Commit 7dc0b95f authored by Dann Frazier's avatar Dann Frazier

* bugfix/ptrace-handle-bogus-selector.patch,

  bugfix/fixup-trace_irq-breakage.patch
  [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
  during ptrace single-step operations that can be used to trigger a
  NULL-pointer dereference causing an Oops.

svn path=/dists/etch-security/linux-2.6/; revision=9538
parent 3cf4b478
linux-2.6 (2.6.18.dfsg.1-13etch3) UNRELEASED; urgency=low
* bugfix/ptrace-handle-bogus-selector.patch,
bugfix/fixup-trace_irq-breakage.patch
[SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
during ptrace single-step operations that can be used to trigger a
NULL-pointer dereference causing an Oops.
-- dann frazier <dannf@debian.org> Thu, 20 Sep 2007 08:24:55 -0600
linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high
* bugfix/ipv4-fib_props-out-of-bounds.patch
......
From: Peter Zijlstra <peterz@infradead.org>
Date: Wed, 18 Jul 2007 18:59:22 +0000 (+0200)
Subject: i386: fixup TRACE_IRQ breakage
X-Git-Tag: v2.6.23-rc1~491
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a10d9a71bafd3a283da240d2868e71346d2aef6f
i386: fixup TRACE_IRQ breakage
The TRACE_IRQS_ON function in iret_exc: calls a C function without
ensuring that the segments are set properly. Move the trace function and
the enabling of interrupt into the C stub.
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/entry.S linux-source-2.6.18/arch/i386/kernel/entry.S
--- linux-source-2.6.18.orig/arch/i386/kernel/entry.S 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/i386/kernel/entry.S 2007-09-19 23:53:22.929573806 -0600
@@ -384,8 +384,6 @@ restore_nocheck_notrace:
1: iret
.section .fixup,"ax"
iret_exc:
- TRACE_IRQS_ON
- sti
pushl $0 # no error code
pushl $do_iret_error
jmp error_code
diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/traps.c linux-source-2.6.18/arch/i386/kernel/traps.c
--- linux-source-2.6.18.orig/arch/i386/kernel/traps.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/i386/kernel/traps.c 2007-09-19 23:47:18.209575527 -0600
@@ -516,10 +516,12 @@ fastcall void do_##name(struct pt_regs *
do_trap(trapnr, signr, str, 0, regs, error_code, NULL); \
}
-#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr) \
+#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr, irq) \
fastcall void do_##name(struct pt_regs * regs, long error_code) \
{ \
siginfo_t info; \
+ if (irq) \
+ local_irq_enable(); \
info.si_signo = signr; \
info.si_errno = 0; \
info.si_code = sicode; \
@@ -559,13 +561,13 @@ DO_VM86_ERROR( 3, SIGTRAP, "int3", int3)
#endif
DO_VM86_ERROR( 4, SIGSEGV, "overflow", overflow)
DO_VM86_ERROR( 5, SIGSEGV, "bounds", bounds)
-DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip)
+DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip, 0)
DO_ERROR( 9, SIGFPE, "coprocessor segment overrun", coprocessor_segment_overrun)
DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS)
DO_ERROR(11, SIGBUS, "segment not present", segment_not_present)
DO_ERROR(12, SIGBUS, "stack segment", stack_segment)
-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0)
-DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0)
+DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0, 0)
+DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0, 1)
fastcall void __kprobes do_general_protection(struct pt_regs * regs,
long error_code)
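Review bot: The new `irq` argument to DO_ERROR_INFO (the `if (irq) local_irq_enable();` lines in the traps.c hunk) is a bare 0/1 flag with nothing saying why only `iret_error` passes 1, so a later reader has to reconstruct the reason from entry.S. Add a comment above the macro such as `/* irq: nonzero if the C handler must enable interrupts itself; the iret_exc fixup no longer does TRACE_IRQS_ON/sti before entering C */` and at the `iret_error` instantiation `/* irq=1: iret_exc enters with interrupts off */`. Moving the enable into C is only safe because the asm `error_code` path is expected to have loaded kernel data segments before `do_iret_error` runs, which is not visible in this hunk and is worth stating in that comment so the invariant is not lost in future backports. The DO_ERROR macro above the hunk and `do_general_protection` below it both extend past the hunk boundaries.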
From: Roland McGrath <roland@redhat.com>
Date: Mon, 16 Jul 2007 08:03:16 +0000 (-0700)
Subject: Handle bogus %cs selector in single-step instruction decoding
X-Git-Tag: v2.6.23-rc1~492
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=29eb51101c02df517ca64ec472d7501127ad1da8
Handle bogus %cs selector in single-step instruction decoding
The code for LDT segment selectors was not robust in the face of a bogus
selector set in %cs via ptrace before the single-step was done.
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c linux-source-2.6.18/arch/i386/kernel/ptrace.c
--- linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/i386/kernel/ptrace.c 2007-09-19 23:45:45.949576125 -0600
@@ -172,14 +172,22 @@ static unsigned long convert_eip_to_line
u32 *desc;
unsigned long base;
- down(&child->mm->context.sem);
- desc = child->mm->context.ldt + (seg & ~7);
- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+ seg &= ~7UL;
- /* 16-bit code segment? */
- if (!((desc[1] >> 22) & 1))
- addr &= 0xffff;
- addr += base;
+ down(&child->mm->context.sem);
+ if (unlikely((seg >> 3) >= child->mm->context.size))
+ addr = -1L; /* bogus selector, access would fault */
+ else {
+ desc = child->mm->context.ldt + seg;
+ base = ((desc[0] >> 16) |
+ ((desc[1] & 0xff) << 16) |
+ (desc[1] & 0xff000000));
+
+ /* 16-bit code segment? */
+ if (!((desc[1] >> 22) & 1))
+ addr &= 0xffff;
+ addr += base;
+ }
up(&child->mm->context.sem);
}
return addr;
diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c linux-source-2.6.18/arch/x86_64/kernel/ptrace.c
--- linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/arch/x86_64/kernel/ptrace.c 2007-09-19 23:45:45.953575027 -0600
@@ -103,16 +103,25 @@ unsigned long convert_rip_to_linear(stru
u32 *desc;
unsigned long base;
- down(&child->mm->context.sem);
- desc = child->mm->context.ldt + (seg & ~7);
- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+ seg &= ~7UL;
- /* 16-bit code segment? */
- if (!((desc[1] >> 22) & 1))
- addr &= 0xffff;
- addr += base;
+ down(&child->mm->context.sem);
+ if (unlikely((seg >> 3) >= child->mm->context.size))
+ addr = -1L; /* bogus selector, access would fault */
+ else {
+ desc = child->mm->context.ldt + seg;
+ base = ((desc[0] >> 16) |
+ ((desc[1] & 0xff) << 16) |
+ (desc[1] & 0xff000000));
+
+ /* 16-bit code segment? */
+ if (!((desc[1] >> 22) & 1))
+ addr &= 0xffff;
+ addr += base;
+ }
up(&child->mm->context.sem);
}
+
return addr;
}
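Review bot: Both hunks return the in-band sentinel `addr = -1L` for an out-of-range LDT index, but nothing at the function boundary tells callers that the result may be an unmapped address, so the comment `bogus selector, access would fault` only holds if every caller checks the result of its subsequent user-memory read. Document that contract at the top of `convert_eip_to_linear`/`convert_rip_to_linear` (their headers, and the LDT-selector test and masking of `seg` that these hunks rely on, are above the hunk), e.g. `/* Returns the linear address for the traced task's eip; for a bogus %cs it is -1L and the caller must tolerate the following copy failing. */`. The bounds check itself looks sound: it compares the descriptor index `seg >> 3` against `context.size` under `context.sem`, and assuming size is 0 when no LDT has been allocated it also covers the NULL `context.ldt` case the changelog describes. Minor: the x86_64 hunk also adds an unrelated blank line before `return addr;`, which looks like a leftover of the backport adjustment and could be dropped to keep the patch minimal.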
+ bugfix/ptrace-handle-bogus-selector.patch
+ bugfix/fixup-trace_irq-breakage.patch