Commit e8760714 authored by Dann Frazier's avatar Dann Frazier

merge in 2.6.18.dfsg.1-13etch2

svn path=/dists/etch/linux-2.6/; revision=9446
parents 55a42cc9 3cf4b478
......@@ -27,6 +27,31 @@ linux-2.6 (2.6.18.dfsg.1-14) UNRELEASED; urgency=high
-- dann frazier <dannf@debian.org> Wed, 29 Aug 2007 01:54:05 -0600
linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high
* bugfix/ipv4-fib_props-out-of-bounds.patch
[SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
and check for out of bounds condition in index provided by userspace
See CVE-2007-2172
* bugfix/cpuset_tasks-underflow.patch
[SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
local attackers to read sensitive kernel memory if the cpuset filesystem
is mounted.
See CVE-2007-2875
* bugfix/random-bound-check-ordering.patch
[SECURITY] Fix stack-based buffer overflow in the random number
generator
See CVE-2007-3105
* bugfix/cifs-fix-sign-settings.patch
[SECURITY] Fix overriding the server to force signing on caused by
checking the wrong gloal variable.
See CVE-2007-3843
* bugfix/aacraid-ioctl-perm-check.patch
[SECURITY] Require admin capabilities to issue ioctls to aacraid devices
See CVE-2007-4308
-- dann frazier <dannf@debian.org> Mon, 27 Aug 2007 23:29:31 -0600
linux-2.6 (2.6.18.dfsg.1-13etch1) stable-security; urgency=high
* Update abi reference files for ABI 5
......
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Date: Mon, 23 Jul 2007 13:51:05 +0000 (+0100)
Subject: [SCSI] aacraid: Fix security hole
X-Git-Tag: v2.6.23-rc2~164^2~24
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=60395bb60e0b5e4e0808ac8eb07a92f6c9cdea1f
[SCSI] aacraid: Fix security hole
On the SCSI layer ioctl path there is no implicit permissions check for
ioctls (and indeed other drivers implement unprivileged ioctls). aacraid
however allows all sorts of very admin only things to be done so should
check.
Signed-off-by: Alan Cox <alan@redhat.com>
Acked-by: "Salyzyn, Mark" <mark_salyzyn@adaptec.com>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
---
Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@debian.org>
--- linux-source-2.6.18.orig/drivers/scsi/aacraid/linit.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/drivers/scsi/aacraid/linit.c 2007-08-27 23:27:41.805986591 -0600
@@ -536,6 +536,8 @@ static int aac_cfg_open(struct inode *in
static int aac_cfg_ioctl(struct inode *inode, struct file *file,
unsigned int cmd, unsigned long arg)
{
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return aac_do_ioctl(file->private_data, cmd, (void __user *)arg);
}
@@ -589,6 +591,8 @@ static int aac_compat_ioctl(struct scsi_
static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg)
{
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg);
}
#endif
From: Steve French <sfrench@us.ibm.com>
Date: Thu, 28 Jun 2007 18:41:42 +0000 (+0000)
Subject: [CIFS] Fix sign mount option and sign proc config setting
X-Git-Tag: v2.6.23-rc1~478^2~20
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=762e5ab77c803c819e45d054518a98efb70b0f60
[CIFS] Fix sign mount option and sign proc config setting
We were checking the wrong (old) global variable to determine
whether to override server and force signing on the SMB
connection.
