[kernel] r14955 - in dists/etch/linux-2.6/debian: . patches/bugfix/all/CVE-2009-0029 patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jan 19 16:33:16 UTC 2010
Author: dannf
Date: Tue Jan 19 16:33:01 2010
New Revision: 14955
Log:
[s390] Revert syscall wrapping of execve() - 2.6.18 still
has some in-kernel callers which bollocks up pt_regs.
(Closes: #562525)
Added:
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0044post1-s390-unwrap-execve.patch
dists/etch/linux-2.6/debian/patches/series/27
Modified:
dists/etch/linux-2.6/debian/changelog
Modified: dists/etch/linux-2.6/debian/changelog
==============================================================================
--- dists/etch/linux-2.6/debian/changelog Mon Jan 18 22:59:25 2010 (r14954)
+++ dists/etch/linux-2.6/debian/changelog Tue Jan 19 16:33:01 2010 (r14955)
@@ -1,3 +1,11 @@
+linux-2.6 (2.6.18.dfsg.1-27) UNRELEASED; urgency=low
+
+ * [s390] Revert syscall wrapping of execve() - 2.6.18 still
+ has some in-kernel callers which bollocks up pt_regs.
+ (Closes: #562525)
+
+ -- dann frazier <dannf at debian.org> Mon, 18 Jan 2010 22:52:10 -0700
+
linux-2.6 (2.6.18.dfsg.1-26etch1) oldstable-security; urgency=high
* [s390] Fix missing capability check in z90crypt driver (CVE-2009-1883)
Added: dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0044post1-s390-unwrap-execve.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0044post1-s390-unwrap-execve.patch Tue Jan 19 16:33:01 2010 (r14955)
@@ -0,0 +1,200 @@
+diff -urpN -x'#*' linux-source-2.6.18.orig/arch/s390/kernel/entry64.S linux-source-2.6.18/arch/s390/kernel/entry64.S
+--- linux-source-2.6.18.orig/arch/s390/kernel/entry64.S 2009-11-05 03:47:12.000000000 +0000
++++ linux-source-2.6.18/arch/s390/kernel/entry64.S 2010-01-19 06:19:21.000000000 +0000
+@@ -369,36 +369,24 @@ ret_from_fork:
+ stosm 24(%r15),0x03 # reenable interrupts
+ j sysc_return
+
+-#
+-# kernel_execve function needs to deal with pt_regs that is not
+-# at the usual place
+-#
+- .globl kernel_execve
+-kernel_execve:
+- stmg %r12,%r15,96(%r15)
+- lgr %r14,%r15
+- aghi %r15,-SP_SIZE
+- stg %r14,__SF_BACKCHAIN(%r15)
+- la %r12,SP_PTREGS(%r15)
+- xc 0(__PT_SIZE,%r12),0(%r12)
+- lgr %r5,%r12
+- brasl %r14,do_execve
+- ltgfr %r2,%r2
+- je 0f
+- aghi %r15,SP_SIZE
+- lmg %r12,%r15,96(%r15)
+- br %r14
+- # execve succeeded.
+-0: stnsm __SF_EMPTY(%r15),0xfc # disable interrupts
+- lg %r15,__LC_KERNEL_STACK # load ksp
+- aghi %r15,-SP_SIZE # make room for registers & psw
+- lg %r13,__LC_SVC_NEW_PSW+8
+- lg %r9,__LC_THREAD_INFO
+- mvc SP_PTREGS(__PT_SIZE,%r15),0(%r12) # copy pt_regs
+- xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15)
+- stosm __SF_EMPTY(%r15),0x03 # reenable interrupts
+- brasl %r14,execve_tail
+- j sysc_return
++sys_execve_glue:
++ la %r2,SP_PTREGS(%r15) # load pt_regs
++ lgr %r12,%r14 # save return address
++ brasl %r14,sys_execve # call sys_execve
++ ltgr %r2,%r2 # check if execve failed
++ bnz 0(%r12) # it did fail -> store result in gpr2
++ b 6(%r12) # SKIP STG 2,SP_R2(15) in
++ # system_call/sysc_tracesys
++#ifdef CONFIG_COMPAT
++sys32_execve_glue:
++ la %r2,SP_PTREGS(%r15) # load pt_regs
++ lgr %r12,%r14 # save return address
++ brasl %r14,sys32_execve # call sys32_execve
++ ltgr %r2,%r2 # check if execve failed
++ bnz 0(%r12) # it did fail -> store result in gpr2
++ b 6(%r12) # SKIP STG 2,SP_R2(15) in
++ # system_call/sysc_tracesys
++#endif
+
+ /*
+ * Program check handler routine
+diff -urpN -x'#*' linux-source-2.6.18.orig/arch/s390/kernel/entry.S linux-source-2.6.18/arch/s390/kernel/entry.S
+--- linux-source-2.6.18.orig/arch/s390/kernel/entry.S 2009-11-05 03:47:12.000000000 +0000
++++ linux-source-2.6.18/arch/s390/kernel/entry.S 2010-01-19 06:52:42.000000000 +0000
+@@ -378,39 +378,15 @@ ret_from_fork:
+ stosm __SF_EMPTY(%r15),0x03 # reenable interrupts
+ b BASED(sysc_return)
+
+-#
+-# kernel_execve function needs to deal with pt_regs that is not
+-# at the usual place
+-#
+- .globl kernel_execve
+-kernel_execve:
+- stm %r12,%r15,48(%r15)
+- lr %r14,%r15
+- l %r13,__LC_SVC_NEW_PSW+4
+- s %r15,BASED(.Lc_spsize)
+- st %r14,__SF_BACKCHAIN(%r15)
+- la %r12,SP_PTREGS(%r15)
+- xc 0(__PT_SIZE,%r12),0(%r12)
+- l %r1,BASED(.Ldo_execve)
+- lr %r5,%r12
+- basr %r14,%r1
+- ltr %r2,%r2
+- be BASED(0f)
+- a %r15,BASED(.Lc_spsize)
+- lm %r12,%r15,48(%r15)
+- br %r14
+- # execve succeeded.
+-0: stnsm __SF_EMPTY(%r15),0xfc # disable interrupts
+- l %r15,__LC_KERNEL_STACK # load ksp
+- s %r15,BASED(.Lc_spsize) # make room for registers & psw
+- l %r9,__LC_THREAD_INFO
+- mvc SP_PTREGS(__PT_SIZE,%r15),0(%r12) # copy pt_regs
+- xc __SF_BACKCHAIN(4,%r15),__SF_BACKCHAIN(%r15)
+- stosm __SF_EMPTY(%r15),0x03 # reenable interrupts
+- l %r1,BASED(.Lexecve_tail)
+- basr %r14,%r1
+- b BASED(sysc_return)
+-
++sys_execve_glue:
++ la %r2,SP_PTREGS(%r15) # load pt_regs
++ l %r1,BASED(.Lexecve)
++ lr %r12,%r14 # save return address
++ basr %r14,%r1 # call sys_execve
++ ltr %r2,%r2 # check if execve failed
++ bnz 0(%r12) # it did fail -> store result in gpr2
++ b 4(%r12) # SKIP ST 2,SP_R2(15) after BASR 14,8
++ # in system_call/sysc_tracesys
+
+ /*
+ * Program check handler routine
+@@ -1005,10 +981,9 @@ cleanup_io_leave_insn:
+ .Ldo_extint: .long do_extint
+ .Ldo_signal: .long do_signal
+ .Lhandle_per: .long do_single_step
+-.Ldo_execve: .long do_execve
+-.Lexecve_tail: .long execve_tail
+ .Ljump_table: .long pgm_check_table
+ .Lschedule: .long schedule
++.Lexecve: .long sys_execve
+ .Ltrace: .long syscall_trace
+ .Lschedtail: .long schedule_tail
+ .Lsysc_table: .long sys_call_table
+diff -urpN -x'#*' linux-source-2.6.18.orig/arch/s390/kernel/process.c linux-source-2.6.18/arch/s390/kernel/process.c
+--- linux-source-2.6.18.orig/arch/s390/kernel/process.c 2009-11-05 03:47:12.000000000 +0000
++++ linux-source-2.6.18/arch/s390/kernel/process.c 2010-01-19 07:08:48.000000000 +0000
+@@ -319,43 +319,31 @@ SYSCALL_DEFINE0(vfork)
+ regs->gprs[15], regs, 0, NULL, NULL);
+ }
+
+-asmlinkage void execve_tail(void)
+-{
+- task_lock(current);
+- current->ptrace &= ~PT_DTRACE;
+- task_unlock(current);
+- current->thread.fp_regs.fpc = 0;
+- if (MACHINE_HAS_IEEE)
+- asm volatile("sfpc %0,%0" : : "d" (0));
+-}
+-
+ /*
+ * sys_execve() executes a new program.
+ */
+-SYSCALL_DEFINE0(execve)
++asmlinkage long sys_execve(struct pt_regs regs)
+ {
+- struct pt_regs *regs = task_pt_regs(current);
+- char *filename;
+- unsigned long result;
+- int rc;
+-
+- filename = getname((char __user *) regs->orig_gpr2);
+- if (IS_ERR(filename)) {
+- result = PTR_ERR(filename);
+- goto out;
+- }
+- rc = do_execve(filename, (char __user * __user *) regs->gprs[3],
+- (char __user * __user *) regs->gprs[4], regs);
+- if (rc) {
+- result = rc;
+- goto out_putname;
++ int error;
++ char * filename;
++
++ filename = getname((char __user *) regs.orig_gpr2);
++ error = PTR_ERR(filename);
++ if (IS_ERR(filename))
++ goto out;
++ error = do_execve(filename, (char __user * __user *) regs.gprs[3],
++ (char __user * __user *) regs.gprs[4], ®s);
++ if (error == 0) {
++ task_lock(current);
++ current->ptrace &= ~PT_DTRACE;
++ task_unlock(current);
++ current->thread.fp_regs.fpc = 0;
++ if (MACHINE_HAS_IEEE)
++ asm volatile("sfpc %0,%0" : : "d" (0));
+ }
+- execve_tail();
+- result = regs->gprs[2];
+-out_putname:
+- putname(filename);
++ putname(filename);
+ out:
+- return result;
++ return error;
+ }
+
+ /*
+diff -urpN -x'#*' linux-source-2.6.18.orig/arch/s390/kernel/syscalls.S linux-source-2.6.18/arch/s390/kernel/syscalls.S
+--- linux-source-2.6.18.orig/arch/s390/kernel/syscalls.S 2009-11-05 03:47:12.000000000 +0000
++++ linux-source-2.6.18/arch/s390/kernel/syscalls.S 2010-01-19 07:08:48.000000000 +0000
+@@ -19,7 +19,7 @@ SYSCALL(sys_restart_syscall,sys_restart_
+ SYSCALL(sys_creat,sys_creat,sys32_creat_wrapper)
+ SYSCALL(sys_link,sys_link,sys32_link_wrapper)
+ SYSCALL(sys_unlink,sys_unlink,sys32_unlink_wrapper) /* 10 */
+-SYSCALL(sys_execve,sys_execve,sys32_execve)
++SYSCALL(sys_execve_glue,sys_execve_glue,sys32_execve_glue)
+ SYSCALL(sys_chdir,sys_chdir,sys32_chdir_wrapper)
+ SYSCALL(sys_time,sys_ni_syscall,sys32_time_wrapper) /* old time syscall */
+ SYSCALL(sys_mknod,sys_mknod,sys32_mknod_wrapper)
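Review bot: The new patch file 0044post1-s390-unwrap-execve.patch starts directly at its first `diff -urpN` line with no description header, even though it is filed under CVE-2009-0029/ and takes execve back out of the syscall-wrapper scheme; it should open with a short header that cites the bug (#562525) and says why the unwrapped entry point is still safe. From the process.c hunk that reason appears to be that `sys_execve` takes its three user pointers from the saved registers (`regs.orig_gpr2`, `regs.gprs[3]`, `regs.gprs[4]`) rather than from C parameters, so the argument sign-extension that the wrappers enforce does not come into play, but that is inferred and should be confirmed by the author. `sys32_execve_glue` in entry64.S now calls `sys32_execve` with the pt_regs address in %r2, yet no hunk here touches the definition of `sys32_execve`, so its signature should be checked against the glue. In this archived copy the last argument of the `do_execve` call reads `®s`, presumably `&regs` damaged by entity decoding, so the patch should be taken from the repository rather than from this page.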
Added: dists/etch/linux-2.6/debian/patches/series/27
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/series/27 Tue Jan 19 16:33:01 2010 (r14955)
@@ -0,0 +1 @@
++ bugfix/all/CVE-2009-0029/0044post1-s390-unwrap-execve.patch