[kernel] r12876 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/hppa patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Feb 20 05:50:49 UTC 2009
Author: dannf
Date: Fri Feb 20 05:50:48 2009
New Revision: 12876
Log:
* [hppa] Fix system crash while unwinding a userspace process
- bugfix/hppa/userspace-unwind-crash.patch
See CVE-2008-5395
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/hppa/userspace-unwind-crash.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/24etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Fri Feb 20 05:50:48 2009
@@ -18,8 +18,11 @@
* dell_rbu: use scnprintf instead of less secure sprintf
- bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch
See CVE-2009-0322
+ * [hppa] Fix system crash while unwinding a userspace process
+ - bugfix/hppa/userspace-unwind-crash.patch
+ See CVE-2008-5395
- -- dann frazier <dannf at debian.org> Mon, 09 Feb 2009 23:25:32 -0700
+ -- dann frazier <dannf at debian.org> Thu, 19 Feb 2009 22:47:18 -0700
linux-2.6 (2.6.18.dfsg.1-24) stable; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/hppa/userspace-unwind-crash.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/hppa/userspace-unwind-crash.patch Fri Feb 20 05:50:48 2009
@@ -0,0 +1,116 @@
+commit 7a3f5134a8f5bd7fa38b5645eef05e8a4eb62951
+Author: Helge Deller <deller at gmx.de>
+Date: Wed Nov 26 12:46:22 2008 -0800
+
+ parisc: fix kernel crash when unwinding a userspace process
+
+ Any user on existing parisc 32- and 64bit-kernels can easily crash
+ the kernel and as such enforce a DSO.
+ A simple testcase is available here:
+ http://gsyprf10.external.hp.com/~deller/crash.tgz
+
+ The problem is introduced by the fact, that the handle_interruption()
+ crash handler calls the show_regs() function, which in turn tries to
+ unwind the stack by calling parisc_show_stack(). Since the stack contains
+ userspace addresses, a try to unwind the stack is dangerous and useless
+ and leads to the crash.
+
+ The fix is trivial: For userspace processes
+ a) avoid to unwind the stack, and
+ b) avoid to resolve userspace addresses to kernel symbol names.
+
+ While touching this code, I converted print_symbol() to %pS
+ printk formats and made parisc_show_stack() static.
+
+ An initial patch for this was written by Kyle McMartin back in August:
+ http://marc.info/?l=linux-parisc&m=121805168830283&w=2
+
+ Compile and run-tested with a 64bit parisc kernel.
+
+ Signed-off-by: Helge Deller <deller at gmx.de>
+ Cc: Grant Grundler <grundler at parisc-linux.org>
+ Cc: Matthew Wilcox <matthew at wil.cx>
+ Cc: <stable at kernel.org> [2.6.25.x, 2.6.26.x, 2.6.27.x, earlier...]
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Kyle McMartin <kyle at mcmartin.ca>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/parisc/kernel/traps.c linux-source-2.6.18/arch/parisc/kernel/traps.c
+--- linux-source-2.6.18.orig/arch/parisc/kernel/traps.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/parisc/kernel/traps.c 2009-02-19 00:49:17.000000000 -0700
+@@ -24,7 +24,6 @@
+ #include <linux/init.h>
+ #include <linux/interrupt.h>
+ #include <linux/console.h>
+-#include <linux/kallsyms.h>
+
+ #include <asm/assembly.h>
+ #include <asm/system.h>
+@@ -115,18 +114,19 @@ static void print_fr(char *level, struct
+
+ void show_regs(struct pt_regs *regs)
+ {
+- int i;
++ int i, user;
+ char *level;
+ unsigned long cr30, cr31;
+
+- level = user_mode(regs) ? KERN_DEBUG : KERN_CRIT;
++ user = user_mode(regs);
++ level = user ? KERN_DEBUG : KERN_CRIT;
+
+ print_gr(level, regs);
+
+ for (i = 0; i < 8; i += 4)
+ PRINTREGS(level, regs->sr, "sr", RFMT, i);
+
+- if (user_mode(regs))
++ if (user)
+ print_fr(level, regs);
+
+ cr30 = mfctl(30);
+@@ -139,12 +139,16 @@ void show_regs(struct pt_regs *regs)
+ printk("%s CPU: %8d CR30: " RFMT " CR31: " RFMT "\n",
+ level, current_thread_info()->cpu, cr30, cr31);
+ printk("%s ORIG_R28: " RFMT "\n", level, regs->orig_r28);
+- printk(level);
+- print_symbol(" IAOQ[0]: %s\n", regs->iaoq[0]);
+- printk(level);
+- print_symbol(" IAOQ[1]: %s\n", regs->iaoq[1]);
+- printk(level);
+- print_symbol(" RP(r2): %s\n", regs->gr[2]);
++
++ if (user) {
++ printk("%s IAOQ[0]: " RFMT "\n", level, regs->iaoq[0]);
++ printk("%s IAOQ[1]: " RFMT "\n", level, regs->iaoq[1]);
++ printk("%s RP(r2): " RFMT "\n", level, regs->gr[2]);
++ } else {
++ printk("%s IAOQ[0]: %pS\n", level, (void *) regs->iaoq[0]);
++ printk("%s IAOQ[1]: %pS\n", level, (void *) regs->iaoq[1]);
++ printk("%s RP(r2): %pS\n", level, (void *) regs->gr[2]);
++ }
+ }
+
+
+@@ -165,17 +169,12 @@ static void do_show_stack(struct unwind_
+ break;
+
+ if (__kernel_text_address(info->ip)) {
+- printk(" [<" RFMT ">] ", info->ip);
+-#ifdef CONFIG_KALLSYMS
+- print_symbol("%s\n", info->ip);
+-#else
+- if ((i & 0x03) == 0)
+- printk("\n");
+-#endif
++ printk(KERN_CRIT " [<" RFMT ">] %pS\n",
++ info->ip, (void *) info->ip);
+ i++;
+ }
+ }
+- printk("\n");
++ printk(KERN_CRIT "\n");
+ }
+
+ void show_stack(struct task_struct *task, unsigned long *s)
Modified: dists/etch-security/linux-2.6/debian/patches/series/24etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/24etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/24etch1 Fri Feb 20 05:50:48 2009
@@ -55,3 +55,4 @@
+ bugfix/all/CVE-2009-0029/0091-avoid-abi-change.patch
+ bugfix/all/security-keyctl-missing-kfree.patch
+ bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch
++ bugfix/hppa/userspace-unwind-crash.patch
More information about the Kernel-svn-changes
mailing list