Commit 2ee55fca authored by Dann Frazier's avatar Dann Frazier

* Merge in changes from 2.6.18.dfsg.1-13etch3.

* bugfix/ptrace-handle-bogus-selector.patch,
  bugfix/fixup-trace_irq-breakage.patch
  [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
  during ptrace single-step operations that can be used to trigger a
  NULL-pointer dereference causing an Oops.
  See CVE-2007-3731
* bugfix/prevent-stack-growth-into-hugetlb-region.patch
  [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
  into address space reserved for hugetlb pages.
  See CVE-2007-3739
* bugfix/cifs-honor-umask.patch
  [SECURITY] Make CIFS honor a process' umask
  See CVE-2007-3740
* bugfix/amd64-zero-extend-32bit-ptrace.patch
  [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
  See CVE-2007-4573
* bugfix/jffs2-ACL-vs-mode-handling.patch
  [SECURITY] Write correct legacy modes to the medium on inode creation to
  prevent incorrect permissions upon remount.
  See CVE-2007-4849

svn path=/dists/etch/linux-2.6/; revision=9566
parents 1608e935 da05efa5
linux-2.6 (2.6.18.dfsg.1-15) stable; urgency=high
* Merge in changes from 2.6.18.dfsg.1-13etch3.
-- dann frazier <dannf@debian.org> Tue, 25 Sep 2007 22:33:15 -0600
linux-2.6 (2.6.18.dfsg.1-14) stable; urgency=high
[ dann frazier ]
......@@ -29,6 +35,31 @@ linux-2.6 (2.6.18.dfsg.1-14) stable; urgency=high
-- dann frazier <dannf@debian.org> Mon, 17 Sep 2007 16:56:07 -0600
linux-2.6 (2.6.18.dfsg.1-13etch3) stable-security; urgency=high
* bugfix/ptrace-handle-bogus-selector.patch,
bugfix/fixup-trace_irq-breakage.patch
[SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
during ptrace single-step operations that can be used to trigger a
NULL-pointer dereference causing an Oops.
See CVE-2007-3731
* bugfix/prevent-stack-growth-into-hugetlb-region.patch
[SECURITY] Prevent OOPS during stack expansion when the VMA crosses
into address space reserved for hugetlb pages.
See CVE-2007-3739
* bugfix/cifs-honor-umask.patch
[SECURITY] Make CIFS honor a process' umask
See CVE-2007-3740
* bugfix/amd64-zero-extend-32bit-ptrace.patch
[SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
See CVE-2007-4573
* bugfix/jffs2-ACL-vs-mode-handling.patch
[SECURITY] Write correct legacy modes to the medium on inode creation to
prevent incorrect permissions upon remount.
See CVE-2007-4849
-- dann frazier <dannf@debian.org> Tue, 25 Sep 2007 22:33:15 -0600
linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high
* bugfix/ipv4-fib_props-out-of-bounds.patch
From: Andi Kleen <ak@suse.de>
Date: Fri, 21 Sep 2007 14:16:18 +0000 (+0200)
Subject: x86_64: Zero extend all registers after ptrace in 32bit entry path.
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=176df2457ef6207156ca1a40991c54ca01fef567
x86_64: Zero extend all registers after ptrace in 32bit entry path.
Strictly it's only needed for eax.
It actually does a little more than strictly needed -- the other registers
are already zero extended.
Also remove the now unnecessary and non functional compat task check
in ptrace.
This is CVE-2007-4573
Found by Wojciech Purczynski
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/arch/x86_64/ia32/ia32entry.S linux-source-2.6.18/arch/x86_64/ia32/ia32entry.S
--- linux-source-2.6.18.orig/arch/x86_64/ia32/ia32entry.S 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/x86_64/ia32/ia32entry.S 2007-09-25 00:10:16.089100799 -0600
@@ -38,6 +38,18 @@
movq %rax,R8(%rsp)
.endm
+ .macro LOAD_ARGS32 offset
+ movl \offset(%rsp),%r11d
+ movl \offset+8(%rsp),%r10d
+ movl \offset+16(%rsp),%r9d
+ movl \offset+24(%rsp),%r8d
+ movl \offset+40(%rsp),%ecx
+ movl \offset+48(%rsp),%edx
+ movl \offset+56(%rsp),%esi
+ movl \offset+64(%rsp),%edi
+ movl \offset+72(%rsp),%eax
+ .endm
+
.macro CFI_STARTPROC32 simple
CFI_STARTPROC \simple
CFI_UNDEFINED r8
@@ -151,7 +163,7 @@ sysenter_tracesys:
movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
movl %ebp, %ebp
/* no need to do an access_ok check here because rbp has been
@@ -253,7 +265,7 @@ cstar_tracesys:
movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
movl RSP-ARGOFFSET(%rsp), %r8d
/* no need to do an access_ok check here because r8 has been
@@ -330,7 +342,7 @@ ia32_tracesys:
movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
jmp ia32_do_syscall
END(ia32_syscall)
diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c linux-source-2.6.18/arch/x86_64/kernel/ptrace.c
--- linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/x86_64/kernel/ptrace.c 2007-09-25 00:10:16.089100799 -0600
@@ -223,10 +223,6 @@ static int putreg(struct task_struct *ch
{
unsigned long tmp;
- /* Some code in the 64bit emulation may not be 64bit clean.
- Don't take any chances. */
- if (test_tsk_thread_flag(child, TIF_IA32))
- value &= 0xffffffff;
switch (regno) {
case offsetof(struct user_regs_struct,fs):
if (value && (value & 3) != 3)
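Review bot: The new LOAD_ARGS32 macro in the ia32entry.S hunk carries no comment, yet the whole fix rests on a detail a reader of the macro alone will not see: a 32-bit `movl` into a register clears the upper 32 bits, so a full 64-bit value written by ptrace cannot survive the reload, whereas the `movq`-based LOAD_ARGS it replaces preserves it. Since the ptrace.c hunk simultaneously drops the TIF_IA32 masking in putreg, the entry-path reload becomes the only place this is enforced, which is worth stating where the macro is defined. Suggested comment above `.macro LOAD_ARGS32 offset`: `/* 32-bit loads zero-extend into the full 64-bit register; this is what keeps a ptrace-written high half (notably in rax, which the dispatch presumably indexes with) out of the 32-bit syscall path, now that putreg no longer masks for ia32 tasks */`. putreg's body continues outside the hunk.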
From: Steve French <sfrench@us.ibm.com>
Date: Fri, 8 Jun 2007 14:55:14 +0000 (+0000)
Subject: [CIFS] CIFS should honour umask
X-Git-Tag: v2.6.22-rc5~50^2
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3ce53fc4c57603d99c330a6ee2fe96d94f2d350f
[CIFS] CIFS should honour umask
This patch makes CIFS honour a process' umask like other filesystems.
Of course the server is still free to munge the permissions if it wants
to; but the client will send the "right" permissions to begin with.
A few caveats:
1) It only applies to filesystems that have CAP_UNIX (aka support unix
extensions)
2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms()
after remote creation
When mode to CIFS/NTFS ACL mapping is complete we can do the
same thing for that case for servers which do not
support the Unix Extensions.
Signed-off-by: Matt Keenen <matt@opcode-solutions.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
---
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/fs/cifs/dir.c linux-source-2.6.18/fs/cifs/dir.c
--- linux-source-2.6.18.orig/fs/cifs/dir.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/fs/cifs/dir.c 2007-09-24 22:49:29.509100350 -0600
@@ -199,7 +199,8 @@ cifs_create(struct inode *inode, struct
/* If Open reported that we actually created a file
then we now have to set the mode if possible */
if ((cifs_sb->tcon->ses->capabilities & CAP_UNIX) &&
- (oplock & CIFS_CREATE_ACTION))
+ (oplock & CIFS_CREATE_ACTION)) {
+ mode &= ~current->fs->umask;
if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode,
(__u64)current->fsuid,
@@ -217,7 +218,7 @@ cifs_create(struct inode *inode, struct
cifs_sb->mnt_cifs_flags &
CIFS_MOUNT_MAP_SPECIAL_CHR);
}
- else {
+ } else {
/* BB implement mode setting via Windows security descriptors */
/* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/
/* could set r/o dos attribute if mode & 0222 == 0 */
@@ -325,6 +326,7 @@ int cifs_mknod(struct inode *inode, stru
if(full_path == NULL)
rc = -ENOMEM;
else if (pTcon->ses->capabilities & CAP_UNIX) {
+ mode &= ~current->fs->umask;
if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
rc = CIFSSMBUnixSetPerms(xid, pTcon, full_path,
mode,(__u64)current->fsuid,(__u64)current->fsgid,
diff -urpN linux-source-2.6.18.orig/fs/cifs/inode.c linux-source-2.6.18/fs/cifs/inode.c
--- linux-source-2.6.18.orig/fs/cifs/inode.c 2007-09-18 16:46:11.000000000 -0600
+++ linux-source-2.6.18/fs/cifs/inode.c 2007-09-24 22:50:34.825099389 -0600
@@ -751,7 +751,8 @@ int cifs_mkdir(struct inode *inode, stru
d_instantiate(direntry, newinode);
if (direntry->d_inode)
direntry->d_inode->i_nlink = 2;
- if (cifs_sb->tcon->ses->capabilities & CAP_UNIX)
+ if (cifs_sb->tcon->ses->capabilities & CAP_UNIX) {
+ mode &= ~current->fs->umask;
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
CIFSSMBUnixSetPerms(xid, pTcon, full_path,
mode,
@@ -769,7 +770,7 @@ int cifs_mkdir(struct inode *inode, stru
cifs_sb->mnt_cifs_flags &
CIFS_MOUNT_MAP_SPECIAL_CHR);
}
- else {
+ } else {
/* BB to be implemented via Windows secrty descriptors
eg CIFSSMBWinSetPerms(xid, pTcon, full_path, mode,
-1, -1, local_nls); */
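Review bot: `mode &= ~current->fs->umask;` is repeated in cifs_create, cifs_mknod and cifs_mkdir, and in each case it is applied inside the CAP_UNIX branch only after the object already exists on the server, so any earlier consumer of `mode` in these functions (the create and mkdir calls lie outside the hunks) still sees the unmasked value. Masking once at function entry, e.g. `mode &= ~current->fs->umask;` as the first statement of each function, would apply the umask uniformly and remove the duplication. If the non-CAP_UNIX path is deliberately meant to keep the raw mode, as the commit message's caveat suggests, mask into a local before the create call instead. The enclosing functions all start outside the hunks.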
From: Peter Zijlstra <peterz@infradead.org>
Date: Wed, 18 Jul 2007 18:59:22 +0000 (+0200)
Subject: i386: fixup TRACE_IRQ breakage
X-Git-Tag: v2.6.23-rc1~491
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a10d9a71bafd3a283da240d2868e71346d2aef6f
i386: fixup TRACE_IRQ breakage
The TRACE_IRQS_ON function in iret_exc: calls a C function without
ensuring that the segments are set properly. Move the trace function and
the enabling of interrupt into the C stub.
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/entry.S linux-source-2.6.18/arch/i386/kernel/entry.S
--- linux-source-2.6.18.orig/arch/i386/kernel/entry.S 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/i386/kernel/entry.S 2007-09-19 23:53:22.929573806 -0600
@@ -384,8 +384,6 @@ restore_nocheck_notrace:
1: iret
.section .fixup,"ax"
iret_exc:
- TRACE_IRQS_ON
- sti
pushl $0 # no error code
pushl $do_iret_error
jmp error_code
diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/traps.c linux-source-2.6.18/arch/i386/kernel/traps.c
--- linux-source-2.6.18.orig/arch/i386/kernel/traps.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/i386/kernel/traps.c 2007-09-19 23:47:18.209575527 -0600
@@ -516,10 +516,12 @@ fastcall void do_##name(struct pt_regs *
do_trap(trapnr, signr, str, 0, regs, error_code, NULL); \
}
-#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr) \
+#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr, irq) \
fastcall void do_##name(struct pt_regs * regs, long error_code) \
{ \
siginfo_t info; \
+ if (irq) \
+ local_irq_enable(); \
info.si_signo = signr; \
info.si_errno = 0; \
info.si_code = sicode; \
@@ -559,13 +561,13 @@ DO_VM86_ERROR( 3, SIGTRAP, "int3", int3)
#endif
DO_VM86_ERROR( 4, SIGSEGV, "overflow", overflow)
DO_VM86_ERROR( 5, SIGSEGV, "bounds", bounds)
-DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip)
+DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip, 0)
DO_ERROR( 9, SIGFPE, "coprocessor segment overrun", coprocessor_segment_overrun)
DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS)
DO_ERROR(11, SIGBUS, "segment not present", segment_not_present)
DO_ERROR(12, SIGBUS, "stack segment", stack_segment)
-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0)
-DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0)
+DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0, 0)
+DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0, 1)
fastcall void __kprobes do_general_protection(struct pt_regs * regs,
long error_code)
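Review bot: The new `irq` parameter of DO_ERROR_INFO is passed as a bare `0` or `1` at the three call sites with nothing in traps.c saying what it means; only the `sti` removed from iret_exc in entry.S explains that the iret fixup arrives with interrupts disabled and must re-enable them before the signal is delivered. Suggested comment above the macro: `/* irq: enable interrupts before delivering the signal; set for traps entered with them disabled (iret_error) */`. Moving this into C also appears to subsume the removed TRACE_IRQS_ON, since `local_irq_enable()` in lockdep-enabled kernels includes the hardirq tracing call, but that is worth confirming against this tree's irqflags.h. do_general_protection begins at the end of the hunk and continues outside it.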
From: Adam Litke <agl@us.ibm.com>
Date: Tue, 30 Jan 2007 22:35:39 +0000 (-0800)
Subject: [PATCH] Don't allow the stack to grow into hugetlb reserved regions
X-Git-Tag: v2.6.20-rc7~10
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0d59a01bc461bbab4017ff449b8401151ef44cf6
[PATCH] Don't allow the stack to grow into hugetlb reserved regions
When expanding the stack, we don't currently check if the VMA will cross
into an area of the address space that is reserved for hugetlb pages.
Subsequent faults on the expanded portion of such a VMA will confuse the
low-level MMU code, resulting in an OOPS. Check for this.
Signed-off-by: Adam Litke <agl@us.ibm.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Cc: William Lee Irwin III <wli@holomorphy.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
diff --git a/mm/mmap.c b/mm/mmap.c
index 9717337..cc3a208 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1477,6 +1477,7 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
{
struct mm_struct *mm = vma->vm_mm;
struct rlimit *rlim = current->signal->rlim;
+ unsigned long new_start;
/* address space limit tests */
if (!may_expand_vm(mm, grow))
@@ -1496,6 +1497,12 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
return -ENOMEM;
}
+ /* Check to ensure the stack will not grow into a hugetlb-only region */
+ new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start :
+ vma->vm_end - size;
+ if (is_hugepage_only_range(vma->vm_mm, new_start, size))
+ return -EFAULT;
+
/*
* Overcommit.. This must be the final test, as it will
* update security statistics.
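Review bot: The new check calls `is_hugepage_only_range(vma->vm_mm, new_start, size)` although acct_stack_growth already caches that pointer as `mm` (visible in the first hunk) and passes it to `may_expand_vm(mm, grow)`; use `is_hugepage_only_range(mm, new_start, size)` for consistency. The `new_start` ternary would also read better with a short reason, e.g. `/* a downward-growing stack gains pages below vm_end; VM_GROWSUP keeps vm_start */`, since `size` appears to be the VMA's new total length but that is established outside the hunk. The function's remaining body, including the overcommit test, lies outside the hunk.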
From: Roland McGrath <roland@redhat.com>
Date: Mon, 16 Jul 2007 08:03:16 +0000 (-0700)
Subject: Handle bogus %cs selector in single-step instruction decoding
X-Git-Tag: v2.6.23-rc1~492
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=29eb51101c02df517ca64ec472d7501127ad1da8
Handle bogus %cs selector in single-step instruction decoding
The code for LDT segment selectors was not robust in the face of a bogus
selector set in %cs via ptrace before the single-step was done.
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c linux-source-2.6.18/arch/i386/kernel/ptrace.c
--- linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/i386/kernel/ptrace.c 2007-09-19 23:45:45.949576125 -0600
@@ -172,14 +172,22 @@ static unsigned long convert_eip_to_line
u32 *desc;
unsigned long base;
- down(&child->mm->context.sem);
- desc = child->mm->context.ldt + (seg & ~7);
- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+ seg &= ~7UL;
- /* 16-bit code segment? */
- if (!((desc[1] >> 22) & 1))
- addr &= 0xffff;
- addr += base;
+ down(&child->mm->context.sem);
+ if (unlikely((seg >> 3) >= child->mm->context.size))
+ addr = -1L; /* bogus selector, access would fault */
+ else {
+ desc = child->mm->context.ldt + seg;
+ base = ((desc[0] >> 16) |
+ ((desc[1] & 0xff) << 16) |
+ (desc[1] & 0xff000000));
+
+ /* 16-bit code segment? */
+ if (!((desc[1] >> 22) & 1))
+ addr &= 0xffff;
+ addr += base;
+ }
up(&child->mm->context.sem);
}
return addr;
diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c linux-source-2.6.18/arch/x86_64/kernel/ptrace.c
--- linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/x86_64/kernel/ptrace.c 2007-09-19 23:45:45.953575027 -0600
@@ -103,16 +103,25 @@ unsigned long convert_rip_to_linear(stru
u32 *desc;
unsigned long base;
- down(&child->mm->context.sem);
- desc = child->mm->context.ldt + (seg & ~7);
- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+ seg &= ~7UL;
- /* 16-bit code segment? */
- if (!((desc[1] >> 22) & 1))
- addr &= 0xffff;
- addr += base;
+ down(&child->mm->context.sem);
+ if (unlikely((seg >> 3) >= child->mm->context.size))
+ addr = -1L; /* bogus selector, access would fault */
+ else {
+ desc = child->mm->context.ldt + seg;
+ base = ((desc[0] >> 16) |
+ ((desc[1] & 0xff) << 16) |
+ (desc[1] & 0xff000000));
+
+ /* 16-bit code segment? */
+ if (!((desc[1] >> 22) & 1))
+ addr &= 0xffff;
+ addr += base;
+ }
up(&child->mm->context.sem);
}
+
return addr;
}
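Review bot: The bound check `(seg >> 3) >= child->mm->context.size` mixes units: `seg &= ~7UL` on the line above turns the selector into a byte offset into the LDT, while `context.size` counts descriptors, so the comparison is right only because each entry is 8 bytes, and a one-line comment would keep that from being "fixed" later: `/* seg is now a byte offset into the LDT; context.size counts 8-byte entries */`. The same check and the same missing comment appear in the i386 hunk for convert_eip_to_linear (L324–L351). The `addr = -1L` sentinel relies on callers treating the result as an address that faults on access, as the inline comment says; the callers are outside both hunks, so that contract cannot be confirmed from here. Both enclosing functions begin outside their hunks.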
+ bugfix/ptrace-handle-bogus-selector.patch
+ bugfix/fixup-trace_irq-breakage.patch
+ bugfix/prevent-stack-growth-into-hugetlb-region.patch
+ bugfix/cifs-honor-umask.patch
+ bugfix/amd64-zero-extend-32bit-ptrace.patch
+ bugfix/jffs2-ACL-vs-mode-handling.patch