Acked-by: Dave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
---
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/fs/cifs/cifs_debug.c linux-source-2.6.18/fs/cifs/cifs_debug.c
--- linux-source-2.6.18.orig/fs/cifs/cifs_debug.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/fs/cifs/cifs_debug.c 2007-08-27 23:12:40.666200121 -0600
@@ -895,90 +895,14 @@ security_flags_write(struct file *file,
}
/* flags look ok - update the global security flags for cifs module */
extended_security = flags;
+ if (extended_security & CIFSSEC_MUST_SIGN) {
+ /* requiring signing implies signing is allowed */
+ extended_security |= CIFSSEC_MAY_SIGN;
+ cFYI(1, ("packet signing now required"));
+ } else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
+ cFYI(1, ("packet signing disabled"));
+ }
+ /* BB should we turn on MAY flags for other MUST options? */
return count;
}
-
-/* static int
-ntlmv2_enabled_read(char *page, char **start, off_t off,
- int count, int *eof, void *data)
-{
- int len;
-
- len = sprintf(page, "%d\n", ntlmv2_support);
-
- len -= off;
- *start = page + off;
-
- if (len > count)
- len = count;
- else
- *eof = 1;
-
- if (len < 0)
- len = 0;
-
- return len;
-}
-static int
-ntlmv2_enabled_write(struct file *file, const char __user *buffer,
- unsigned long count, void *data)
-{
- char c;
- int rc;
-
- rc = get_user(c, buffer);
- if (rc)
- return rc;
- if (c == '0' || c == 'n' || c == 'N')
- ntlmv2_support = 0;
- else if (c == '1' || c == 'y' || c == 'Y')
- ntlmv2_support = 1;
- else if (c == '2')
- ntlmv2_support = 2;
-
- return count;
-}
-
-static int
-packet_signing_enabled_read(char *page, char **start, off_t off,
- int count, int *eof, void *data)
-{
- int len;
-
- len = sprintf(page, "%d\n", sign_CIFS_PDUs);
-
- len -= off;
- *start = page + off;
-
- if (len > count)
- len = count;
- else
- *eof = 1;
-
- if (len < 0)
- len = 0;
-
- return len;
-}
-static int
-packet_signing_enabled_write(struct file *file, const char __user *buffer,
- unsigned long count, void *data)
-{
- char c;
- int rc;
-
- rc = get_user(c, buffer);
- if (rc)
- return rc;
- if (c == '0' || c == 'n' || c == 'N')
- sign_CIFS_PDUs = 0;
- else if (c == '1' || c == 'y' || c == 'Y')
- sign_CIFS_PDUs = 1;
- else if (c == '2')
- sign_CIFS_PDUs = 2;
-
- return count;
-} */
-
-
#endif
diff -urpN linux-source-2.6.18.orig/fs/cifs/cifssmb.c linux-source-2.6.18/fs/cifs/cifssmb.c
--- linux-source-2.6.18.orig/fs/cifs/cifssmb.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/fs/cifs/cifssmb.c 2007-08-27 23:12:40.678200384 -0600
@@ -411,11 +411,11 @@ CIFSSMBNegotiate(unsigned int xid, struc
/* if any of auth flags (ie not sign or seal) are overriden use them */
if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
- secFlags = ses->overrideSecFlg;
+ secFlags = ses->overrideSecFlg; /* BB FIXME fix sign flags? */
else /* if override flags set only sign/seal OR them with global auth */
secFlags = extended_security | ses->overrideSecFlg;
- cFYI(1,("secFlags 0x%x",secFlags));
+ cFYI(1, ("secFlags 0x%x", secFlags));
pSMB->hdr.Mid = GetNextMid(server);
pSMB->hdr.Flags2 |= SMBFLG2_UNICODE;
@@ -582,22 +582,32 @@ CIFSSMBNegotiate(unsigned int xid, struc
#ifdef CONFIG_CIFS_WEAK_PW_HASH
signing_check:
#endif
- if(sign_CIFS_PDUs == FALSE) {
+ if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
+ /* MUST_SIGN already includes the MAY_SIGN FLAG
+ so if this is zero it means that signing is disabled */
+ cFYI(1, ("Signing disabled"));
if(server->secMode & SECMODE_SIGN_REQUIRED)
- cERROR(1,("Server requires "
- "/proc/fs/cifs/PacketSigningEnabled to be on"));
+ cERROR(1, ("Server requires "
+ "/proc/fs/cifs/PacketSigningEnabled "
+ "to be on"));
server->secMode &=
~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
- } else if(sign_CIFS_PDUs == 1) {
+ } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
+ /* signing required */
+ cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
+ if ((server->secMode &
+ (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
+ cERROR(1,
+ ("signing required but server lacks support"));
+ } else
+ server->secMode |= SECMODE_SIGN_REQUIRED;
+ } else {
+ /* signing optional ie CIFSSEC_MAY_SIGN */
if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
server->secMode &=
~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
- } else if(sign_CIFS_PDUs == 2) {
- if((server->secMode &
- (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
- cERROR(1,("signing required but server lacks support"));
- }
}
+
neg_err_exit:
cifs_buf_release(pSMB);
From: Akinobu Mita <akinobu.mita@gmail.com>
Date: Wed, 9 May 2007 09:33:33 +0000 (-0700)
Subject: use simple_read_from_buffer in kernel/
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=85badbdf5120d246ce2bb3f1a7689a805f9c9006
use simple_read_from_buffer in kernel/
Cleanup using simple_read_from_buffer() for /dev/cpuset/tasks and
/proc/config.gz.
