[kernel] r17907 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Moritz Muehlenhoff
jmm at alioth.debian.org
Thu Aug 11 18:15:26 UTC 2011
Author: jmm
Date: Thu Aug 11 18:15:23 2011
New Revision: 17907
Log:
CVE-2011-2208, CVE-2011-2209, CVE-2011-2210, CVE-2011-2211, CVE-2011-2213 for lenny
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alpha-fix-several-security-issues.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-inet_diag_bc_audit.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Aug 11 06:12:26 2011 (r17906)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Aug 11 18:15:23 2011 (r17907)
@@ -1,7 +1,13 @@
linux-2.6 (2.6.26-26lenny4) UNRELEASED; urgency=high
+ [ dann frazier ]
* Fix regression in fix for CVE-2011-1768 (Closes: #633738)
+ [ Moritz Muehlenhoff ]
+ * Fix several Alpha vulnerabilities (CVE-2011-2208, CVE-2011-2209,
+ CVE-2011-2210, CVE-2011-2211)
+ * inet_diag: fix inet_diag_bc_audit() (CVE-2011-2213)
+
-- dann frazier <dannf at debian.org> Thu, 21 Jul 2011 00:45:03 -0600
linux-2.6 (2.6.26-26lenny3) oldstable-security; urgency=high
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alpha-fix-several-security-issues.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alpha-fix-several-security-issues.patch Thu Aug 11 18:15:23 2011 (r17907)
@@ -0,0 +1,88 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 15 Jun 2011 22:09:01 +0000 (-0700)
+Subject: alpha: fix several security issues
+X-Git-Tag: v3.0-rc4~42
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=21c5977a836e399fc710ff2c5367845ed5c2527f
+
+alpha: fix several security issues
+
+Fix several security issues in Alpha-specific syscalls. Untested, but
+mostly trivial.
+
+1. Signedness issue in osf_getdomainname allows copying out-of-bounds
+kernel memory to userland.
+
+2. Signedness issue in osf_sysinfo allows copying large amounts of
+kernel memory to userland.
+
+3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy
+size, allowing copying large amounts of kernel memory to userland.
+
+4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows
+privilege escalation via writing return value of sys_wait4 to kernel
+memory.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: Richard Henderson <rth at twiddle.net>
+Cc: Ivan Kokshaysky <ink at jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88 at gmail.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
+index 376f221..326f0a2 100644
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
+ return -EFAULT;
+
+ len = namelen;
+- if (namelen > 32)
++ if (len > 32)
+ len = 32;
+
+ down_read(&uts_sem);
+@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
+ down_read(&uts_sem);
+ res = sysinfo_table[offset];
+ len = strlen(res)+1;
+- if (len > count)
++ if ((unsigned long)len > (unsigned long)count)
+ len = count;
+ if (copy_to_user(buf, res, len))
+ err = -EFAULT;
+@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
+ return 1;
+
+ case GSI_GET_HWRPB:
+- if (nbytes < sizeof(*hwrpb))
++ if (nbytes > sizeof(*hwrpb))
+ return -EINVAL;
+ if (copy_to_user(buffer, hwrpb, nbytes) != 0)
+ return -EFAULT;
+@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
+ {
+ struct rusage r;
+ long ret, err;
++ unsigned int status = 0;
+ mm_segment_t old_fs;
+
+ if (!ur)
+@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
+ old_fs = get_fs();
+
+ set_fs (KERNEL_DS);
+- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
++ ret = sys_wait4(pid, (unsigned int __user *) &status, options,
++ (struct rusage __user *) &r);
+ set_fs (old_fs);
+
+ if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
+ return -EFAULT;
+
+ err = 0;
++ err |= put_user(status, ustatus);
+ err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
+ err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
+ err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
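Review bot: The added `err |= put_user(status, ustatus);` in osf_wait4 is unconditional, but wait4 callers may legitimately pass a NULL status pointer; when `ur` is non-NULL that put_user fails its access check and turns a successful wait into -EFAULT, which the old code (it handed `ustatus` straight to sys_wait4, which presumably tolerates NULL) did not do. Guard it with `if (ustatus) err |= put_user(status, ustatus);`. The osf_getdomainname change only closes the signedness hole if `len` is declared unsigned, and that declaration is outside the hunk, so confirm lenny's 2.6.26 osf_sys.c declares it that way before relying on this backport (an explicit `if (namelen < 0) return -EINVAL;` would not depend on the type). The osf_wait4 body and its return statement continue past the end of the hunk.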
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-inet_diag_bc_audit.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-inet_diag_bc_audit.patch Thu Aug 11 18:15:23 2011 (r17907)
@@ -0,0 +1,72 @@
+From: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Fri, 17 Jun 2011 20:25:39 +0000 (-0400)
+Subject: inet_diag: fix inet_diag_bc_audit()
+X-Git-Tag: v3.0-rc4~5^2~8
+X-Git-Url: http://git.us.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=eeb1497277d6b1a0a34ed36b97e18f2bd7d6de0d
+
+inet_diag: fix inet_diag_bc_audit()
+
+A malicious user or buggy application can inject code and trigger an
+infinite loop in inet_diag_bc_audit()
+
+Also make sure each instruction is aligned on 4 bytes boundary, to avoid
+unaligned accesses.
+
+Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index 6ffe94c..3267d38 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -437,7 +437,7 @@ static int valid_cc(const void *bc, int len, int cc)
+ return 0;
+ if (cc == len)
+ return 1;
+- if (op->yes < 4)
++ if (op->yes < 4 || op->yes & 3)
+ return 0;
+ len -= op->yes;
+ bc += op->yes;
+@@ -447,11 +447,11 @@ static int valid_cc(const void *bc, int len, int cc)
+
+ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
+ {
+- const unsigned char *bc = bytecode;
++ const void *bc = bytecode;
+ int len = bytecode_len;
+
+ while (len > 0) {
+- struct inet_diag_bc_op *op = (struct inet_diag_bc_op *)bc;
++ const struct inet_diag_bc_op *op = bc;
+
+ //printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
+ switch (op->code) {
+@@ -462,22 +462,20 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
+ case INET_DIAG_BC_S_LE:
+ case INET_DIAG_BC_D_GE:
+ case INET_DIAG_BC_D_LE:
+- if (op->yes < 4 || op->yes > len + 4)
+- return -EINVAL;
+ case INET_DIAG_BC_JMP:
+- if (op->no < 4 || op->no > len + 4)
++ if (op->no < 4 || op->no > len + 4 || op->no & 3)
+ return -EINVAL;
+ if (op->no < len &&
+ !valid_cc(bytecode, bytecode_len, len - op->no))
+ return -EINVAL;
+ break;
+ case INET_DIAG_BC_NOP:
+- if (op->yes < 4 || op->yes > len + 4)
+- return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
++ if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
++ return -EINVAL;
+ bc += op->yes;
+ len -= op->yes;
+ }
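Review bot: The audit loop still dereferences `op->code`, `op->yes` and `op->no` as soon as `len > 0`, so a bytecode attribute of 1–3 bytes is read past its end before the `op->yes < 4` check can reject it; add `if (len < sizeof(*op)) return -EINVAL;` as the first statement of the loop body. The S_COND/D_COND cases also accept an instruction without checking that whatever operand presumably follows the op header fits within `len`, so if the run-time matcher reads such an operand the audit should bound it here as well. The head of valid_cc and inet_diag_bc_audit's return after the loop are outside the hunk.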
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Thu Aug 11 06:12:26 2011 (r17906)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Thu Aug 11 18:15:23 2011 (r17907)
@@ -1 +1,3 @@
+ bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch
++ bugfix/all/alpha-fix-several-security-issues.patch
++ bugfix/all/fix-inet_diag_bc_audit.patch