
Bug#285563: marked as done (kernel-source-2.4.27: drm locking fix missing in 2.4 kernels)



Your message dated Thu, 20 Jan 2005 23:17:45 -0500
with message-id <E1CrqEz-00027a-00@newraff.debian.org>
and subject line Bug#285563: fixed in kernel-source-2.4.27 2.4.27-8
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 14 Dec 2004 06:31:51 +0000
>From dannf@hp.com Mon Dec 13 22:31:51 2004
Content-Type: multipart/mixed; boundary="===============1837287680827107496=="
MIME-Version: 1.0
From: dann frazier <dannf@hp.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kernel-source-2.4.27: drm locking fix missing in 2.4 kernels
X-Mailer: reportbug 3.4
Date: Mon, 13 Dec 2004 23:33:09 -0700
Message-Id: <20041214063309.8705F3B626C@krebs>

This is a multi-part MIME message sent by reportbug.

--===============1837287680827107496==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: kernel
Version: 2.4.27-6
Severity: important

The fix for CAN-2004-1056, added in 2.6.8-11, also applies to 2.4 - however,
I don't think it will compile, because 2.4 doesn't define the
LOCK_TEST_WITH_RETURN() in drmP.h.

from 2.6.8's changelog:
  * [SECURITY] Fix insufficient locking checks in DRM code;
    CAN-2004-1056 (Fabio M. Di Nitto).

I've attached a backport of the patch from 2.6 w/ this macro missing.

Sorry for being lazy and not fixing it myself - I don't have time to look at
it now, but I also didn't want us to collectively forget about it.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: ia64
Kernel: Linux 2.6.9-1-mckinley
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages kernel-source-2.4.27 depends on:
ii  binutils             2.15.90.0.3-0dannf1 The GNU assembler, linker and bina
ii  bzip2                1.0.2-2             high-quality block-sorting file co
ii  coreutils [fileutils 5.2.1-2             The GNU core utilities
ii  fileutils            5.2.1-2             The GNU file management utilities 

-- no debconf information

--===============1837287680827107496==
Content-Type: text/x-c; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="drm-locking-checks-2.4.27.patch"

diff -urN kernel-source-2.4.27.orig/drivers/char/drm/i810_dma.c kernel-source-2.4.27/drivers/char/drm/i810_dma.c
--- kernel-source-2.4.27.orig/drivers/char/drm/i810_dma.c	2004-12-01 03:07:54.000000000 -0700
+++ kernel-source-2.4.27/drivers/char/drm/i810_dma.c	2004-12-13 22:18:50.404864367 -0700
@@ -952,10 +952,7 @@
    	drm_file_t	  *priv	  = filp->private_data;
    	drm_device_t	  *dev	  = priv->dev;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_flush_ioctl called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp );
 
    	i810_flush_queue(dev);
    	return 0;
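Review bot: LOCK_TEST_WITH_RETURN( dev, filp ), first used here in i810_flush_ioctl, is not defined anywhere in this patch, and the report states that 2.4's drmP.h does not provide it, so the tree will not build until a drmP.h hunk adds the macro. That definition is also where the fix itself lives: the removed code only asked, via _DRM_LOCK_IS_HELD, whether the hardware lock was held at all, while the new call also passes filp, which suggests the macro is meant to check that the calling file handle is the holder. Please add the definition to this series so the check can be reviewed together with its call sites.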
@@ -977,10 +974,7 @@
 	if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
 		return -EFAULT;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_dma_vertex called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp );
 
 	if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
 
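Review bot: the bounds check kept as context in this hunk, "if(vertex.idx < 0 || vertex.idx > dma->buf_count)", accepts vertex.idx == dma->buf_count. If idx goes on to index an array of buf_count buffers, that is one element past the end, and ">=" looks like the intended comparison. The lock change does not touch this line, but vertex is copied from user space just above, so it deserves a follow-up patch.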
@@ -1008,10 +1002,7 @@
    	if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
 		return -EFAULT;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_clear_bufs called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp );
 
  	/* GH: Someone's doing nasty things... */
  	if (!dev->dev_private) {
@@ -1030,10 +1021,8 @@
 	drm_file_t *priv = filp->private_data;
 	drm_device_t *dev = priv->dev;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_swap_buf called without lock held\n");
-		return -EINVAL;
-	}
+
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	i810_dma_dispatch_swap( dev );
    	return 0;
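Review bot: whitespace in the hunk replacing the i810_swap_buf check: it adds an empty "+" line ahead of the macro, which leaves two consecutive blank lines, and the added "LOCK_TEST_WITH_RETURN( dev, filp ); " line ends in a trailing space. The same trailing space is on the added line of most later hunks, while the first three hunks are clean. Drop the extra blank line and strip the trailing whitespace so the backport is consistent.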
@@ -1068,10 +1057,7 @@
    	if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
 		return -EFAULT;
 
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_dma called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	d.granted = 0;
 
@@ -1179,10 +1165,7 @@
 		return -EFAULT;
 
 
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_dma_mc called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
 		mc.last_render );
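Review bot: mc.idx is used as dma->buflist[mc.idx] right after the lock test, and no range check on it is visible in this hunk. The "return -EFAULT" above suggests mc has just been copied from user space, so unless idx is validated earlier in the function, add a check against dma->buf_count before the call to i810_dma_dispatch_mc, along the lines of the one the vertex ioctl applies to vertex.idx.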
@@ -1227,10 +1210,7 @@
 	drm_device_t *dev = priv->dev;
 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
 
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_fstatus called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 	return I810_READ(0x30008);
 }
 
@@ -1241,10 +1221,7 @@
 	drm_device_t *dev = priv->dev;
 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
 
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_ov0_flip called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	//Tell the overlay to update
 	I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
diff -urN kernel-source-2.4.27.orig/drivers/char/drm/i830_dma.c kernel-source-2.4.27/drivers/char/drm/i830_dma.c
--- kernel-source-2.4.27.orig/drivers/char/drm/i830_dma.c	2004-02-18 06:36:31.000000000 -0700
+++ kernel-source-2.4.27/drivers/char/drm/i830_dma.c	2004-12-13 22:15:53.955647778 -0700
@@ -1330,10 +1330,7 @@
    	drm_file_t	  *priv	  = filp->private_data;
    	drm_device_t	  *dev	  = priv->dev;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_flush_ioctl called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
    	i830_flush_queue(dev);
    	return 0;
@@ -1354,10 +1351,7 @@
 	if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex)))
 		return -EFAULT;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_dma_vertex called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
 		  vertex.idx, vertex.used, vertex.discard);
@@ -1384,10 +1378,7 @@
    	if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear)))
 		return -EFAULT;
    
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_clear_bufs called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	/* GH: Someone's doing nasty things... */
 	if (!dev->dev_private) {
@@ -1409,10 +1400,7 @@
    
 	DRM_DEBUG("i830_swap_bufs\n");
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_swap_buf called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	i830_dma_dispatch_swap( dev );
    	return 0;
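Review bot: the removed message here says "i830_swap_buf" while the DRM_DEBUG just above it says "i830_swap_bufs", which is the kind of drift hand-written strings produce, and every hunk in this patch deletes a diagnostic that named its ioctl. When the macro definition is added, have it log __FUNCTION__, as the DRM_ERROR in the i830_irq.c context already does, so the error still identifies which ioctl was called without the lock.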
@@ -1453,10 +1441,7 @@
 
 	DRM_DEBUG("%s\n", __FUNCTION__);
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_flip_buf called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	if (!dev_priv->page_flipping) 
 		i830_do_init_pageflip( dev );
@@ -1495,10 +1480,7 @@
    	if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d)))
 		return -EFAULT;
    
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_dma called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 	
 	d.granted = 0;
 
diff -urN kernel-source-2.4.27.orig/drivers/char/drm/i830_irq.c kernel-source-2.4.27/drivers/char/drm/i830_irq.c
--- kernel-source-2.4.27.orig/drivers/char/drm/i830_irq.c	2003-11-28 11:26:20.000000000 -0700
+++ kernel-source-2.4.27/drivers/char/drm/i830_irq.c	2004-12-13 22:15:53.965413403 -0700
@@ -130,10 +130,7 @@
 	drm_i830_irq_emit_t emit;
 	int result;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_irq_emit called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	if ( !dev_priv ) {
 		DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );

--===============1837287680827107496==--

---------------------------------------
Received: (at 285563-close) by bugs.debian.org; 21 Jan 2005 04:23:06 +0000
>From katie@ftp-master.debian.org Thu Jan 20 20:23:06 2005
From: Simon Horman <horms@debian.org>
To: 285563-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#285563: fixed in kernel-source-2.4.27 2.4.27-8
Message-Id: <E1CrqEz-00027a-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 20 Jan 2005 23:17:45 -0500

Source: kernel-source-2.4.27
Source-Version: 2.4.27-8

We believe that the bug you reported is fixed in the latest version of
kernel-source-2.4.27, which is due to be installed in the Debian FTP archive:

kernel-doc-2.4.27_2.4.27-8_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-doc-2.4.27_2.4.27-8_all.deb
kernel-patch-debian-2.4.27_2.4.27-8_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-patch-debian-2.4.27_2.4.27-8_all.deb
kernel-source-2.4.27_2.4.27-8.diff.gz
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-8.diff.gz
kernel-source-2.4.27_2.4.27-8.dsc
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-8.dsc
kernel-source-2.4.27_2.4.27-8_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-8_all.deb
kernel-tree-2.4.27_2.4.27-8_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-tree-2.4.27_2.4.27-8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 285563@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.4.27 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 18 Jan 2005 17:15:51 +0900
Source: kernel-source-2.4.27
Binary: kernel-tree-2.4.27 kernel-source-2.4.27 kernel-patch-debian-2.4.27 kernel-doc-2.4.27
Architecture: source all
Version: 2.4.27-8
Distribution: unstable
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description: 
 kernel-doc-2.4.27 - Linux kernel specific documentation for version 2.4.27
 kernel-patch-debian-2.4.27 - Debian patches to Linux 2.4.27
 kernel-source-2.4.27 - Linux kernel source for version 2.4.27 with Debian patches
 kernel-tree-2.4.27 - Linux kernel tree for building prepackaged Debian kernel images
Closes: 285521 285563 288046 288272 288279 288712 289202 289517 289682 290013 290039
Changes: 
 kernel-source-2.4.27 (2.4.27-8) unstable; urgency=high
 .
   * add dh_fixperms to the build targets to kernel-patch-debian-2.4.27
     to ensure that the permissions of the files in this package are
     sensible. (closes: Bug#288279) (Simon Horman)
   * Turn a make conditional into a runtime conditional to allow debian/rules
     prune to work. (closes: #289682) (Joshua Kwan)
 .
   Patches applied:
 .
   * 121_drm-locking-checks-1.diff, 121_drm-locking-checks-2.diff:
     [SECURITY] Fix insufficient locking checks in DRM code; CAN-2004-1056
     (Fabio M. Di Nitto, Dann Frazier, Simon Horman). (closes: Bug#285563)
   * 122_sec_brk-locked.diff
     [SECURITY] Fix vulnerability in the ELF loader code allowing
     local attacker to execute code as root; CAN-2004-1235. This is better
     known as the "uselib() bug". (closes: #289202) (Maximilian Attems)
   * 123_nfs_verify_eacces.diff
     Return -EACCES instead of -ESTALE to fix some NFS data loss bugs, already
     fixed in 2.6 but not in 2.4. (closes: #288046) (Joshua Kwan)
   * 124_random_poolsize_overflow.diff
     [SECURITY] Fix integer overflow in random poolsize sysctl. (Simon Horman)
   * 125_moxa_bound_checking.diff
     [SECURITY] Fix bounds checking in moxa serial driver. (Simon Horman)
   * 126_rlimit_memlock_dos.diff
     [SECURITY] Fix RLIMIT_MEMLOCK local DoS (Simon Horman)
   * 127_fs_coda_coverty.diff
     [SECURITY] Untrusted user data in kernel. (Maxmilian Attems)
   * 128_net_fose_coverty.diff
     [SECURITY] Fix Coverity reported lack of bounds checking rose_rt_ioctl.
     (Maximilian Attems)
   * 129_net_sdla_coverty.diff
     [SECURITY] Fix sdla_xfer lack of bounds checking, reported by Coverity.
     (Maximilian Attems)
   * 130_fs_xfs_coverty.diff
     [SECURITY] Fix xfs_attrmulti_by_handle lack of bounds checking, reported
     by Coverity. (Maximilian Attems)
   * 131_expand_stack_race.diff
     [SECURITY] Fix expand_stack race in mm.h; see CAN-2005-0001.
   * 127_acpi_off.diff
     Do not do acpi_early_init() if acpi=off is in effect.
     (closes: #290039, #290013, #289517, #288712, #285521, #288272)
     (Simon Horman)
   * 133_strncpy_zero_pad.diff
     [SECURITY] Make sure strncpy null terminates strings. (CAN-2003-0465)
     Fix for s390x, ppc64 and s390. mips and alpha are still unfixed.
     N.B. This bug appears to be minor at best
     http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2
     (See: #280492) (Simon Horman)
Files: 
 97a63b4b0cc25c21e5609fe7c2897caa 886 devel optional kernel-source-2.4.27_2.4.27-8.dsc
 8deef7c6d5f1ebd677253e4a3d326c4a 783407 devel optional kernel-source-2.4.27_2.4.27-8.diff.gz
 ab7999be4aeddae6e37ccaf2f397459f 581928 devel optional kernel-patch-debian-2.4.27_2.4.27-8_all.deb
 2f63270d257f724340f0a4f410fcb373 3576122 doc optional kernel-doc-2.4.27_2.4.27-8_all.deb
 0152552abefd29eb1c39d88e620fb8a8 31048618 devel optional kernel-source-2.4.27_2.4.27-8_all.deb
 d6f3103bc5394fefccdcbe070aefcd36 21286 devel optional kernel-tree-2.4.27_2.4.27-8_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB724Rdu+M6Iexz7URAjijAJ4hi05/cAN+LPp98oTvzZhgsYkTqQCePK3u
ev8Lo7eV6856leEC/UAWtj4=
=NBFC
-----END PGP SIGNATURE-----


