Re: Preparing the first security update for kernel-source-2.6.8
On Wed, 2005-06-29 at 16:09 +0900, Horms wrote:
> On Wed, Jun 29, 2005 at 11:14:20AM +0900, Horms wrote:
> > On Tue, Jun 28, 2005 at 10:36:15PM +0200, Frederik Schueler wrote:
> > > Hello,
> > >
> > > I would like to start preparing a security update for kernel-source-2.6.8
> > > in sarge, which was released with version 2.6.8-16.
> > >
> > > In sarge-security we have an old 2.6.15sarge1 which never got released.
> > >
> > > Does anyone object if I update those sources to the revision in sarge,
> > > and we start building 2.6.8-16sarge1 from it?
> > >
> > > I already got some patches from the ubuntu 2.6.8 kernel package addressing
> > > the following 5 issues:
> > >
> > > CAN-2005-0756
> > > CAN-2005-1265
> > > CAN-2005-1762
> > > CAN-2005-1763
> > > CAN-2005-1765
> > >
> > > and these 3 still need to be addressed:
> > >
> > > CAN-2005-1764
> > > CAN-2005-0449 #295949
> > > CAN-2005-0356 #310804
> > >
> > >
> > > if nobody objects, I would like to commit my changes.
>
> Dann, could you comment on the need for backporting the patch below
> from 2.6.12.1. It does not apply cleanly to 2.6.8, as there
> seem to have been a bunch of other patches in the meantime.
hey Horms,
This patch appears to be relevant for 2.6.8. It depends on two
earlier patches, one of which fixes what looks like another security
issue to me: the kernel is accessing unchecked addresses provided by
userspace[1].
I've backported the fix for CAN-2005-1764 to our 2.6.8 with [1]
applied (attached). I'd recommend applying both of these patches to our
tree. Any objections?
[1] http://linux.bkbits.net:8080/linux-2.6/cset@41622201CGDoSbV0q05ufKpwRSomYQ?nav=index.html|src/|src/arch|src/arch/ia64|src/arch/ia64/kernel|related/arch/ia64/kernel/ptrace.c
diff -urN kernel-source-2.6.8+ia64-ptrace-check-user-mem.patch/arch/ia64/kernel/ptrace.c kernel-source-2.6.8/arch/ia64/kernel/ptrace.c
--- kernel-source-2.6.8+ia64-ptrace-check-user-mem.patch/arch/ia64/kernel/ptrace.c 2005-07-07 15:01:35.176735252 -0600
+++ kernel-source-2.6.8/arch/ia64/kernel/ptrace.c 2005-07-07 14:59:29.594705540 -0600
@@ -841,6 +841,13 @@
*data = (pt->cr_ipsr & IPSR_READ_MASK);
return 0;
+ case PT_AR_RSC:
+ if (write_access)
+ pt->ar_rsc = *data | (3 << 2); /* force PL3 */
+ else
+ *data = pt->ar_rsc;
+ return 0;
+
case PT_AR_RNAT:
urbs_end = ia64_get_user_rbs_end(child, pt, NULL);
rnat_addr = (long) ia64_rse_rnat_addr((long *) urbs_end);
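Review bot: The literal `3 << 2` that forces the privilege level on the write path of the new `PT_AR_RSC` case is duplicated in restore_sigcontext (signal.c, the `@@ -120,6 +120,7 @@` hunk) with only the terse `/* force PL3 */` at both sites; a single named constant in a shared header, e.g. `#define AR_RSC_PL3 (3UL << 2) /* constructed name */`, would keep the two sites from drifting apart. The comment should also say what is being protected: `/* ar.rsc.pl (bits 3:2) is forced to 3 so register values supplied by a tracer cannot run the RSE at a privilege level above user mode */`. Using `3UL << 2` rather than `3 << 2` also matches the unsigned long type of `ar_rsc` and `*data`, though the int form is harmless for this small positive value. access_uarea's body starts and ends outside this hunk.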
@@ -896,9 +903,6 @@
ptr = (unsigned long *)
((long) pt + offsetof(struct pt_regs, ar_bspstore));
break;
- case PT_AR_RSC:
- ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_rsc));
- break;
case PT_AR_UNAT:
ptr = (unsigned long *) ((long) pt + offsetof(struct pt_regs, ar_unat));
break;
@@ -1131,7 +1135,7 @@
static long
ptrace_setregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
{
- unsigned long psr, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
+ unsigned long psr, rsc, ec, lc, rnat, bsp, cfm, nat_bits, val = 0;
struct unw_frame_info info;
struct switch_stack *sw;
struct ia64_fpreg fpval;
@@ -1168,7 +1172,7 @@
/* app regs */
retval |= __get_user(pt->ar_pfs, &ppr->ar[PT_AUR_PFS]);
- retval |= __get_user(pt->ar_rsc, &ppr->ar[PT_AUR_RSC]);
+ retval |= __get_user(rsc, &ppr->ar[PT_AUR_RSC]);
retval |= __get_user(pt->ar_bspstore, &ppr->ar[PT_AUR_BSPSTORE]);
retval |= __get_user(pt->ar_unat, &ppr->ar[PT_AUR_UNAT]);
retval |= __get_user(pt->ar_ccv, &ppr->ar[PT_AUR_CCV]);
@@ -1261,6 +1265,7 @@
retval |= __get_user(nat_bits, &ppr->nat);
retval |= access_uarea(child, PT_CR_IPSR, &psr, 1);
+ retval |= access_uarea(child, PT_AR_RSC, &rsc, 1);
retval |= access_uarea(child, PT_AR_EC, &ec, 1);
retval |= access_uarea(child, PT_AR_LC, &lc, 1);
retval |= access_uarea(child, PT_AR_RNAT, &rnat, 1);
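Review bot: The `rsc` value read by `__get_user(rsc, &ppr->ar[PT_AUR_RSC])` in the `@@ -1168,7 +1172,7 @@` hunk is deliberately not stored into `pt->ar_rsc` but routed through `access_uarea(child, PT_AR_RSC, &rsc, 1)` here, and nothing in either hunk explains the detour, so a later cleanup could "simplify" it back to a direct store and silently undo the fix. A one-line comment on the access_uarea call would pin the intent: `/* via access_uarea: its PT_AR_RSC case forces ar.rsc.pl to 3 */`. Note that `rsc` is used here even if the earlier `__get_user` failed; that matches how the other registers in this function are handled, since `retval` accumulates the errors, but it is worth stating. ptrace_setregs's body continues outside both hunks.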
diff -urN kernel-source-2.6.8+ia64-ptrace-check-user-mem.patch/arch/ia64/kernel/signal.c kernel-source-2.6.8/arch/ia64/kernel/signal.c
--- kernel-source-2.6.8+ia64-ptrace-check-user-mem.patch/arch/ia64/kernel/signal.c 2005-05-19 04:52:24.000000000 -0600
+++ kernel-source-2.6.8/arch/ia64/kernel/signal.c 2005-07-07 14:40:16.493157166 -0600
@@ -95,7 +95,7 @@
static long
restore_sigcontext (struct sigcontext *sc, struct sigscratch *scr)
{
- unsigned long ip, flags, nat, um, cfm;
+ unsigned long ip, flags, nat, um, cfm, rsc;
long err;
/* Always make any pending restarted system calls return -EINTR */
@@ -107,7 +107,7 @@
err |= __get_user(ip, &sc->sc_ip); /* instruction pointer */
err |= __get_user(cfm, &sc->sc_cfm);
err |= __get_user(um, &sc->sc_um); /* user mask */
- err |= __get_user(scr->pt.ar_rsc, &sc->sc_ar_rsc);
+ err |= __get_user(rsc, &sc->sc_ar_rsc);
err |= __get_user(scr->pt.ar_unat, &sc->sc_ar_unat);
err |= __get_user(scr->pt.ar_fpsr, &sc->sc_ar_fpsr);
err |= __get_user(scr->pt.ar_pfs, &sc->sc_ar_pfs);
@@ -120,6 +120,7 @@
err |= __copy_from_user(&scr->pt.r15, &sc->sc_gr[15], 8); /* r15 */
scr->pt.cr_ifs = cfm | (1UL << 63);
+ scr->pt.ar_rsc = rsc | (3 << 2); /* force PL3 */
/* establish new instruction pointer: */
scr->pt.cr_iip = ip & ~0x3UL;