[kernel] r14052 - in dists/lenny/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/series

Dann Frazier dannf at alioth.debian.org
Thu Jul 30 17:32:00 UTC 2009


Author: dannf
Date: Thu Jul 30 17:31:59 2009
New Revision: 14052

Log:
merge 2.6.26-17lenny1

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
      - copied unchanged from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
      - copied unchanged from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
      - copied unchanged from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch
      - copied unchanged from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch
   dists/lenny/linux-2.6/debian/patches/series/17lenny1
      - copied unchanged from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/series/17lenny1
Modified:
   dists/lenny/linux-2.6/   (props changed)
   dists/lenny/linux-2.6/debian/changelog

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Thu Jul 30 17:30:06 2009	(r14051)
+++ dists/lenny/linux-2.6/debian/changelog	Thu Jul 30 17:31:59 2009	(r14052)
@@ -39,6 +39,16 @@
 
  -- maximilian attems <maks at debian.org>  Wed, 10 Jun 2009 15:34:04 +0200
 
+linux-2.6 (2.6.26-17lenny1) stable-security; urgency=high
+
+  * [KVM] x86: check for cr3 validity in ioctl_set_sregs
+    (CVE-2009-2287)
+  * personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
+  * ecryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)
+  * ecryptfs: check tag 3 package encrypted size (CVE-2009-2407)
+
+ -- dann frazier <dannf at debian.org>  Sat, 25 Jul 2009 15:10:10 -0600
+
 linux-2.6 (2.6.26-17) stable; urgency=high
 
   * Revert "sata_nv: avoid link reset on controllers where it's broken"
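Review bot: the fourth entry, `ecryptfs: check tag 3 package encrypted size (CVE-2009-2407)`, says "package" where the patch description and the code talk about a tag 3 "packet"; worth aligning the wording with the tag 11 entry above it, which says "buffer size". Also, the KVM entry wraps its CVE onto a continuation line while the other three keep the CVE inline; consistent layout makes the security changelog easier to grep.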

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch (from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch	Thu Jul 30 17:31:59 2009	(r14052, copy of r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch)
@@ -0,0 +1,40 @@
+Tag 11 packets are stored in the metadata section of an eCryptfs file to
+store the key signature(s) used to encrypt the file encryption key.
+After extracting the packet length field to determine the key signature
+length, a check is not performed to see if the length would exceed the
+key signature buffer size that was passed into parse_tag_11_packet().
+
+Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.
+
+Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+---
+ fs/ecryptfs/keystore.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org
+
+diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
+index af737bb..5414253 100644
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data, unsigned char *contents,
+ 		rc = -EINVAL;
+ 		goto out;
+ 	}
++	if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
++		printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
++		       "expected size\n");
++		rc = -EINVAL;
++		goto out;
++	}
+ 	if (data[(*packet_size)++] != 0x62) {
+ 		printk(KERN_WARNING "Unrecognizable packet\n");
+ 		rc = -EINVAL;
+-- 
+1.6.2.5
+
+_______________________________________________
+Vendor Security mailing list
+Vendor Security at lst.de
+https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
+
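Review bot: the file carries the vendor-sec list footer (the `_______` / `Vendor Security mailing list` / `https://www.lst.de/...` lines after the `1.6.2.5` signature), and the line `Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org` is missing its closing `>`; both sit outside the diff so quilt ignores them, but they should be trimmed to match the other patch files. The bound check itself is well placed: `if (unlikely((*tag_11_contents_size) > max_contents_bytes))` runs right after the length-field check and before `data[(*packet_size)++] != 0x62` advances the cursor, so a rejected packet takes the same `rc = -EINVAL; goto out;` path as the other malformed-packet cases. Logging at `KERN_ERR` here versus `KERN_WARNING` in the neighbouring checks is a small inconsistency.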

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch (from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch	Thu Jul 30 17:31:59 2009	(r14052, copy of r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch)
@@ -0,0 +1,28 @@
+The parse_tag_3_packet function does not check if the tag 3 packet contains a
+encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.
+
+Signed-off-by: Ramon de Carvalho Valle <ramon at risesecurity.org>
+Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+---
+ fs/ecryptfs/keystore.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/ecryptfs/keystore.c linux-source-2.6.26/fs/ecryptfs/keystore.c
+--- linux-source-2.6.26.orig/fs/ecryptfs/keystore.c	2009-07-25 15:02:53.000000000 -0600
++++ linux-source-2.6.26/fs/ecryptfs/keystore.c	2009-07-25 15:05:01.000000000 -0600
+@@ -730,6 +730,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
+ 	}
+ 	(*new_auth_tok)->session_key.encrypted_key_size =
+ 		(body_size - (ECRYPTFS_SALT_SIZE + 5));
++	if ((*new_auth_tok)->session_key.encrypted_key_size
++	    > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
++		printk(KERN_WARNING "Tag 3 packet contains key larger "
++		       "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
++		rc = -EINVAL;
++		goto out_free;
++	}
+ 	if (unlikely(data[(*packet_size)++] != 0x04)) {
+ 		printk(KERN_WARNING "Unknown version number [%d]\n",
+ 		       data[(*packet_size) - 1]);
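Review bot: the rejection at `printk(KERN_WARNING "Tag 3 packet contains key larger "` reports neither the offending `encrypted_key_size` nor `body_size`, so a corrupted or fuzzed header is logged without the values that would help triage; consider including the computed size alongside the limit. The check is correctly placed immediately after `encrypted_key_size` is derived from `body_size - (ECRYPTFS_SALT_SIZE + 5)` and before the version byte is consumed, and it exits through `goto out_free` so the partially built `*new_auth_tok` is released. Minor: the description reads "contains a encrypted key size" (should be "an"), and the file name says "package" where the text says "packet".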

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch (from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch	Thu Jul 30 17:31:59 2009	(r14052, copy of r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch)
@@ -0,0 +1,52 @@
+commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
+Author: Julien Tinnes <jt at cr0.org>
+Date:   Fri Jun 26 20:27:40 2009 +0200
+
+    personality: fix PER_CLEAR_ON_SETID
+    
+    We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
+    include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
+    
+    The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
+    
+    We believe it is important to add MMAP_PAGE_ZERO, because by using this
+    personality it is possible to have the first page mapped inside a
+    process running as setuid root.  This could be used in those scenarios:
+    
+     - Exploiting a NULL pointer dereference issue in a setuid root binary
+     - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
+       running a setuid binary that would drop privileges before giving us
+       control back (for instance by loading a user-supplied library), we
+       could get the first page mapped in a process we control.  By further
+       using mremap and mprotect on this mapping, we can then completely
+       bypass the mmap_min_addr restrictions.
+    
+    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
+    since on x86 32bits it will in practice disable most of the address
+    space layout randomization (only the stack will remain randomized).
+    
+    Signed-off-by: Julien Tinnes <jt at cr0.org>
+    Signed-off-by: Tavis Ormandy <taviso at sdf.lonestar.org>
+    Cc: stable at kernel.org
+    Acked-by: Christoph Hellwig <hch at infradead.org>
+    Acked-by: Kees Cook <kees at ubuntu.com>
+    Acked-by: Eugene Teo <eugene at redhat.com>
+    [ Shortened lines and fixed whitespace as per Christophs' suggestion ]
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/personality.h b/include/linux/personality.h
+index a84e9ff..1261208 100644
+--- a/include/linux/personality.h
++++ b/include/linux/personality.h
+@@ -40,7 +40,10 @@ enum {
+  * Security-relevant compatibility flags that must be
+  * cleared upon setuid or setgid exec:
+  */
+-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
++#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC  | \
++			    ADDR_NO_RANDOMIZE  | \
++			    ADDR_COMPAT_LAYOUT | \
++			    MMAP_PAGE_ZERO)
+ 
+ /*
+  * Personality types.
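Review bot: this is a backport of upstream commit `f9fabcb58a6d26d6efde842d1703ac7cfa9427b6` onto 2.6.26, and the hunk context shows only `enum {`, so confirm that `ADDR_COMPAT_LAYOUT` and `MMAP_PAGE_ZERO` are defined in that enum in Debian's `include/linux/personality.h`; the new `#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \` ... `MMAP_PAGE_ZERO)` would otherwise fail to compile on setuid exec paths. Since the change is a header macro, every user of `PER_CLEAR_ON_SETID` picks it up only on rebuild, which the 17lenny1 upload provides.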

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch (from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch	Thu Jul 30 17:31:59 2009	(r14052, copy of r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch)
@@ -0,0 +1,48 @@
+commit 59839dfff5eabca01cc4e20b45797a60a80af8cb
+Author: Marcelo Tosatti <mtosatti at redhat.com>
+Date:   Thu Apr 16 08:30:44 2009 -0300
+
+    KVM: x86: check for cr3 validity in ioctl_set_sregs
+    
+    Matt T. Yourst notes that kvm_arch_vcpu_ioctl_set_sregs lacks validity
+    checking for the new cr3 value:
+    
+    "Userspace callers of KVM_SET_SREGS can pass a bogus value of cr3 to
+    the kernel. This will trigger a NULL pointer access in gfn_to_rmap()
+    when userspace next tries to call KVM_RUN on the affected VCPU and kvm
+    attempts to activate the new non-existent page table root.
+    
+    This happens since kvm only validates that cr3 points to a valid guest
+    physical memory page when code *inside* the guest sets cr3. However, kvm
+    currently trusts the userspace caller (e.g. QEMU) on the host machine to
+    always supply a valid page table root, rather than properly validating
+    it along with the rest of the reloaded guest state."
+    
+    http://sourceforge.net/tracker/?func=detail&atid=893831&aid=2687641&group_id=180599
+    
+    Check for a valid cr3 address in kvm_arch_vcpu_ioctl_set_sregs, triple
+    fault in case of failure.
+    
+    Cc: stable at kernel.org
+    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+    Signed-off-by: Avi Kivity <avi at redhat.com>
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index ffbb2c8..2bad49b 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3993,7 +3993,13 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
+ 
+ 	vcpu->arch.cr2 = sregs->cr2;
+ 	mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;
+-	vcpu->arch.cr3 = sregs->cr3;
++
++	down_read(&vcpu->kvm->slots_lock);
++	if (gfn_to_memslot(vcpu->kvm, sregs->cr3 >> PAGE_SHIFT))
++		vcpu->arch.cr3 = sregs->cr3;
++	else
++		set_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests);
++	up_read(&vcpu->kvm->slots_lock);
+ 
+ 	kvm_set_cr8(vcpu, sregs->cr8);
+ 
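Review bot: on the failure branch, `set_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests);` leaves `vcpu->arch.cr3` untouched, but `mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;` two lines earlier has already been evaluated against the rejected value, so an invalid cr3 from userspace can still flag an MMU reset for a vcpu whose cr3 did not change; that is benign given the vcpu is marked for a triple fault anyway, but folding the `mmu_reset_needed` update into the success branch would make the intent explicit. The `gfn_to_memslot(vcpu->kvm, sregs->cr3 >> PAGE_SHIFT)` lookup is correctly bracketed by `down_read`/`up_read` of `slots_lock`, and the check only validates that the page frame is backed by a memslot, which matches the bug described (NULL dereference in `gfn_to_rmap()` on a non-existent root).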

Copied: dists/lenny/linux-2.6/debian/patches/series/17lenny1 (from r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/series/17lenny1)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/17lenny1	Thu Jul 30 17:31:59 2009	(r14052, copy of r14051, releases/linux-2.6/2.6.26-17lenny1/debian/patches/series/17lenny1)
@@ -0,0 +1,4 @@
++ bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch
++ bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
++ bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
++ bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
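Review bot: both eCryptfs patches touch `fs/ecryptfs/keystore.c`, at lines 730 and 1449 respectively per their hunk headers, so their relative order here does not affect application; the series order matches the changelog order (KVM, personality, tag 11, tag 3), which is the convention to keep. The `+ ` prefix is Debian's series operator for adding a patch, so the doubled `++` at line start is the diff marker plus that operator, not a typo.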
