
CVE 2010-3081 changes internal API

On Wed, 22 Sep 2010, Dan Serban wrote:
> On 09/22/10 07:54, Henrique de Moraes Holschuh wrote:
> >On Wed, 22 Sep 2010, Dan Serban wrote:
> >>[1012115.235704] ipmi_devintf: Unknown symbol compat_alloc_user_space
> >This module and the running kernel are not compatible with each other.
> 
> <snip>
> 
> So what you're telling me then, is that a bug needs to be filed
> against the stable kernel?  I can't see stable being stable when
> modules won't load due to a security update.  At least I'd assume
> that a broken kernel implementation needs to be fixed.

compat_alloc_user_space() is only used for syscalls AFAIK.  The rule is: you
do that, you have to track the kernel.  In fact, it is now GPL-only (so, for
example, fglrx needs to be modified as it is forbidden from using
compat_alloc_user_space()).

I'm adding a CC for the Debian kernel ML, just in case.

Summary:
  compat_alloc_user_space() is now EXPORT_SYMBOL_GPL
        * cannot be used by fglrx and other non-GPL modules
        * using arch_compat_alloc_user_space() may reopen CVE-2010-3081
          if the non-GPL module doesn't do access_ok by itself

  compat_alloc_user_space() moved from asm/compat.h to linux/compat.h
        * requires #include changes on out-of-tree modules that use
          compat_alloc_user_space() for them to build

> OT: I've found about 4 major bugs with the lenny implementation
> running in different server roles.  Mainly things that have been

File bugs.  Provide as much information as you can, the most useful being
the commits that you want backported, but if you don't know that, at least
full descriptions of the problem, how to reproduce, and what kernel version
you know fixed it would be helpful.

> While I do understand and agree with the "no need to fix it if it
> ain't broken" mentality, does that mean that lenny does not get
> patched/bugfixed... just security updates?

No.  It does get patched/bugfixed.  That's why we have "point releases", and
that's why it is at 5.0.6 (sixth point release) right now.  But you usually
have to prod maintainers to fix something on stable, unless it is a very big
issue or a security issue.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
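A user-space model of the distinction the summary draws between arch_compat_alloc_user_space() and the exported compat_alloc_user_space(), added here as an illustration; it is not kernel code, not the Debian patch, and not from this thread. Addresses are plain integers, MODEL_TASK_SIZE is an assumed stand-in for the compat TASK_SIZE, and all model_* names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed stand-in for the 32-bit compat TASK_SIZE: user addresses
 * are valid only in [0, MODEL_TASK_SIZE). */
#define MODEL_TASK_SIZE 0xFFFFE000ull

/* Model of access_ok(): true only if [addr, addr + len) lies entirely
 * inside the user range, with no wrap-around. */
static bool model_access_ok(uint64_t addr, uint64_t len)
{
    if (len > MODEL_TASK_SIZE)
        return false;
    return addr <= MODEL_TASK_SIZE - len;
}

/* Model of arch_compat_alloc_user_space(): carve len bytes below the
 * task's saved user stack pointer and hand back the address untouched.
 * user_sp is passed in here; the kernel reads it from pt_regs. Nothing
 * checks that the result is a user address, which is why a caller of
 * this function must do access_ok() itself. */
static uint64_t model_arch_compat_alloc_user_space(uint64_t user_sp,
                                                   uint64_t len)
{
    return (user_sp - len) & ~15ull; /* 16-byte aligned, as on x86-64 */
}

/* Model of the exported compat_alloc_user_space() after the
 * CVE-2010-3081 fix: same carve-out, but the range must pass
 * access_ok() or the call fails with 0 (NULL) instead of returning a
 * pointer that user-copy helpers would then write through. */
static uint64_t model_compat_alloc_user_space(uint64_t user_sp,
                                              uint64_t len)
{
    uint64_t ptr = model_arch_compat_alloc_user_space(user_sp, len);

    if (!model_access_ok(ptr, len))
        return 0;
    return ptr;
}
```

With an ordinary user stack pointer both paths agree; with a saved stack pointer that is not a user address, or one so small that the subtraction wraps, only the checked wrapper refuses the allocation.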

