
Re: Preparing the first security update for kernel-source-2.6.8



On Wed, 2005-06-29 at 16:09 +0900, Horms wrote:
> On Wed, Jun 29, 2005 at 11:14:20AM +0900, Horms wrote:
> > On Tue, Jun 28, 2005 at 10:36:15PM +0200, Frederik Schueler wrote:
> > > Hello,
> > > 
> > > I would like to start preparing a security update for kernel-source-2.6.8
> > > in sarge, which was released with version 2.6.8-16. 
> > > 
> > > In sarge-security we have an old 2.6.15sarge1 which never got released.
> > > 
> > > Does anyone object if I update those sources to the revision in sarge,
> > > and we start building 2.6.8-16sarge1 from it?
> > > 
> > > I already got some patches from the ubuntu 2.6.8 kernel package addressing 
> > > the following 5 issues:
> > > 
> > > CAN-2005-0756
> > > CAN-2005-1265
> > > CAN-2005-1762
> > > CAN-2005-1763
> > > CAN-2005-1765
> > > 
> > > and these 3 still need to be addressed:
> > > 
> > > CAN-2005-1764
> > > CAN-2005-0449 #295949
> > > CAN-2005-0356 #310804
> > > 
> > > 
> > > if nobody objects, I would like to commit my changes.
> 
> Dann, could you comment on the need for backporting the patch below
> from 2.6.12.1. It does not apply cleanly to 2.6.8, as there
> seem to have been a bunch of other patches in the meantime.

hey Horms,
  This patch appears to be relevant for 2.6.8.  It depends on two
earlier patches, one of which fixes what looks like another security
issue to me: the kernel accesses unchecked addresses provided by
userspace[1].

  I've backported the fix for CAN-2005-1764 to our 2.6.8 with [1]
applied (attached).  I'd recommend applying both of these patches to our
tree.  Any objections?

[1] http://linux.bkbits.net:8080/linux-2.6/cset@41622201CGDoSbV0q05ufKpwRSomYQ?nav=index.html|src/|src/arch|src/arch/ia64|src/arch/ia64/kernel|related/arch/ia64/kernel/ptrace.c

diff -urN kernel-source-2.6.8+ia64-ptrace-check-user-mem.patch/arch/ia64/kernel/ptrace.c kernel-source-2.6.8/arch/ia64/kernel/ptrace.c
--- kernel-source-2.6.8+ia64-ptrace-check-user-mem.patch/arch/ia64/kernel/ptrace.c	2005-07-07 15:01:35.176735252 -0600
+++ kernel-source-2.6.8/arch/ia64/kernel/ptrace.c	2005-07-07 14:59:29.594705540 -0600
@@ -841,6 +841,13 @@
 				*data = (pt->cr_ipsr & IPSR_READ_MASK);
 			return 0;
 
+		      case PT_AR_RSC:
+			if (write_access)
+				pt->ar_rsc = *data | (3 << 2); /* force PL3 */
+			else
+				*data = pt->ar_rsc;
+			return 0;
+
 		      case PT_AR_RNAT:
 			urbs_end = ia64_get_user_rbs_end(child, pt, NULL);
 			rnat_addr = (long) ia64_rse_rnat_addr((long *) urbs_end);
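Review bot: The privilege-level mask `(3 << 2)` on the new PT_AR_RSC write path is a bare magic number, and the same literal is repeated in the signal.c hunk at `scr->pt.ar_rsc = rsc | (3 << 2);`, so the two places that must agree on "which bits of ar.rsc are the PL field" can drift apart. A named constant in a shared header (placeholder name, e.g. `IA64_RSC_PL3_MASK`) used by both would keep the invariant in one place. The `/* force PL3 */` comment also says what but not why; something like `/* the PL field of ar.rsc comes from the tracer: pin it to 3 so a debugger cannot hand the tracee a lower (more privileged) register-stack level */` would make the intent survive the next refactor (presumably this is the CAN-2005-1764 point the cover mail refers to). access_uarea's body starts and ends outside this hunk.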
@@ -896,9 +903,6 @@
 			ptr = (unsigned long *)
 				((long) pt + offsetof(struct pt_regs, ar_bspstore));
 			break;
-		      case PT_AR_RSC:
-			ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_rsc));
-			break;
 		      case PT_AR_UNAT:
 			ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_unat));
 			break;
@@ -1131,7 +1135,7 @@
 static long
 ptrace_setregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
 {
-	unsigned long psr, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
+	unsigned long psr, rsc, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
 	struct unw_frame_info info;
 	struct switch_stack *sw;
 	struct ia64_fpreg fpval;
@@ -1168,7 +1172,7 @@
 	/* app regs */
 
 	retval |= __get_user(pt->ar_pfs, &ppr->ar[PT_AUR_PFS]);
-	retval |= __get_user(pt->ar_rsc, &ppr->ar[PT_AUR_RSC]);
+	retval |= __get_user(rsc, &ppr->ar[PT_AUR_RSC]);
 	retval |= __get_user(pt->ar_bspstore, &ppr->ar[PT_AUR_BSPSTORE]);
 	retval |= __get_user(pt->ar_unat, &ppr->ar[PT_AUR_UNAT]);
 	retval |= __get_user(pt->ar_ccv, &ppr->ar[PT_AUR_CCV]);
@@ -1261,6 +1265,7 @@
 	retval |= __get_user(nat_bits, &ppr->nat);
 
 	retval |= access_uarea(child, PT_CR_IPSR, &psr, 1);
+	retval |= access_uarea(child, PT_AR_RSC, &rsc, 1);
 	retval |= access_uarea(child, PT_AR_EC, &ec, 1);
 	retval |= access_uarea(child, PT_AR_LC, &lc, 1);
 	retval |= access_uarea(child, PT_AR_RNAT, &rnat, 1);
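Review bot: The reason ar.rsc is now routed through `access_uarea(child, PT_AR_RSC, &rsc, 1)` instead of being stored directly by `__get_user` as its neighbours are (the hunk at `retval |= __get_user(rsc, &ppr->ar[PT_AUR_RSC]);`) is not stated anywhere in ptrace_setregs, and a later reader may "simplify" it back. A one-line comment on the new call, `/* ar.rsc must go through access_uarea so its PL field is forced to 3 */`, would document the invariant. Note that `rsc` is declared without an initializer and, like psr/ec/lc here, is still passed to access_uarea when an earlier `__get_user` has failed; that matches the existing pattern and is presumably harmless because retval is checked afterwards, but I cannot see the return path in this hunk. ptrace_setregs begins in an earlier hunk and ends outside this one.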
diff -urN kernel-source-2.6.8+ia64-ptrace-check-user-mem.patch/arch/ia64/kernel/signal.c kernel-source-2.6.8/arch/ia64/kernel/signal.c
--- kernel-source-2.6.8+ia64-ptrace-check-user-mem.patch/arch/ia64/kernel/signal.c	2005-05-19 04:52:24.000000000 -0600
+++ kernel-source-2.6.8/arch/ia64/kernel/signal.c	2005-07-07 14:40:16.493157166 -0600
@@ -95,7 +95,7 @@
 static long
 restore_sigcontext (struct sigcontext *sc, struct sigscratch *scr)
 {
-	unsigned long ip, flags, nat, um, cfm;
+	unsigned long ip, flags, nat, um, cfm, rsc;
 	long err;
 
 	/* Always make any pending restarted system calls return -EINTR */
@@ -107,7 +107,7 @@
 	err |= __get_user(ip, &sc->sc_ip);			/* instruction pointer */
 	err |= __get_user(cfm, &sc->sc_cfm);
 	err |= __get_user(um, &sc->sc_um);			/* user mask */
-	err |= __get_user(scr->pt.ar_rsc, &sc->sc_ar_rsc);
+	err |= __get_user(rsc, &sc->sc_ar_rsc);
 	err |= __get_user(scr->pt.ar_unat, &sc->sc_ar_unat);
 	err |= __get_user(scr->pt.ar_fpsr, &sc->sc_ar_fpsr);
 	err |= __get_user(scr->pt.ar_pfs, &sc->sc_ar_pfs);
@@ -120,6 +120,7 @@
 	err |= __copy_from_user(&scr->pt.r15, &sc->sc_gr[15], 8);	/* r15 */
 
 	scr->pt.cr_ifs = cfm | (1UL << 63);
+	scr->pt.ar_rsc = rsc | (3 << 2); /* force PL3 */
 
 	/* establish new instruction pointer: */
 	scr->pt.cr_iip = ip & ~0x3UL;
