
Re: Preparing the first security update for kernel-source-2.6.8



On Wed, Jun 29, 2005 at 11:14:20AM +0900, Horms wrote:
> On Tue, Jun 28, 2005 at 10:36:15PM +0200, Frederik Schueler wrote:
> > Hello,
> > 
> > I would like to start preparing a security update for kernel-source-2.6.8
> > in sarge, which released with version 2.6.8-16. 
> > 
> > In sarge-security we have an old 2.6.15sarge1 which never got released.
> > 
> > Does anyone object if I update those sources to the revision in sarge,
> > and we start building 2.6.8-16sarge1 from it?
> > 
> > I already got some patches from the ubuntu 2.6.8 kernel package addressing 
> > the following 5 issues:
> > 
> > CAN-2005-0756
> > CAN-2005-1265
> > CAN-2005-1762
> > CAN-2005-1763
> > CAN-2005-1765
> > 
> > and these 3 still need to be addressed:
> > 
> > CAN-2005-1764
> > CAN-2005-0449 #295949
> > CAN-2005-0356 #310804
> > 
> > 
> > if nobody objects, I would like to commit my changes.

Dann, could you comment on the need for backporting the patch below
from 2.6.12.1. It does not apply cleanly to 2.6.8, as there
seem to have been a bunch of other patches in the meantime.


-- 
Horms


commit df0112ae92e768bda81105cff85d7c8e46004d7b
tree 98f262f17071a9ab1d1fa1ffa42085faaffb6b12
parent fe3d5c8793fcaf33c5d3118a7f3ffc135eadaf4d
author Matthew Chapman <matthewc@hp.com> 1119325981 -0700
committer Chris Wright <chrisw@osdl.org> 1119468770 -0700

[PATCH] ia64 ptrace + sigrestore_context (CAN-2005-1761)

This patch fixes handling of accesses to ar.rsc via ptrace &
restore_sigcontext

Signed-off-by: Matthew Chapman <matthewc@hp.com>
Acked-by: David Mosberger <davidm@hpl.hp.com>
Acked-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>

I:100644 100644 575a8f657b3129bacc8ec2979470ecc84c9b7b3f 6d57aebad485fd35db55c8ffbc9497fd6aba34b9 M	arch/ia64/kernel/ptrace.c
I:100644 100644 499b7e5317cf4f5ac3564ccf55bfdc5dc2829da5 edd9f07860b227a230ab981d1a8691a68bd01a7a M	arch/ia64/kernel/signal.c

Key:
S: Skipped
I: Included Included verbatim
D: Deleted  Manually deleted by subsequent user edit
R: Revised  Manually revised by subsequent user edit

diff --git a/arch/ia64/kernel/ptrace.c b/arch/ia64/kernel/ptrace.c
--- a/arch/ia64/kernel/ptrace.c
+++ b/arch/ia64/kernel/ptrace.c
@@ -945,6 +945,13 @@ access_uarea (struct task_struct *child,
 				*data = (pt->cr_ipsr & IPSR_MASK);
 			return 0;
 
+		      case PT_AR_RSC:
+			if (write_access)
+				pt->ar_rsc = *data | (3 << 2); /* force PL3 */
+			else
+				*data = pt->ar_rsc;
+			return 0;
+
 		      case PT_AR_RNAT:
 			urbs_end = ia64_get_user_rbs_end(child, pt, NULL);
 			rnat_addr = (long) ia64_rse_rnat_addr((long *)
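Review bot: The privilege-level fixup `pt->ar_rsc = *data | (3 << 2); /* force PL3 */` on the new PT_AR_RSC write path open-codes the same constant that the signal.c hunk applies in restore_sigcontext at `scr->pt.ar_rsc = rsc | (3 << 2);`, so the two sites can drift apart if one is later adjusted. A single named constant in a shared header used at both sites, along the lines of `#define IA64_RSC_FORCE_PL3 (3UL << 2) /* ar.rsc.pl field */` (name illustrative), would keep the policy in one place and also match the `1UL << 63` style on the neighbouring signal.c line. The comment at both sites should say why rather than what: `/* ar.rsc comes from user space; keep pl at 3 so the stored value can never lower the privilege level */`. access_uarea's switch begins before and continues past this hunk.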
@@ -996,9 +1003,6 @@ access_uarea (struct task_struct *child,
 		      case PT_AR_BSPSTORE:
 			ptr = pt_reg_addr(pt, ar_bspstore);
 			break;
-		      case PT_AR_RSC:
-			ptr = pt_reg_addr(pt, ar_rsc);
-			break;
 		      case PT_AR_UNAT:
 			ptr = pt_reg_addr(pt, ar_unat);
 			break;
@@ -1234,7 +1238,7 @@ ptrace_getregs (struct task_struct *chil
 static long
 ptrace_setregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
 {
-	unsigned long psr, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
+	unsigned long psr, rsc, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
 	struct unw_frame_info info;
 	struct switch_stack *sw;
 	struct ia64_fpreg fpval;
@@ -1267,7 +1271,7 @@ ptrace_setregs (struct task_struct *chil
 	/* app regs */
 
 	retval |= __get_user(pt->ar_pfs, &ppr->ar[PT_AUR_PFS]);
-	retval |= __get_user(pt->ar_rsc, &ppr->ar[PT_AUR_RSC]);
+	retval |= __get_user(rsc, &ppr->ar[PT_AUR_RSC]);
 	retval |= __get_user(pt->ar_bspstore, &ppr->ar[PT_AUR_BSPSTORE]);
 	retval |= __get_user(pt->ar_unat, &ppr->ar[PT_AUR_UNAT]);
 	retval |= __get_user(pt->ar_ccv, &ppr->ar[PT_AUR_CCV]);
@@ -1365,6 +1369,7 @@ ptrace_setregs (struct task_struct *chil
 	retval |= __get_user(nat_bits, &ppr->nat);
 
 	retval |= access_uarea(child, PT_CR_IPSR, &psr, 1);
+	retval |= access_uarea(child, PT_AR_RSC, &rsc, 1);
 	retval |= access_uarea(child, PT_AR_EC, &ec, 1);
 	retval |= access_uarea(child, PT_AR_LC, &lc, 1);
 	retval |= access_uarea(child, PT_AR_RNAT, &rnat, 1);
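Review bot: The new `retval |= access_uarea(child, PT_AR_RSC, &rsc, 1);` is the only reason the earlier hunk stages the value in a local (`retval |= __get_user(rsc, &ppr->ar[PT_AUR_RSC]);`) instead of reading straight into pt->ar_rsc like the neighbouring app regs, and nothing at either site says so; a short comment would save the next reader a trip back to access_uarea: `/* via access_uarea so the PT_AR_RSC write path forces pl=3 on the user-supplied value */`. If the `__get_user` into rsc failed, rsc reaches this call uninitialized; retval is already non-zero by then and psr, ec and lc appear to share the same pattern (declared without initializers on the same line), so this is inherited behaviour rather than a new defect, but the comment could mention that the caller is expected to discard the result on error. ptrace_setregs starts and ends outside this hunk.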
diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
--- a/arch/ia64/kernel/signal.c
+++ b/arch/ia64/kernel/signal.c
@@ -94,7 +94,7 @@ sys_sigaltstack (const stack_t __user *u
 static long
 restore_sigcontext (struct sigcontext __user *sc, struct sigscratch *scr)
 {
-	unsigned long ip, flags, nat, um, cfm;
+	unsigned long ip, flags, nat, um, cfm, rsc;
 	long err;
 
 	/* Always make any pending restarted system calls return -EINTR */
@@ -106,7 +106,7 @@ restore_sigcontext (struct sigcontext __
 	err |= __get_user(ip, &sc->sc_ip);			/* instruction pointer */
 	err |= __get_user(cfm, &sc->sc_cfm);
 	err |= __get_user(um, &sc->sc_um);			/* user mask */
-	err |= __get_user(scr->pt.ar_rsc, &sc->sc_ar_rsc);
+	err |= __get_user(rsc, &sc->sc_ar_rsc);
 	err |= __get_user(scr->pt.ar_unat, &sc->sc_ar_unat);
 	err |= __get_user(scr->pt.ar_fpsr, &sc->sc_ar_fpsr);
 	err |= __get_user(scr->pt.ar_pfs, &sc->sc_ar_pfs);
@@ -119,6 +119,7 @@ restore_sigcontext (struct sigcontext __
 	err |= __copy_from_user(&scr->pt.r15, &sc->sc_gr[15], 8);	/* r15 */
 
 	scr->pt.cr_ifs = cfm | (1UL << 63);
+	scr->pt.ar_rsc = rsc | (3 << 2); /* force PL3 */
 
 	/* establish new instruction pointer: */
 	scr->pt.cr_iip = ip & ~0x3UL;