Cc: Paul Jackson <pj@sgi.com>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/kernel/configs.c linux-source-2.6.18/kernel/configs.c
--- linux-source-2.6.18.orig/kernel/configs.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/kernel/configs.c 2007-08-27 22:30:10.774211736 -0600
@@ -61,18 +61,9 @@ static ssize_t
ikconfig_read_current(struct file *file, char __user *buf,
size_t len, loff_t * offset)
{
- loff_t pos = *offset;
- ssize_t count;
-
- if (pos >= kernel_config_data_size)
- return 0;
-
- count = min(len, (size_t)(kernel_config_data_size - pos));
- if (copy_to_user(buf, kernel_config_data + MAGIC_SIZE + pos, count))
- return -EFAULT;
-
- *offset += count;
- return count;
+ return simple_read_from_buffer(buf, len, offset,
+ kernel_config_data + MAGIC_SIZE,
+ kernel_config_data_size);
}
static struct file_operations ikconfig_file_ops = {
diff -urpN linux-source-2.6.18.orig/kernel/cpuset.c linux-source-2.6.18/kernel/cpuset.c
--- linux-source-2.6.18.orig/kernel/cpuset.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/kernel/cpuset.c 2007-08-27 22:30:10.778211823 -0600
@@ -1743,12 +1743,7 @@ static ssize_t cpuset_tasks_read(struct
{
struct ctr_struct *ctr = file->private_data;
- if (*ppos + nbytes > ctr->bufsz)
- nbytes = ctr->bufsz - *ppos;
- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
- return -EFAULT;
- *ppos += nbytes;
- return nbytes;
+ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
}
static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
From: Thomas Graf <tgraf@suug.ch>
Date: Sun, 25 Mar 2007 03:32:54 +0000 (-0700)
Subject: [IPv4] fib: Fix out of bound access of fib_props[]
X-Git-Tag: v2.6.21~241^2~12
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a0ee18b9b7d3847976c6fb315c06a34fb296de0e
[IPv4] fib: Fix out of bound access of fib_props[]
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>, heavily
based upon Tim Gardner's backport for Ubuntu:
http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-edgy.git;a=commitdiff;h=6e87288e83ac08e7154980795622efdafd49c9c8
--- linux-source-2.6.18.orig/net/ipv4/fib_semantics.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/net/ipv4/fib_semantics.c 2007-08-27 22:15:04.678316443 -0600
@@ -88,7 +88,7 @@ static const struct
{
int error;
u8 scope;
-} fib_props[RTA_MAX + 1] = {
+} fib_props[RTN_MAX + 1] = {
{
.error = 0,
.scope = RT_SCOPE_NOWHERE,
@@ -662,6 +662,9 @@ fib_create_info(const struct rtmsg *r, s
u32 mp_alg = IP_MP_ALG_NONE;
#endif
+ if (r->rtm_type > RTN_MAX)
+ goto err_inval;
+
/* Fast check to catch the most weird cases */
if (fib_props[r->rtm_type].scope > r->rtm_scope)
goto err_inval;
From: Matt Mackall <mpm@selenic.com>
Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700)
Subject: random: fix bound check ordering (CVE-2007-3105)
X-Git-Tag: v2.6.23-rc1~259
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd
random: fix bound check ordering (CVE-2007-3105)
If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.
(Bug reported by the PaX Team <pageexec@freemail.hu>)
Cc: Theodore Tso <tytso@mit.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 7f52712..397c714 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -693,9 +693,14 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
if (r->pull && r->entropy_count < nbytes * 8 &&
r->entropy_count < r->poolinfo->POOLBITS) {
- int bytes = max_t(int, random_read_wakeup_thresh / 8,
- min_t(int, nbytes, sizeof(tmp)));
+ /* If we're limited, always leave two wakeup worth's BITS */
int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
+ int bytes = nbytes;
+
+ /* pull at least as many as BYTES as wakeup BITS */
+ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
+ /* but never more than the buffer size */
+ bytes = min_t(int, bytes, sizeof(tmp));
DEBUG_ENT("going to reseed %s with %d bits "
"(%d of %d requested)\n",
+ bugfix/ipv4-fib_props-out-of-bounds.patch
+ bugfix/cpuset_tasks-underflow.patch
+ bugfix/random-bound-check-ordering.patch
+ bugfix/cifs-fix-sign-settings.patch
+ bugfix/aacraid-ioctl-perm-check.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment