazier dannf at alioth.debian.org
Sat Apr 4 17:17:18 UTC 2009


Author: dannf
Date: Sat Apr  4 17:17:16 2009
New Revision: 13329

Log:
[amd64] syscall-audit: fix 32/64 syscall hole

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/syscall-audit-fix-32+64-syscall-hole.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/15lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	(original)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sat Apr  4 17:17:16 2009
@@ -4,6 +4,7 @@
     (CVE-2009-0028)
   * ecryptfs: Allocate a variable number of pages for file headers
     (CVE-2009-0787)
+  * [amd64] syscall-audit: fix 32/64 syscall hole
 
  -- dann frazier <dannf at debian.org>  Fri, 03 Apr 2009 19:12:51 -0600
 
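
Review bot: The added changelog line "* [amd64] syscall-audit: fix 32/64 syscall hole" carries no CVE identifier, while the two entries above it in this hunk each end with one in parentheses. If an identifier has been assigned for this audit bypass, add it on a continuation line in the same style so the security upload can be tracked. If none exists yet, a bug reference would serve the same purpose.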

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/syscall-audit-fix-32+64-syscall-hole.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/syscall-audit-fix-32+64-syscall-hole.patch	Sat Apr  4 17:17:16 2009
@@ -0,0 +1,33 @@
+commit ccbe495caa5e604b04d5a31d7459a6f6a76a756c
+Author: Roland McGrath <roland at redhat.com>
+Date:   Fri Feb 27 19:03:24 2009 -0800
+
+    x86-64: syscall-audit: fix 32/64 syscall hole
+    
+    On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
+    ljmp, and then use the "syscall" instruction to make a 64-bit system
+    call.  A 64-bit process make a 32-bit system call with int $0x80.
+    
+    In both these cases, audit_syscall_entry() will use the wrong system
+    call number table and the wrong system call argument registers.  This
+    could be used to circumvent a syscall audit configuration that filters
+    based on the syscall numbers or argument details.
+    
+    Signed-off-by: Roland McGrath <roland at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+Based on Eugene Teo's backport for RHEL5
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kernel/ptrace.c linux-source-2.6.26/arch/x86/kernel/ptrace.c
+--- linux-source-2.6.26.orig/arch/x86/kernel/ptrace.c	2009-03-25 17:20:38.000000000 -0600
++++ linux-source-2.6.26/arch/x86/kernel/ptrace.c	2009-04-04 11:09:01.000000000 -0600
+@@ -1491,7 +1491,7 @@ asmlinkage void syscall_trace_enter(stru
+ 		syscall_trace(regs);
+ 
+ 	if (unlikely(current->audit_context)) {
+-		if (test_thread_flag(TIF_IA32)) {
++		if (is_compat_task()) {
+ 			audit_syscall_entry(AUDIT_ARCH_I386,
+ 					    regs->orig_ax,
+ 					    regs->bx, regs->cx,
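
Review bot: The new condition `is_compat_task()` in syscall_trace_enter() depends on a helper that this backport neither defines nor adds an include for, since the only file touched is arch/x86/kernel/ptrace.c. Please confirm that the 2.6.26 tree already provides is_compat_task() on x86-64, that it is visible from ptrace.c, and that it reports the mode of the system call being entered rather than the task's TIF_IA32 personality. Otherwise the build breaks, or the AUDIT_ARCH_I386 branch is still chosen from the wrong state and the hole described in the commit message stays open. The "Backported to Debian's 2.6.26" note would also be more useful if it said what differs from the upstream commit and whether both directions named in the message (a 32-bit task using "syscall" and a 64-bit task using int $0x80) were tested against an audit rule that filters on syscall number.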

Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	(original)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Sat Apr  4 17:17:16 2009
@@ -1,3 +1,4 @@
 + bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
 + bugfix/all/ecryptfs-fix-mem-corruption-when-storing-crypto-info-in-xattrs.patch
 + bugfix/all/ecryptfs-allocate-a-variable-number-of-pages-for-file-headers.patch
++ bugfix/x86/syscall-audit-fix-32+64-syscall-hole.patch


