Version in base suite: 2.6.8-17 Version in overlay suite: 2.6.8-17sarge1 Base version: kernel-source-2.6.8_2.6.8-17 Target version: kernel-source-2.6.8_2.6.8-17sarge1 Base file: /org/ftp.debian.org/ftp/pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-17.dsc Target file: /org/ftp.debian.org/ftp/pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-17sarge1.dsc diff -u kernel-source-2.6.8-2.6.8/debian/changelog kernel-source-2.6.8-2.6.8/debian/changelog --- kernel-source-2.6.8-2.6.8/debian/changelog +++ kernel-source-2.6.8-2.6.8/debian/changelog 
@@ -1,3 +1,81 @@ +kernel-source-2.6.8 (2.6.8-17sarge1) oldstable-security; urgency=high + + * compat_sys_mount-NULL-data_page.dpatch + [SECURITY] Fix oops in compat_sys_mount triggered by NULL data_page + See CVE-2006-7203 + * pppoe-socket-release-mem-leak.dpatch + [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released + after connect but before PPPIOCGCHAN ioctl is called upon it + See CVE-2007-2525 + * dn_fib-out-of-bounds.dpatch, ipv4-fib_props-out-of-bounds.dpatch + [SECURITY] Fix out of bounds condition in dn_fib_props[] + See CVE-2007-2172 + * aacraid-ioctl-perm-check.dpatch + [SECURITY] Require admin capabilities to issue ioctls to aacraid devices + See CVE-2007-4308 + * reset-pdeathsig-on-suid.dpatch + [SECURITY] Fix potential privilege escalation caused by improper + clearing of the child process' pdeath signal. + See CVE-2007-3848 + * bluetooth-l2cap-hci-info-leaks.dpatch + [SECURITY] Fix information leaks in setsockopt() implementations + See CVE-2007-1353 + * coredump-only-to-same-uid.dpatch + [SECURITY] Fix an issue where core dumping over a file that + already exists retains the ownership of the original file + See CVE-2007-6206 + * i4l-isdn_ioctl-mem-overrun.dpatch + [SECURITY] Fix potential isdn ioctl memory overrun + See CVE-2007-6151 + * cramfs-check-block-length.dpatch + [SECURITY] Add a sanity check of the block length in cramfs_readpage to + avoid a potential oops condition + See CVE-2006-5823 + * ext2-skip-pages-past-num-blocks.dpatch + [SECURITY] Add some sanity checking for a corrupted i_size in + ext2_find_entry() + See CVE-2006-6054 + * minixfs-printk-hang.dpatch + [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs + filesystem that would otherwise cause a system to hang (printk storm) + See CVE-2006-6058 + * isdn-net-overflow.dpatch + [SECURITY] Fix potential overflows in the ISDN subsystem + See CVE-2007-6063 + * prevent-stack-growth-into-hugetlb-region.dpatch + [SECURITY] Prevent OOPS during stack 
expansion when the VMA crosses + into address space reserved for hugetlb pages. + See CVE-2007-3739 + * cifs-honor-umask.dpatch + [SECURITY] Make CIFS honor a process' umask + See CVE-2007-3740 + * hugetlb-prio_tree-unit-fix.dpatch + [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree + which could be used to trigger a BUG_ON() call in exit_mmap. + See CVE-2007-4133 + * amd64-zero-extend-32bit-ptrace.dpatch + [SECURITY] Zero extend all registers after ptrace in 32-bit entry path. + See CVE-2007-4573 + * usb-pwc-disconnect-block.dpatch + [SECURITY] Fix issue with unplugging webcams that use the pwc driver. + If userspace still has the device open it can result, the driver would + wait for the device to close, blocking the USB subsystem. + See CVE-2007-5093 + * powerpc-chrp-null-deref.dpatch + [SECURITY][powerpc] Fix NULL pointer dereference if get_property + fails on the subarchitecture + See CVE-2007-6694 + * random-bound-check-ordering.dpatch + [SECURITY] Fix stack-based buffer overflow in the random number + generator + See CVE-2007-3105 + * mmap-VM_DONTEXPAND.dpatch + [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register + a fault handler but do not bounds check the offset argument + See CVE-2008-0007 + + -- dann frazier Tue, 19 Feb 2008 00:49:53 -0700 + kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high [ Simon Horman ] only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/pppoe-socket-release-mem-leak.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/pppoe-socket-release-mem-leak.dpatch 
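Review bot: the changelog entry for pppoe-socket-release-mem-leak.dpatch misspells "unprivileged" as "unpriveleged", and the usb-pwc-disconnect-block entry's second sentence is garbled ("If userspace still has the device open it can result, the driver would wait for the device to close"); suggest "If userspace still has the device open, the driver would wait for it to close, blocking the USB subsystem." The CVE-2007-2172 entry names both dn_fib-out-of-bounds.dpatch and ipv4-fib_props-out-of-bounds.dpatch but describes only dn_fib_props[]; mention fib_props[] in net/ipv4 as well, since that is what the second patch fixes.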
@@ -0,0 +1,42 @@ +From: Florian Zumbiehl +Date: Fri, 20 Apr 2007 23:58:14 +0000 (-0700) +Subject: [PPPOE]: memory leak when socket is release()d before PPPIOCGCHAN has been called ... +X-Git-Tag: v2.6.22-rc1~1128^2~92 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=202a03acf9994076055df40ae093a5c5474ad0bd + +[PPPOE]: memory leak when socket is release()d before PPPIOCGCHAN has been called on it + +below you find a patch that fixes a memory leak when a PPPoE socket is +release()d after it has been connect()ed, but before the PPPIOCGCHAN ioctl +ever has been called on it. + +This is somewhat of a security problem, too, since PPPoE sockets can be +created by any user, so any user can easily allocate all the machine's +RAM to non-swappable address space and thus DoS the system. + +Is there any specific reason for PPPoE sockets being available to any +unprivileged process, BTW? After all, you need a packet socket for the +discovery stage anyway, so it's unlikely that any unprivileged process +will ever need to create a PPPoE socket, no? Allocating all session IDs +for a known AC is a kind of DoS, too, after all - with Juniper ERXes, +this is really easy, actually, since they don't ever assign session ids +above 8000 ... + +Signed-off-by: Florian Zumbiehl +Acked-by: Michal Ostrowski +Signed-off-by: David S. Miller +--- + +diff --git a/drivers/net/pppox.c b/drivers/net/pppox.c +index 9315046..3f8115d 100644 +--- a/drivers/net/pppox.c ++++ b/drivers/net/pppox.c +@@ -58,7 +58,7 @@ void pppox_unbind_sock(struct sock *sk) + { + /* Clear connection to ppp device, if attached. 
*/ + +- if (sk->sk_state & (PPPOX_BOUND | PPPOX_ZOMBIE)) { ++ if (sk->sk_state & (PPPOX_BOUND | PPPOX_CONNECTED | PPPOX_ZOMBIE)) { + ppp_unregister_channel(&pppox_sk(sk)->chan); + sk->sk_state = PPPOX_DEAD; + } only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/bluetooth-l2cap-hci-info-leaks.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-l2cap-hci-info-leaks.dpatch 
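Review bot: this dpatch carries no "Backported to Debian's 2.6.8 by ..." line and no Debian-tree diff header, unlike the other patches in this series, although the upstream commit is tagged v2.6.22-rc1; add the provenance note and confirm the hunk applies to drivers/net/pppox.c in 2.6.8 with the same context. On the change itself, widening the mask to `PPPOX_BOUND | PPPOX_CONNECTED | PPPOX_ZOMBIE` makes pppox_unbind_sock unregister the channel for a socket that was connect()ed but never had PPPIOCGCHAN called on it, which is exactly the leaked case the commit message describes; confirm that ppp_unregister_channel in this tree is safe to call on a channel that was registered but never bound to a ppp unit.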
@@ -0,0 +1,62 @@ +From: Marcel Holtmann +Date: Fri, 4 May 2007 22:35:59 +0000 (+0200) +Subject: [Bluetooth] Fix L2CAP and HCI setsockopt() information leaks +X-Git-Tag: v2.6.22-rc1~822^2~2^2~6 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0878b6667f28772aa7d6b735abff53efc7bf6d91 + +[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks + +The L2CAP and HCI setsockopt() implementations have a small information +leak that makes it possible to leak kernel stack memory to userspace. + +If the optlen parameter is 0, no data will be copied by copy_from_user(), +but the uninitialized stack buffer will be read and stored later. A call +to getsockopt() can now retrieve the leaked information. + +To fix this problem the stack buffer given to copy_from_user() must be +initialized with the current settings. + +Signed-off-by: Marcel Holtmann +--- + +Backported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/net/bluetooth/hci_sock.c kernel-source-2.6.8/net/bluetooth/hci_sock.c +--- kernel-source-2.6.8.orig/net/bluetooth/hci_sock.c 2004-08-13 23:37:14.000000000 -0600 ++++ kernel-source-2.6.8/net/bluetooth/hci_sock.c 2007-09-11 00:01:19.143775861 -0600 +@@ -471,6 +471,15 @@ int hci_sock_setsockopt(struct socket *s + break; + + case HCI_FILTER: ++ { ++ struct hci_filter *f = &hci_pi(sk)->filter; ++ ++ uf.type_mask = f->type_mask; ++ uf.opcode = f->opcode; ++ uf.event_mask[0] = *((u32 *) f->event_mask + 0); ++ uf.event_mask[1] = *((u32 *) f->event_mask + 1); ++ } ++ + len = min_t(unsigned int, len, sizeof(uf)); + if (copy_from_user(&uf, optval, len)) { + err = -EFAULT; +diff -urpN kernel-source-2.6.8.orig/net/bluetooth/l2cap.c kernel-source-2.6.8/net/bluetooth/l2cap.c +--- kernel-source-2.6.8.orig/net/bluetooth/l2cap.c 2004-08-13 23:37:26.000000000 -0600 ++++ kernel-source-2.6.8/net/bluetooth/l2cap.c 2007-09-11 00:21:15.495780084 -0600 +@@ -759,11 +759,16 @@ static int 
l2cap_sock_setsockopt(struct + + switch (optname) { + case L2CAP_OPTIONS: ++ opts.imtu = l2cap_pi(sk)->imtu; ++ opts.omtu = l2cap_pi(sk)->omtu; ++ opts.flush_to = l2cap_pi(sk)->flush_to; ++ + len = min_t(unsigned int, sizeof(opts), optlen); + if (copy_from_user((char *)&opts, optval, len)) { + err = -EFAULT; + break; + } ++ + l2cap_pi(sk)->imtu = opts.imtu; + l2cap_pi(sk)->omtu = opts.omtu; + break; only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/coredump-only-to-same-uid.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/coredump-only-to-same-uid.dpatch @@ -0,0 +1,38 @@ +From: Ingo Molnar +Date: Wed, 28 Nov 2007 12:59:18 +0000 (+0100) +Subject: vfs: coredumping fix +X-Git-Tag: v2.6.24-rc4~82 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=c46f739dd39db3b07ab5deb4e3ec81e1c04a91af + +vfs: coredumping fix + +fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043 + +only allow coredumping to the same uid that the coredumping +task runs under. + +Signed-off-by: Ingo Molnar +Acked-by: Alan Cox +Acked-by: Christoph Hellwig +Acked-by: Al Viro +Signed-off-by: Linus Torvalds +--- + +Adjusted to apply to Debian's 2.6.18 by dann frazier + +diff -urpN linux-source-2.6.18.orig/fs/exec.c linux-source-2.6.18/fs/exec.c +--- linux-source-2.6.18.orig/fs/exec.c 2007-10-03 12:38:15.000000000 -0600 ++++ linux-source-2.6.18/fs/exec.c 2007-12-05 23:41:00.000000000 -0700 +@@ -1524,6 +1524,12 @@ int do_coredump(long signr, int exit_cod + + if (!S_ISREG(inode->i_mode)) + goto close_fail; ++ /* ++ * Dont allow local users get cute and trick others to coredump ++ * into their pre-created files: ++ */ ++ if (inode->i_uid != current->fsuid) ++ goto close_fail; + if (!file->f_op) + goto close_fail; + if (!file->f_op->write) only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/aacraid-ioctl-perm-check.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/aacraid-ioctl-perm-check.dpatch 
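Review bot: in the hci_sock.c hunk, the two assignments that copy `f->event_mask` into `uf.event_mask[0]` and `uf.event_mask[1]` via `*((u32 *) f->event_mask + 0)` and `+ 1` assume the in-kernel filter's event_mask is exactly two 32-bit words laid out like the userspace struct; a one-line comment or a sizeof check would document that. The pre-fill is what closes the leak: with optlen 0, `len = min_t(unsigned int, len, sizeof(uf))` copies nothing, and the old stack contents of uf were stored and later readable through getsockopt.

Review bot: in the l2cap.c hunk, only `imtu`, `omtu` and `flush_to` of `opts` are pre-initialised, and the write-back after copy_from_user stores only imtu and omtu; confirm that struct l2cap_options in the 2.6.8 tree has no further members, since any member not pre-filled is still uninitialised stack when optlen is short. The added blank line after the `}` of the copy_from_user error branch is a stray whitespace change.

Review bot: the coredump-only-to-same-uid dpatch says "Adjusted to apply to Debian's 2.6.18" and its diff headers reference linux-source-2.6.18/fs/exec.c, but this package is kernel-source-2.6.8; either the note is stale or the patch was lifted from the 2.6.18 package, and its context should be checked against 2.6.8's do_coredump. The check itself, `if (inode->i_uid != current->fsuid) goto close_fail;`, sits after the S_ISREG test and before the f_op checks as upstream has it; note that it only affects dumps into a pre-existing file owned by someone else, which is the case the comment describes.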
@@ -0,0 +1,31 @@ +From: Alan Cox +Date: Mon, 23 Jul 2007 13:51:05 +0000 (+0100) +Subject: [SCSI] aacraid: Fix security hole +X-Git-Tag: v2.6.23-rc2~164^2~24 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=60395bb60e0b5e4e0808ac8eb07a92f6c9cdea1f + +[SCSI] aacraid: Fix security hole + +On the SCSI layer ioctl path there is no implicit permissions check for +ioctls (and indeed other drivers implement unprivileged ioctls). aacraid +however allows all sorts of very admin only things to be done so should +check. + +Signed-off-by: Alan Cox +Acked-by: "Salyzyn, Mark" +Signed-off-by: James Bottomley +--- + +Backported to Debian's 2.6.8 by dann frazier + +--- kernel-source-2.6.8/drivers/scsi/aacraid/linit.c.orig 2004-08-13 23:36:56.000000000 -0600 ++++ kernel-source-2.6.8/drivers/scsi/aacraid/linit.c 2007-08-27 23:43:48.695216732 -0600 +@@ -462,6 +462,8 @@ static int aac_cfg_open(struct inode *in + static int aac_cfg_ioctl(struct inode *inode, struct file *file, + unsigned int cmd, unsigned long arg) + { ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; + return aac_do_ioctl(file->private_data, cmd, (void __user *)arg); + } + only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/ipv4-fib_props-out-of-bounds.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/ipv4-fib_props-out-of-bounds.dpatch 
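Review bot: the commit message describes the SCSI-layer ioctl path as lacking a permission check, but the backported hunk guards only aac_cfg_ioctl, the file operation of the aacraid control character device; if drivers/scsi/aacraid/linit.c in 2.6.8 also exposes an aac_ioctl through the SCSI host template, the same `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` belongs there too, otherwise the privileged ioctls remain reachable through the SCSI device nodes. Confirm which entry points the 2.6.8 driver has before merging.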
@@ -0,0 +1,42 @@ +From: Thomas Graf +Date: Sun, 25 Mar 2007 03:32:54 +0000 (-0700) +Subject: [IPv4] fib: Fix out of bound access of fib_props[] +X-Git-Tag: v2.6.21~241^2~12 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a0ee18b9b7d3847976c6fb315c06a34fb296de0e + +[IPv4] fib: Fix out of bound access of fib_props[] + +Fixes a typo which caused fib_props[] to have the wrong size +and makes sure the value used to index the array which is +provided by userspace via netlink is checked to avoid out of +bound access. + +Signed-off-by: Thomas Graf +Signed-off-by: David S. Miller +--- + +Backported to Debian's 2.6.18 by dann frazier , heavily +based upon Tim Gardner's backport for Ubuntu: + http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-edgy.git;a=commitdiff;h=6e87288e83ac08e7154980795622efdafd49c9c8 + +--- linux-source-2.6.18.orig/net/ipv4/fib_semantics.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/net/ipv4/fib_semantics.c 2007-08-27 22:15:04.678316443 -0600 +@@ -88,7 +88,7 @@ static const struct + { + int error; + u8 scope; +-} fib_props[RTA_MAX + 1] = { ++} fib_props[RTN_MAX + 1] = { + { + .error = 0, + .scope = RT_SCOPE_NOWHERE, +@@ -662,6 +662,9 @@ fib_create_info(const struct rtmsg *r, s + u32 mp_alg = IP_MP_ALG_NONE; + #endif + ++ if (r->rtm_type > RTN_MAX) ++ goto err_inval; ++ + /* Fast check to catch the most weird cases */ + if (fib_props[r->rtm_type].scope > r->rtm_scope) + goto err_inval; only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/cramfs-check-block-length.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch 
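Review bot: as with the coredump patch, the header says "Backported to Debian's 2.6.18" and the diff paths are linux-source-2.6.18/net/ipv4/fib_semantics.c while the package is 2.6.8, so the context of both hunks should be checked against the 2.6.8 file. The added `if (r->rtm_type > RTN_MAX) goto err_inval;` is sufficient on its own because rtm_type is an unsigned char in struct rtmsg, so no lower bound is needed; the array resize from `RTA_MAX + 1` to `RTN_MAX + 1` is the sizing typo the message refers to. Check whether any other function in this file indexes fib_props[] with a userspace-provided rtm_type before fib_create_info runs this test.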
@@ -0,0 +1,39 @@ +From: Phillip Lougher +Date: Thu, 7 Dec 2006 04:37:20 +0000 (-0800) +Subject: [PATCH] corrupted cramfs filesystems cause kernel oops +X-Git-Tag: v2.6.20-rc1~15^2~14^2~175 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=8bb0269160df2a60764013994d0bc5165406cf4a;hp=2e591bbc0d563e12f5a260fbbca0df7d5810910e + +[PATCH] corrupted cramfs filesystems cause kernel oops + +Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ +fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause +Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops +is an unchecked corrupted block length field read by cramfs_readpage(). + +This patch adds a sanity check to cramfs_readpage() which checks that the +block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is +intentional, even though the uncompressed data is not going to be larger +than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than +the original source data. Mkcramfs checks that the compressed size is +always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could +use the original uncompressed data in this case, but it doesn't. 
+ +Signed-off-by: Phillip Lougher +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c +index a624c3e..0509ced 100644 +--- a/fs/cramfs/inode.c ++++ b/fs/cramfs/inode.c +@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page * page) + pgdata = kmap(page); + if (compr_len == 0) + ; /* hole */ ++ else if (compr_len > (PAGE_CACHE_SIZE << 1)) ++ printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len); + else { + mutex_lock(&read_mutex); + bytes_filled = cramfs_uncompress_block(pgdata, only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/random-bound-check-ordering.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch 
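Review bot: the context line `mutex_lock(&read_mutex);` in this hunk comes from the 2.6.20-era upstream commit; the kernel mutex API postdates 2.6.8, whose cramfs_readpage serialises with a semaphore, so this dpatch either needs its context refreshed to the 2.6.8 file or a note that it was applied with fuzz. It also lacks the "Backported to Debian's 2.6.8" line the other patches carry. The added `printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);` fires once per faulting page and is not rate-limited, so a crafted image read in a loop produces a printk flood of the kind the minixfs-printk-hang entry in this same upload fixes; wrap it in printk_ratelimit(). When the branch is taken the page is returned without calling cramfs_uncompress_block, which is the intended safe path.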
@@ -0,0 +1,42 @@ +From: Matt Mackall +Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700) +Subject: random: fix bound check ordering (CVE-2007-3105) +X-Git-Tag: v2.6.23-rc1~259 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd + +random: fix bound check ordering (CVE-2007-3105) + +If root raised the default wakeup threshold over the size of the +output pool, the pool transfer function could overflow the stack with +RNG bytes, causing a DoS or potential privilege escalation. + +(Bug reported by the PaX Team ) + +Cc: Theodore Tso +Cc: Willy Tarreau +Signed-off-by: Matt Mackall +Signed-off-by: Chris Wright +Signed-off-by: Linus Torvalds +--- + +Backported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/drivers/char/random.c kernel-source-2.6.8/drivers/char/random.c +--- kernel-source-2.6.8.orig/drivers/char/random.c 2007-05-26 02:54:38.000000000 -0600 ++++ kernel-source-2.6.8/drivers/char/random.c 2008-02-11 21:15:53.000000000 -0700 +@@ -1321,8 +1321,13 @@ static inline void xfer_secondary_pool(s + { + if (r->entropy_count < nbytes * 8 && + r->entropy_count < r->poolinfo.POOLBITS) { +- int bytes = max_t(int, random_read_wakeup_thresh / 8, +- min_t(int, nbytes, TMP_BUF_SIZE)); ++ /* If we're limited, always leave two wakeup worth's BITS */ ++ int bytes = nbytes; ++ ++ /* pull at least as many as BYTES as wakeup BITS */ ++ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); ++ /* but never more than the buffer size */ ++ bytes = min_t(int, bytes, TMP_BUF_SIZE); + + DEBUG_ENT("%04d %04d : going to reseed %s with %d bits " + "(%d of %d requested)\n", only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch 
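Review bot: the comment `/* If we're limited, always leave two wakeup worth's BITS */` added above `int bytes = nbytes;` describes no code in this hunk: nothing in the backport reserves any bits, so the comment is misleading and should be dropped, or the reservation it refers to carried over from upstream. The reordering itself is right: the old expression `max_t(int, random_read_wakeup_thresh / 8, min_t(int, nbytes, TMP_BUF_SIZE))` let a root-raised wakeup threshold exceed the TMP_BUF_SIZE cap, and applying `min_t(int, bytes, TMP_BUF_SIZE)` last makes the buffer bound final regardless of the threshold.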
@@ -0,0 +1,88 @@ +From: Andi Kleen +Date: Fri, 21 Sep 2007 14:16:18 +0000 (+0200) +Subject: x86_64: Zero extend all registers after ptrace in 32bit entry path. +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=176df2457ef6207156ca1a40991c54ca01fef567 + +x86_64: Zero extend all registers after ptrace in 32bit entry path. + +Strictly it's only needed for eax. + +It actually does a little more than strictly needed -- the other registers +are already zero extended. + +Also remove the now unnecessary and non functional compat task check +in ptrace. + +This is CVE-2007-4573 + +Found by Wojciech Purczynski + +Signed-off-by: Andi Kleen +Signed-off-by: Linus Torvalds +--- + +Adjusted to apply to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/arch/x86_64/ia32/ia32entry.S kernel-source-2.6.8/arch/x86_64/ia32/ia32entry.S +--- kernel-source-2.6.8.orig/arch/x86_64/ia32/ia32entry.S 2007-05-26 02:54:38.000000000 -0600 ++++ kernel-source-2.6.8/arch/x86_64/ia32/ia32entry.S 2008-02-13 19:50:46.000000000 -0700 +@@ -35,6 +35,18 @@ + movq %rax,R8(%rsp) + .endm + ++ .macro LOAD_ARGS32 offset ++ movl \offset(%rsp),%r11d ++ movl \offset+8(%rsp),%r10d ++ movl \offset+16(%rsp),%r9d ++ movl \offset+24(%rsp),%r8d ++ movl \offset+40(%rsp),%ecx ++ movl \offset+48(%rsp),%edx ++ movl \offset+56(%rsp),%esi ++ movl \offset+64(%rsp),%edi ++ movl \offset+72(%rsp),%eax ++ .endm ++ + /* + * 32bit SYSENTER instruction entry. + * +@@ -107,7 +119,7 @@ sysenter_tracesys: + movq $-ENOSYS,RAX(%rsp) /* really needed? */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST + movl %ebp, %ebp + /* no need to do an access_ok check here because rbp has been +@@ -188,7 +200,7 @@ cstar_tracesys: + movq $-ENOSYS,RAX(%rsp) /* really needed? 
*/ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST + movl RSP-ARGOFFSET(%rsp), %r8d + /* no need to do an access_ok check here because r8 has been +@@ -252,7 +264,7 @@ ia32_tracesys: + movq $-ENOSYS,RAX(%rsp) /* really needed? */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST + jmp ia32_do_syscall + +diff -urpN kernel-source-2.6.8.orig/arch/x86_64/kernel/ptrace.c kernel-source-2.6.8/arch/x86_64/kernel/ptrace.c +--- kernel-source-2.6.8.orig/arch/x86_64/kernel/ptrace.c 2007-05-26 02:54:39.000000000 -0600 ++++ kernel-source-2.6.8/arch/x86_64/kernel/ptrace.c 2008-02-13 19:42:49.000000000 -0700 +@@ -97,10 +97,6 @@ static int putreg(struct task_struct *ch + { + unsigned long tmp; + +- /* Some code in the 64bit emulation may not be 64bit clean. +- Don't take any chances. */ +- if (test_tsk_thread_flag(child, TIF_IA32)) +- value &= 0xffffffff; + switch (regno) { + case offsetof(struct user_regs_struct,fs): + if (value && (value & 3) != 3) only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/dn_fib-out-of-bounds.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/dn_fib-out-of-bounds.dpatch @@ -0,0 +1,37 @@ +commit a979101106f549f4ed80d6dcbc35077be34d4346 +Author: Thomas Graf +Date: Sat Mar 24 20:33:27 2007 -0700 + + [DECNet] fib: Fix out of bound access of dn_fib_props[] + + Fixes a typo which caused fib_props[] to have the wrong size + and makes sure the value used to index the array which is + provided by userspace via netlink is checked to avoid out of + bound access. + + Signed-off-by: Thomas Graf + 
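Review bot: the LOAD_ARGS32 macro reads `%eax` from `\offset+72(%rsp)` and skips `\offset+32` with no comment; a line saying that +72 is the orig_rax slot (so a tracer's change to the syscall number is honoured) and that +32, the saved rax, is deliberately left alone would spare the next reader a trip through the pt_regs layout. Loading into the 32-bit register names (`movl ... ,%r11d` etc.) is what provides the zero extension the subject line promises, and all three entry paths (sysenter, cstar, int80) switch to the new macro, so none is left using the 64-bit LOAD_ARGS. The ptrace.c hunk removes the `value &= 0xffffffff` masking for TIF_IA32 tasks, leaving the entry path as the only place that truncates tracer-supplied values; confirm no other consumer of a 32-bit task's pt_regs, such as signal frame setup, relied on putreg doing that masking.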
Signed-off-by: David S. Miller + +diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c +index 3cbfddc..82d58a9 100644 +--- a/net/decnet/dn_fib.c ++++ b/net/decnet/dn_fib.c +@@ -63,7 +63,7 @@ static struct + { + int error; + u8 scope; +-} dn_fib_props[RTA_MAX+1] = { ++} dn_fib_props[RTN_MAX+1] = { + [RTN_UNSPEC] = { .error = 0, .scope = RT_SCOPE_NOWHERE }, + [RTN_UNICAST] = { .error = 0, .scope = RT_SCOPE_UNIVERSE }, + [RTN_LOCAL] = { .error = 0, .scope = RT_SCOPE_HOST }, +@@ -276,6 +276,9 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct dn_kern_rta + struct dn_fib_info *ofi; + int nhs = 1; + ++ if (r->rtm_type > RTN_MAX) ++ goto err_inval; ++ + if (dn_fib_props[r->rtm_type].scope > r->rtm_scope) + goto err_inval; + only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/mmap-VM_DONTEXPAND.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch 
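Review bot: this dpatch is the raw upstream commit (a/net/decnet/dn_fib.c paths, an index line, and no "Backported to Debian's 2.6.8" header), so confirm both hunks apply to the 2.6.8 file; the ipv4 counterpart in this same series needed a rework. The check `if (r->rtm_type > RTN_MAX) goto err_inval;` is placed immediately before the `dn_fib_props[r->rtm_type].scope` lookup, and since rtm_type is an unsigned char no lower bound is needed; the size change from `RTA_MAX+1` to `RTN_MAX+1` fixes the sizing typo, and the designated initialisers RTN_UNSPEC/RTN_UNICAST/RTN_LOCAL make it clear the array is indexed by RTN_* values, not RTA_*.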
@@ -0,0 +1,99 @@ +From: Nick Piggin +Date: Sat, 2 Feb 2008 02:08:53 +0000 (+0100) +Subject: vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) +X-Git-Tag: v2.6.22.17~1 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.22.y.git;a=commitdiff_plain;h=83af8eda68a3f0c227d0eb05348e58ae27a62e7e + +vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) + +Drivers that register a ->fault handler, but do not range-check the +offset argument, must set VM_DONTEXPAND in the vm_flags in order to +prevent an expanding mremap from overflowing the resource. + +I've audited the tree and attempted to fix these problems (usually by +adding VM_DONTEXPAND where it is not obvious). + +Signed-off-by: Nick Piggin +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- +commit 70fc53fa115cefe9ddb33bc284f77a7b10fabbbf +Author: Willy Tarreau +Date: Sun Feb 3 18:32:33 2008 +0100 + + security: insufficient range checks in certain fault handlers + + This is the 2.4 version of Nick Piggin's work on 2.6 fault handlers. + This deals with security vulnerability CVE-2008-0007. + + Drivers that register a ->nopage handler, that does not range-check its + offset argument, must set VM_DONTEXPAND in the vm_flags to ensure the + offset is within bounds. + + 
Signed-off-by: Willy Tarreau + +Ported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/drivers/char/drm/drm_vm.h kernel-source-2.6.8/drivers/char/drm/drm_vm.h +--- kernel-source-2.6.8.orig/drivers/char/drm/drm_vm.h 2004-08-13 23:38:10.000000000 -0600 ++++ kernel-source-2.6.8/drivers/char/drm/drm_vm.h 2008-02-19 00:14:33.000000000 -0700 +@@ -481,6 +481,7 @@ int DRM(mmap_dma)(struct file *filp, str + vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */ + #else + vma->vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma->vm_flags |= VM_DONTEXPAND; + #endif + + vma->vm_file = filp; /* Needed for drm_vm_open() */ +@@ -655,6 +656,7 @@ int DRM(mmap)(struct file *filp, struct + vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */ + #else + vma->vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma->vm_flags |= VM_DONTEXPAND; + #endif + + vma->vm_file = filp; /* Needed for drm_vm_open() */ +diff -urpN kernel-source-2.6.8.orig/fs/ncpfs/mmap.c kernel-source-2.6.8/fs/ncpfs/mmap.c +--- kernel-source-2.6.8.orig/fs/ncpfs/mmap.c 2004-08-13 23:37:26.000000000 -0600 ++++ kernel-source-2.6.8/fs/ncpfs/mmap.c 2008-02-19 00:11:29.000000000 -0700 +@@ -47,9 +47,6 @@ static struct page* ncp_file_mmap_nopage + pos = address - area->vm_start + (area->vm_pgoff << PAGE_SHIFT); + + count = PAGE_SIZE; +- if (address + PAGE_SIZE > area->vm_end) { +- count = area->vm_end - address; +- } + /* what we can read in one go */ + bufsize = NCP_SERVER(inode)->buffer_size; + +diff -urpN kernel-source-2.6.8.orig/sound/oss/via82cxxx_audio.c kernel-source-2.6.8/sound/oss/via82cxxx_audio.c +--- kernel-source-2.6.8.orig/sound/oss/via82cxxx_audio.c 2004-08-13 23:36:44.000000000 -0600 ++++ kernel-source-2.6.8/sound/oss/via82cxxx_audio.c 2008-02-19 00:11:29.000000000 -0700 +@@ -2119,6 +2119,7 @@ static struct page * via_mm_nopage (stru + { + struct via_info *card = vma->vm_private_data; + struct via_channel *chan = &card->ch_out; ++ unsigned long max_bufs; + struct page *dmapage; + unsigned long 
pgoff; + int rd, wr; +@@ -2142,14 +2143,11 @@ static struct page * via_mm_nopage (stru + rd = card->ch_in.is_mapped; + wr = card->ch_out.is_mapped; + +-#ifndef VIA_NDEBUG +- { +- unsigned long max_bufs = chan->frag_number; +- if (rd && wr) max_bufs *= 2; +- /* via_dsp_mmap() should ensure this */ +- assert (pgoff < max_bufs); +- } +-#endif ++ max_bufs = chan->frag_number; ++ if (rd && wr) ++ max_bufs *= 2; ++ if (pgoff >= max_bufs) ++ return NOPAGE_SIGBUS; + + /* if full-duplex (read+write) and we have two sets of bufs, + * then the playback buffers come first, sez soundcard.c */ only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/series/2.6.8-17sarge1 +++ kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 @@ -0,0 +1,21 @@ ++ compat_sys_mount-NULL-data_page.dpatch ++ pppoe-socket-release-mem-leak.dpatch ++ dn_fib-out-of-bounds.dpatch ++ ipv4-fib_props-out-of-bounds.dpatch ++ aacraid-ioctl-perm-check.dpatch ++ reset-pdeathsig-on-suid.dpatch ++ bluetooth-l2cap-hci-info-leaks.dpatch ++ coredump-only-to-same-uid.dpatch ++ i4l-isdn_ioctl-mem-overrun.dpatch ++ cramfs-check-block-length.dpatch ++ ext2-skip-pages-past-num-blocks.dpatch ++ minixfs-printk-hang.dpatch ++ isdn-net-overflow.dpatch ++ prevent-stack-growth-into-hugetlb-region.dpatch ++ cifs-honor-umask.dpatch ++ hugetlb-prio_tree-unit-fix.dpatch ++ amd64-zero-extend-32bit-ptrace.dpatch ++ usb-pwc-disconnect-block.dpatch ++ powerpc-chrp-null-deref.dpatch ++ random-bound-check-ordering.dpatch ++ mmap-VM_DONTEXPAND.dpatch only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/prevent-stack-growth-into-hugetlb-region.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/prevent-stack-growth-into-hugetlb-region.dpatch 
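Review bot: in both drm_vm.h hunks, `vma->vm_flags |= VM_DONTEXPAND;` is added only in the `#else` arm of the conditional around the VM_LOCKED/VM_RESERVED flags; if the first arm (`VM_LOCKED | VM_SHM`) can be compiled in this tree, those mappings still get no VM_DONTEXPAND. Hoist the line out of the `#if`/`#else`/`#endif` so it is set on both paths.

Review bot: the fs/ncpfs/mmap.c hunk deletes the `if (address + PAGE_SIZE > area->vm_end)` clamp on `count` but adds no VM_DONTEXPAND to ncp_mmap, and the dpatch header says nothing about why; record that the fault address handed to nopage is always inside the VMA, so the clamp was dead code, or the deletion reads as unrelated to the CVE.

Review bot: the via82cxxx_audio.c hunk correctly turns the debug-only `assert (pgoff < max_bufs)` into an unconditional `if (pgoff >= max_bufs) return NOPAGE_SIGBUS;`, so the bound now exists in non-debug builds; note that `max_bufs` is derived from `chan->frag_number` where `chan` is always `&card->ch_out`, so when only the capture channel is mapped the bound assumes ch_in and ch_out have equal frag_number. The old assert made the same assumption, but a comment would help.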
@@ -0,0 +1,48 @@ +From: Adam Litke +Date: Tue, 30 Jan 2007 22:35:39 +0000 (-0800) +Subject: [PATCH] Don't allow the stack to grow into hugetlb reserved regions +X-Git-Tag: v2.6.20-rc7~10 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0d59a01bc461bbab4017ff449b8401151ef44cf6 + +[PATCH] Don't allow the stack to grow into hugetlb reserved regions + +When expanding the stack, we don't currently check if the VMA will cross +into an area of the address space that is reserved for hugetlb pages. +Subsequent faults on the expanded portion of such a VMA will confuse the +low-level MMU code, resulting in an OOPS. Check for this. + +Signed-off-by: Adam Litke +Cc: David Gibson +Cc: William Lee Irwin III +Cc: Hugh Dickins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + +Backported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/mm/mmap.c kernel-source-2.6.8/mm/mmap.c +--- kernel-source-2.6.8.orig/mm/mmap.c 2007-05-26 02:54:40.000000000 -0600 ++++ kernel-source-2.6.8/mm/mmap.c 2008-02-13 13:57:29.000000000 -0700 +@@ -1203,6 +1203,7 @@ static int acct_stack_growth(struct vm_a + { + struct mm_struct *mm = vma->vm_mm; + struct rlimit *rlim = current->rlim; ++ unsigned long new_start; + + /* address space limit tests */ + if (mm->total_vm + grow > rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT) +@@ -1212,6 +1213,12 @@ static int acct_stack_growth(struct vm_a + if (size > rlim[RLIMIT_STACK].rlim_cur) + return -ENOMEM; + ++ /* Check to ensure the stack will not grow into a hugetlb-only region */ ++ new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start : ++ vma->vm_end - size; ++ if (is_hugepage_only_range(vma->vm_mm, new_start, size)) ++ return -EFAULT; ++ + /* + * Overcommit.. This must be the final test, as it will + * update security statistics. 
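Review bot: `is_hugepage_only_range(vma->vm_mm, new_start, size)` uses the three-argument form from the 2.6.20 upstream commit; check that the 2.6.8 definitions of is_hugepage_only_range in include/linux/hugetlb.h and the architecture headers take an mm argument, since the backport note records no adjustment. On architectures where the macro is a constant 0 the new block compiles away, which is fine. `new_start` is `vma->vm_end - size` for a VM_GROWSDOWN stack, i.e. the start of the VMA as it would be after expansion, so the whole proposed range is tested rather than only the grown part; the -EFAULT return matches upstream.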
only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/powerpc-chrp-null-deref.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/powerpc-chrp-null-deref.dpatch @@ -0,0 +1,49 @@ +commit 9ac71d00398674aaec664f30559f0a21d963862f +Author: Cyrill Gorcunov +Date: Fri Nov 23 16:43:04 2007 +1100 + + [POWERPC] CHRP: Fix possible NULL pointer dereference + + This fixes a possible NULL pointer dereference inside of strncmp() if + of_get_property() fails. + + Signed-off-by: Cyrill Gorcunov + 
Signed-off-by: Paul Mackerras + +Backported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/arch/ppc/platforms/chrp_setup.c kernel-source-2.6.8/arch/ppc/platforms/chrp_setup.c +--- kernel-source-2.6.8.orig/arch/ppc/platforms/chrp_setup.c 2007-05-26 02:54:38.000000000 -0600 ++++ kernel-source-2.6.8/arch/ppc/platforms/chrp_setup.c 2008-02-13 20:40:08.000000000 -0700 +@@ -117,7 +117,7 @@ chrp_show_cpuinfo(struct seq_file *m) + seq_printf(m, "machine\t\t: CHRP %s\n", model); + + /* longtrail (goldengate) stuff */ +- if (!strncmp(model, "IBM,LongTrail", 13)) { ++ if (model && !strncmp(model, "IBM,LongTrail", 13)) { + /* VLSI VAS96011/12 `Golden Gate 2' */ + /* Memory banks */ + sdramen = (in_le32((unsigned *)(gg2_pci_config_base+ +@@ -206,14 +206,20 @@ static void __init sio_fixup_irq(const c + static void __init sio_init(void) + { + struct device_node *root; ++ const char *model; + +- if ((root = find_path_device("/")) && +- !strncmp(get_property(root, "model", NULL), "IBM,LongTrail", 13)) { ++ root = find_path_device("/"); ++ if (!root) ++ return; ++ ++ model = get_property(root, "model", NULL); ++ if (model && !strncmp(model, "IBM,LongTrail", 13)) { + /* logical device 0 (KBC/Keyboard) */ + sio_fixup_irq("keyboard", 0, 1, 2); + /* select logical device 1 (KBC/Mouse) */ + sio_fixup_irq("mouse", 1, 12, 2); + } ++ + } + + void pegasos_set_l2cr(void) only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/usb-pwc-disconnect-block.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/usb-pwc-disconnect-block.dpatch 
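Review bot: the first hunk guards the strncmp with `model &&`, but the line just above it, `seq_printf(m, "machine\t\t: CHRP %s\n", model);`, still hands a possibly NULL `model` to %s; the kernel's vsnprintf prints "<NULL>" for that rather than faulting, so it is not a crash, but printing `model ? model : "unknown"` would be consistent with the new check. In the sio_init hunk the restructuring is correct (`root` is tested before get_property and `model` before strncmp), but it introduces a stray blank line before the closing brace of sio_init that should be dropped.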
@@ -0,0 +1,121 @@ +From: Oliver Neukum +Date: Tue, 21 Aug 2007 05:10:42 +0000 (+0200) +Subject: USB: fix DoS in pwc USB video driver +X-Git-Tag: v2.6.23-rc4~29^2~8 +X-Git-Url: http://git.kernel.org/gitweb.cgi?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d + +USB: fix DoS in pwc USB video driver + +the pwc driver has a disconnect method that waits for user space to +close the device. This opens up an opportunity for a DoS attack, +blocking the USB subsystem and making khubd's task busy wait in +kernel space. This patch shifts freeing resources to close if an opened +device is disconnected. + +Signed-off-by: Oliver Neukum +CC: stable +Signed-off-by: Greg Kroah-Hartman +--- + +Backported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/drivers/usb/media/pwc.h kernel-source-2.6.8/drivers/usb/media/pwc.h +--- kernel-source-2.6.8.orig/drivers/usb/media/pwc.h 2004-08-13 23:37:15.000000000 -0600 ++++ kernel-source-2.6.8/drivers/usb/media/pwc.h 2008-02-13 20:05:47.000000000 -0700 +@@ -144,6 +144,7 @@ struct pwc_device + char vsnapshot; /* snapshot mode */ + char vsync; /* used by isoc handler */ + char vmirror; /* for ToUCaM series */ ++ char unplugged; + + int cmd_len; + unsigned char cmd_buf[13]; +diff -urpN kernel-source-2.6.8.orig/drivers/usb/media/pwc-if.c kernel-source-2.6.8/drivers/usb/media/pwc-if.c +--- kernel-source-2.6.8.orig/drivers/usb/media/pwc-if.c 2004-08-13 23:37:38.000000000 -0600 ++++ kernel-source-2.6.8/drivers/usb/media/pwc-if.c 2008-02-13 20:14:17.000000000 -0700 +@@ -1084,12 +1084,18 @@ static int pwc_video_open(struct inode * + return 0; + } + ++ ++static void pwc_cleanup(struct pwc_device *pdev) ++{ ++ video_unregister_device(pdev->vdev); ++} ++ + /* Note that all cleanup is done in the reverse order as in _open */ + static int pwc_video_close(struct inode *inode, struct file *file) + { + struct video_device *vdev = file->private_data; + struct pwc_device *pdev; 
+- int i; ++ int i, hint; + + Trace(TRACE_OPEN, ">> video_close called(vdev = 0x%p).\n", vdev); + +@@ -1113,8 +1119,9 @@ static int pwc_video_close(struct inode + pwc_isoc_cleanup(pdev); + pwc_free_buffers(pdev); + ++ lock_kernel(); + /* Turn off LEDS and power down camera, but only when not unplugged */ +- if (pdev->error_status != EPIPE) { ++ if (!pdev->unplugged) { + /* Turn LEDs off */ + if (pwc_set_leds(pdev, 0, 0) < 0) + Info("Failed to set LED on/off time.\n"); +@@ -1123,9 +1130,18 @@ static int pwc_video_close(struct inode + if (i < 0) + Err("Failed to power down camera (%d)\n", i); + } ++ pdev->vopen = 0; ++ Trace(TRACE_OPEN, "<< video_close()\n"); ++ } else { ++ pwc_cleanup(pdev); ++ /* Free memory (don't set pdev to 0 just yet) */ ++ kfree(pdev); ++ /* search device_hint[] table if we occupy a slot, by any chance */ ++ for (hint = 0; hint < MAX_DEV_HINTS; hint++) ++ if (device_hint[hint].pdev == pdev) ++ device_hint[hint].pdev = NULL; + } +- pdev->vopen = 0; +- Trace(TRACE_OPEN, "<< video_close()\n"); ++ unlock_kernel(); + return 0; + } + +@@ -1972,20 +1988,21 @@ static void usb_pwc_disconnect(struct us + /* Alert waiting processes */ + wake_up_interruptible(&pdev->frameq); + /* Wait until device is closed */ +- while (pdev->vopen) +- schedule(); +- /* Device is now closed, so we can safely unregister it */ +- Trace(TRACE_PROBE, "Unregistering video device in disconnect().\n"); +- video_unregister_device(pdev->vdev); +- +- /* Free memory (don't set pdev to 0 just yet) */ +- kfree(pdev); ++ if(pdev->vopen) { ++ pdev->unplugged = 1; ++ } else { ++ /* Device is closed, so we can safely unregister it */ ++ Trace(TRACE_PROBE, "Unregistering video device in disconnect().\n"); ++ pwc_cleanup(pdev); ++ /* Free memory (don't set pdev to 0 just yet) */ ++ kfree(pdev); + + disconnect_out: +- /* search device_hint[] table if we occupy a slot, by any chance */ +- for (hint = 0; hint < MAX_DEV_HINTS; hint++) +- if (device_hint[hint].pdev == pdev) +- 
device_hint[hint].pdev = NULL; ++ /* search device_hint[] table if we occupy a slot, by any chance */ ++ for (hint = 0; hint < MAX_DEV_HINTS; hint++) ++ if (device_hint[hint].pdev == pdev) ++ device_hint[hint].pdev = NULL; ++ } + + unlock_kernel(); + } only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/cifs-honor-umask.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch 
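Review bot: the new `char unplugged;` member added to struct pwc_device in the pwc.h hunk has no initialiser anywhere in this patch, and pwc_video_close now unregisters and frees pdev whenever it is non-zero; please confirm that the probe path zeroes the whole structure (kzalloc or memset) before the device is registered, because a stale value in a kmalloc'd pdev would make the first close() tear down a camera that is still plugged in. An explicit `pdev->unplugged = 0;` next to the other field initialisations in usb_pwc_probe would document the invariant.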
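Review bot: in the unplugged branch of the pwc_video_close hunk the `device_hint[]` scan runs after `kfree(pdev);` and tests `device_hint[hint].pdev == pdev`. That is a pointer comparison, not a dereference, so it is not a use-after-free, but the ordering invites one on the next edit; running the loop before kfree() costs nothing and keeps the pointer live while it is being matched. Note also that `pdev->vopen = 0;` and the closing Trace() moved into the not-unplugged branch only, which is correct because the other branch frees the structure, but a one-line comment saying so would stop a reader from "fixing" it.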
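Review bot: in the usb_pwc_disconnect hunk the `disconnect_out:` label now sits inside the new `else { ... }` block, so any earlier `goto disconnect_out` in that function jumps into the middle of the block. That is legal C and the device_hint[] cleanup still runs, but it makes the control flow easy to misread; keeping the label and the hint-table loop outside the else block (the loop is a no-op when the entry does not match) preserves a single exit path. With the `if(pdev->vopen) { pdev->unplugged = 1; }` path, disconnect now returns immediately and the video device stays registered until user space closes it, which is the intended replacement for the `while (pdev->vopen) schedule();` busy wait; all teardown for that case is deferred to close(), so the close hunk and this one must stay in sync.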
@@ -0,0 +1,81 @@ +From: Steve French +Date: Fri, 8 Jun 2007 14:55:14 +0000 (+0000) +Subject: [CIFS] CIFS should honour umask +X-Git-Tag: v2.6.22-rc5~50^2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3ce53fc4c57603d99c330a6ee2fe96d94f2d350f + +[CIFS] CIFS should honour umask + +This patch makes CIFS honour a process' umask like other filesystems. +Of course the server is still free to munge the permissions if it wants +to; but the client will send the "right" permissions to begin with. + +A few caveats: + +1) It only applies to filesystems that have CAP_UNIX (aka support unix +extensions) +2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms() +after remote creation + +When mode to CIFS/NTFS ACL mapping is complete we can do the +same thing for that case for servers which do not +support the Unix Extensions. + +Signed-off-by: Matt Keenen +Signed-off-by: Steve French +--- + +Backported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/fs/cifs/dir.c kernel-source-2.6.8/fs/cifs/dir.c +--- kernel-source-2.6.8.orig/fs/cifs/dir.c 2007-05-26 02:54:39.000000000 -0600 ++++ kernel-source-2.6.8/fs/cifs/dir.c 2008-02-13 14:05:50.000000000 -0700 +@@ -242,7 +242,8 @@ cifs_create(struct inode *inode, struct + /* If Open reported that we actually created a file + then we now have to set the mode if possible */ + if ((cifs_sb->tcon->ses->capabilities & CAP_UNIX) && +- (oplock & CIFS_CREATE_ACTION)) ++ (oplock & CIFS_CREATE_ACTION)) { ++ mode &= ~current->fs->umask; + if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) { + CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode, + (__u64)current->euid, +@@ -256,7 +257,7 @@ cifs_create(struct inode *inode, struct + 0 /* dev */, + cifs_sb->local_nls); + } +- else { ++ } else { + /* BB implement via Windows security descriptors */ + /* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/ + /* could set r/o dos attribute if mode & 0222 
== 0 */ +@@ -356,6 +357,7 @@ int cifs_mknod(struct inode *inode, stru + rc = -ENOMEM; + + if (full_path && (pTcon->ses->capabilities & CAP_UNIX)) { ++ mode &= ~current->fs->umask; + if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) { + rc = CIFSSMBUnixSetPerms(xid, pTcon, full_path, + mode,(__u64)current->euid,(__u64)current->egid, +diff -urpN kernel-source-2.6.8.orig/fs/cifs/inode.c kernel-source-2.6.8/fs/cifs/inode.c +--- kernel-source-2.6.8.orig/fs/cifs/inode.c 2004-08-13 23:36:11.000000000 -0600 ++++ kernel-source-2.6.8/fs/cifs/inode.c 2008-02-13 14:07:24.000000000 -0700 +@@ -480,7 +480,8 @@ cifs_mkdir(struct inode *inode, struct d + d_instantiate(direntry, newinode); + if(direntry->d_inode) + direntry->d_inode->i_nlink = 2; +- if (cifs_sb->tcon->ses->capabilities & CAP_UNIX) ++ if (cifs_sb->tcon->ses->capabilities & CAP_UNIX) { ++ mode &= ~current->fs->umask; + if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) { + CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode, + (__u64)current->euid, +@@ -494,7 +495,7 @@ cifs_mkdir(struct inode *inode, struct d + 0 /* dev_t */, + cifs_sb->local_nls); + } +- else { /* BB to be implemented via Windows secrty descriptors*/ ++ } else { /* BB to be implemented via Windows secrty descriptors*/ + /* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/ + } + } only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/compat_sys_mount-NULL-data_page.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch 
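Review bot: in the cifs_create hunk `mode &= ~current->fs->umask;` is applied only after the remote create has already succeeded (`oplock & CIFS_CREATE_ACTION`), immediately before CIFSSMBUnixSetPerms(); the commit message acknowledges this, but it means the file exists on the server with the unmasked mode for the interval between the create and the follow-up set-perms call. If the create request earlier in cifs_create carries a mode, masking once at the top of the function closes that window; the same late placement appears in the cifs_mknod and cifs_mkdir hunks. The non-CAP_UNIX else branches remain unmasked, as the message states, so mounts to servers without Unix extensions still ignore the umask.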
@@ -0,0 +1,39 @@ +From: Andrey Mirkin +Date: Thu, 7 Dec 2006 04:31:35 +0000 (-0800) +Subject: [PATCH] skip data conversion in compat_sys_mount when data_page is NULL +X-Git-Tag: v2.6.20~683^2^2~360 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=822191a2fa1584a29c3224ab328507adcaeac1ab + +[PATCH] skip data conversion in compat_sys_mount when data_page is NULL + +OpenVZ Linux kernel team has found a problem with mounting in compat mode. + +Simple command "mount -t smbfs ..." on Fedora Core 5 distro in 32-bit mode +leads to oops: + + Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: compat_sys_mount+0xd6/0x290 + Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task ffff810034c86bc0) + Call Trace: ia32_sysret+0x0/0xa + +The problem is that data_page pointer can be NULL, so we should skip data +conversion in this case. + +Signed-off-by: Andrey Mirkin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + +diff --git a/fs/compat.c b/fs/compat.c +index 06dad66..7aef541 100644 +--- a/fs/compat.c ++++ b/fs/compat.c +@@ -871,7 +871,7 @@ asmlinkage long compat_sys_mount(char __user * dev_name, char __user * dir_name, + + retval = -EINVAL; + +- if (type_page) { ++ if (type_page && data_page) { + if (!strcmp((char *)type_page, SMBFS_NAME)) { + do_smb_super_data_conv((void *)data_page); + } else if (!strcmp((char *)type_page, NCPFS_NAME)) { only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/reset-pdeathsig-on-suid.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch 
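Review bot: the guard `if (type_page && data_page)` fixes the oops at the one caller, but the conversion helpers do_smb_super_data_conv() and do_ncp_super_data_conv() are left unchanged and are still handed `(void *)data_page`; a NULL check inside those helpers as well would make the fix robust against a future caller that omits the test. A comment noting that a NULL data_page is a legitimate "mount with no options" case rather than an error would also help, since `retval = -EINVAL` is set just above and a reader may assume the skipped branch should fail.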
@@ -0,0 +1,49 @@ +From: Marcel Holtmann +Date: Fri, 17 Aug 2007 19:47:58 +0000 (+0200) +Subject: Reset current->pdeath_signal on SUID binary execution +X-Git-Tag: v2.6.23-rc4~134 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f + +Reset current->pdeath_signal on SUID binary execution + +This fixes a vulnerability in the "parent process death signal" +implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd. +and iSEC Security Research. + +http://marc.info/?l=bugtraq&m=118711306802632&w=2 + +Signed-off-by: Marcel Holtmann +Signed-off-by: Linus Torvalds +--- + +Backported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/fs/exec.c kernel-source-2.6.8/fs/exec.c +--- kernel-source-2.6.8.orig/fs/exec.c 2006-12-05 02:21:56.000000000 -0700 ++++ kernel-source-2.6.8/fs/exec.c 2007-08-29 01:04:35.912755102 -0600 +@@ -848,10 +848,13 @@ int flush_old_exec(struct linux_binprm * + + flush_thread(); + +- if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || +- permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) || +- (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) ++ if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) { + current->mm->dumpable = 0; ++ current->pdeath_signal = 0; ++ } else if (permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) || ++ (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) { ++ current->mm->dumpable = 0; ++ } + + /* An exec changes our domain. 
We are no longer part of the thread + group */ +@@ -945,6 +948,8 @@ static inline int unsafe_exec(struct tas + void compute_creds(struct linux_binprm *bprm) + { + int unsafe; ++ if (bprm->e_uid != current->uid) ++ current->pdeath_signal = 0; + task_lock(current); + unsafe = unsafe_exec(current); + security_bprm_apply_creds(bprm, unsafe); only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/hugetlb-prio_tree-unit-fix.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch 
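Review bot: in the flush_old_exec hunk the split into `if (e_uid != euid || e_gid != egid) { ... } else if (permission(...) || ENFORCE_NONDUMP) { ... }` preserves the original dumpable behaviour (both branches set `current->mm->dumpable = 0`; only the first also clears pdeath_signal), but nothing in the hunk says why the signal is reset only when the credentials change and not in the unreadable-binary case. A short comment stating that the reset stops a parent-chosen death signal from being delivered to a child that has gained privileges would document the intent for the next backport.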
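Review bot: the compute_creds hunk tests `bprm->e_uid != current->uid` (real uid, and uid only) while the flush_old_exec hunk tests effective uid and gid, so the two checks cover different cases and the gid has no real-id counterpart here. If the real-uid comparison is needed, the symmetric `|| bprm->e_gid != current->gid` appears to be missing; if it is not, a comment explaining why the uid case is special would avoid the question being re-asked. The new lines also write pdeath_signal before `task_lock(current)`; that matches the unlocked write in flush_old_exec, so it is consistent, but worth a note if locking is expected there.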
@@ -0,0 +1,88 @@ +From: Hugh Dickins +Date: Sat, 28 Oct 2006 17:38:43 +0000 (-0700) +Subject: [PATCH] hugetlb: fix prio_tree unit +X-Git-Tag: v2.6.19-rc4~50 +X-Git-Url: http://git.kernel.org/gitweb.cgi?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=856fc29505556cf263f3dcda2533cf3766c14ab6 + +[PATCH] hugetlb: fix prio_tree unit + +hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in +units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas +its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be +absurdly sparse). + +At first I thought the error benign, just calling __unmap_hugepage_range on +more vmas than necessary; but on 32-bit machines, when the prio_tree is +searched correctly, it happens to ensure the v_offset calculation won't +overflow. As it stood, when truncating at or beyond 4GB, it was liable to +discard pages COWed from lower offsets; or even to clear pmd entries of +preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes). + +Signed-off-by: Hugh Dickins +Cc: Adam Litke +Cc: David Gibson +Cc: "Chen, Kenneth W" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + +Backported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/fs/hugetlbfs/inode.c kernel-source-2.6.8/fs/hugetlbfs/inode.c +--- kernel-source-2.6.8.orig/fs/hugetlbfs/inode.c 2004-08-13 23:37:40.000000000 -0600 ++++ kernel-source-2.6.8/fs/hugetlbfs/inode.c 2008-02-13 14:54:51.000000000 -0700 +@@ -265,28 +265,26 @@ static void hugetlbfs_drop_inode(struct + hugetlbfs_forget_inode(inode); + } + +-/* +- * h_pgoff is in HPAGE_SIZE units. +- * vma->vm_pgoff is in PAGE_SIZE units. 
+- */ + static inline void +-hugetlb_vmtruncate_list(struct prio_tree_root *root, unsigned long h_pgoff) ++hugetlb_vmtruncate_list(struct prio_tree_root *root, pgoff_t pgoff) + { + struct vm_area_struct *vma = NULL; + struct prio_tree_iter iter; + + while ((vma = vma_prio_tree_next(vma, root, &iter, +- h_pgoff, ULONG_MAX)) != NULL) { +- unsigned long h_vm_pgoff; ++ pgoff, ULONG_MAX)) != NULL) { + unsigned long v_length; + unsigned long v_offset; + +- h_vm_pgoff = vma->vm_pgoff >> (HPAGE_SHIFT - PAGE_SHIFT); +- v_offset = (h_pgoff - h_vm_pgoff) << HPAGE_SHIFT; + /* +- * Is this VMA fully outside the truncation point? ++ * Can the expression below overflow on 32-bit arches? ++ * No, because the prio_tree returns us only those vmas ++ * which overlap the truncated area starting at pgoff, ++ * and no vma on a 32-bit arch can span beyond the 4GB. + */ +- if (h_vm_pgoff >= h_pgoff) ++ if (vma->vm_pgoff < pgoff) ++ v_offset = (pgoff - vma->vm_pgoff) << PAGE_SHIFT; ++ else + v_offset = 0; + + v_length = vma->vm_end - vma->vm_start; +@@ -302,14 +300,14 @@ hugetlb_vmtruncate_list(struct prio_tree + */ + static int hugetlb_vmtruncate(struct inode *inode, loff_t offset) + { +- unsigned long pgoff; ++ pgoff_t pgoff; + struct address_space *mapping = inode->i_mapping; + + if (offset > inode->i_size) + return -EINVAL; + + BUG_ON(offset & ~HPAGE_MASK); +- pgoff = offset >> HPAGE_SHIFT; ++ pgoff = offset >> PAGE_SHIFT; + + inode->i_size = offset; + spin_lock(&mapping->i_mmap_lock); only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/isdn-net-overflow.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/isdn-net-overflow.dpatch 
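Review bot: the first hugetlbfs hunk deletes the comment giving the units of h_pgoff and vma->vm_pgoff, and the replacement comment only covers the overflow argument; since the whole point of the change is that `pgoff` is now in PAGE_SIZE units while the radix tree stays in HPAGE_SIZE units (per the commit message), a one-line comment above hugetlb_vmtruncate_list saying that `pgoff` and `vma->vm_pgoff` share PAGE_SIZE units would keep the next reader from reintroducing the `>> (HPAGE_SHIFT - PAGE_SHIFT)` conversion. The new `if (vma->vm_pgoff < pgoff) v_offset = (pgoff - vma->vm_pgoff) << PAGE_SHIFT; else v_offset = 0;` relies on the prio_tree only returning overlapping vmas, exactly as the comment argues, so it is correct for vmas that start before the truncation point.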
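Review bot: `pgoff = offset >> PAGE_SHIFT;` changes the unit of pgoff in hugetlb_vmtruncate, but the hunk ends at `spin_lock(&mapping->i_mmap_lock);`, before the remaining uses of pgoff in that function; any later call that feeds the radix tree, which the commit message says stays in HPAGE_SIZE units, must still receive an HPAGE_SHIFT-based value or `offset` itself, so the unshown tail of the function needs checking in this backport. The `BUG_ON(offset & ~HPAGE_MASK)` above it still guarantees the truncation point is a whole number of huge pages.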
@@ -0,0 +1,54 @@ +From: Karsten Keil +Date: Thu, 22 Nov 2007 11:43:13 +0000 (+0100) +Subject: isdn: avoid copying overly-long strings +X-Git-Tag: v2.6.24-rc4~110 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0f13864e5b24d9cbe18d125d41bfa4b726a82e40 + +isdn: avoid copying overly-long strings + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416 + +Signed-off-by: Karsten Keil +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + +diff -urpN linux-source-2.6.18.orig/drivers/isdn/i4l/isdn_net.c linux-source-2.6.18/drivers/isdn/i4l/isdn_net.c +--- linux-source-2.6.18.orig/drivers/isdn/i4l/isdn_net.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/drivers/isdn/i4l/isdn_net.c 2007-12-04 09:39:24.000000000 -0700 +@@ -2125,7 +2125,7 @@ isdn_net_find_icall(int di, int ch, int + u_long flags; + isdn_net_dev *p; + isdn_net_phone *n; +- char nr[32]; ++ char nr[ISDN_MSNLEN]; + char *my_eaz; + + /* Search name in netdev-chain */ +@@ -2134,7 +2134,7 @@ isdn_net_find_icall(int di, int ch, int + nr[1] = '\0'; + printk(KERN_INFO "isdn_net: Incoming call without OAD, assuming '0'\n"); + } else +- strcpy(nr, setup->phone); ++ strlcpy(nr, setup->phone, ISDN_MSNLEN); + si1 = (int) setup->si1; + si2 = (int) setup->si2; + if (!setup->eazmsn[0]) { +@@ -2803,7 +2803,7 @@ isdn_net_setcfg(isdn_net_ioctl_cfg * cfg + chidx = -1; + } + } +- strcpy(lp->msn, cfg->eaz); ++ strlcpy(lp->msn, cfg->eaz, sizeof(lp->msn)); + lp->pre_device = drvidx; + lp->pre_channel = chidx; + lp->onhtime = cfg->onhtime; +@@ -2952,7 +2952,7 @@ isdn_net_addphone(isdn_net_ioctl_phone * + if (p) { + if (!(n = (isdn_net_phone *) kmalloc(sizeof(isdn_net_phone), GFP_KERNEL))) + return -ENOMEM; +- strcpy(n->num, phone->phone); ++ strlcpy(n->num, phone->phone, sizeof(n->num)); + n->next = p->local->phone[phone->outgoing & 1]; + p->local->phone[phone->outgoing & 1] = n; + return 0; only in patch2: unchanged: --- 
kernel-source-2.6.8-2.6.8.orig/debian/patches/i4l-isdn_ioctl-mem-overrun.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/i4l-isdn_ioctl-mem-overrun.dpatch 
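Review bot: the two isdn_net_find_icall hunks resize `nr` to ISDN_MSNLEN and switch to `strlcpy(nr, setup->phone, ISDN_MSNLEN)`, which stops the stack overrun, but an over-long calling number is now silently truncated and then matched against the configured phone list, so two numbers that differ only beyond the limit become indistinguishable. Logging in the existing `printk(KERN_INFO "isdn_net: ...")` style, or treating an OAD longer than ISDN_MSNLEN-1 as a non-match, would be safer than matching the truncated prefix. strlcpy also reads the source up to its NUL, so `setup->phone` must already be terminated by the driver that filled it.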
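Review bot: `strlcpy(lp->msn, cfg->eaz, sizeof(lp->msn))` in isdn_net_setcfg and `strlcpy(n->num, phone->phone, sizeof(n->num))` in isdn_net_addphone copy from ioctl structures supplied by user space; strlcpy computes strlen() of the source first, so it still over-reads if `cfg->eaz` or `phone->phone` is not NUL-terminated within its array. The i4l-isdn_ioctl patch in this same upload handles the equivalent case with `iocts.drvid[sizeof(iocts.drvid)-1] = 0;` right after copy_from_user; the same one-line terminator on these fields would make the copies safe regardless of the caller, and returning -EINVAL when the source would be truncated is preferable to silently shortening a configured MSN.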
@@ -0,0 +1,56 @@ +From: Karsten Keil +Date: Sat, 1 Dec 2007 20:16:15 +0000 (-0800) +Subject: I4L: fix isdn_ioctl memory overrun vulnerability +X-Git-Tag: v2.6.24-rc4~16 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=eafe1aa37e6ec2d56f14732b5240c4dd09f0613a + +I4L: fix isdn_ioctl memory overrun vulnerability + +Fix possible memory overrun issue in the isdn ioctl code. + +Found by ADLAB + +Signed-off-by: Karsten Keil +Cc: ADLAB +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + +diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c +index c6df292..d695295 100644 +--- a/drivers/isdn/i4l/isdn_common.c ++++ b/drivers/isdn/i4l/isdn_common.c +@@ -1515,6 +1515,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + if (copy_from_user(&iocts, argp, + sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + if ((p = strchr(iocts.drvid, ','))) + *p = 0; +@@ -1599,6 +1600,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + if (copy_from_user(&iocts, argp, + sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + drvidx = -1; + for (i = 0; i < ISDN_MAX_DRIVERS; i++) +@@ -1643,7 +1645,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + } else { + p = (char __user *) iocts.arg; + for (i = 0; i < 10; i++) { +- sprintf(bname, "%s%s", ++ snprintf(bname, sizeof(bname), "%s%s", + strlen(dev->drv[drvidx]->msn2eaz[i]) ? + dev->drv[drvidx]->msn2eaz[i] : "_", + (i < 9) ? 
"," : "\0"); +@@ -1673,6 +1675,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + char *p; + if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + if ((p = strchr(iocts.drvid, ','))) + *p = 0; only in patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/minixfs-printk-hang.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch @@ -0,0 +1,69 @@ +commit f44ec6f3f89889a469773b1fd894f8fcc07c29cf +Author: Eric Sandeen +Date: Tue Oct 16 23:27:15 2007 -0700 + + limit minixfs printks on corrupted dir i_size + + This attempts to address CVE-2006-6058 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058 + + first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html + + Essentially a corrupted minix dir inode reporting a very large + i_size will loop for a very long time in minix_readdir, minix_find_entry, + etc, because on EIO they just move on to try the next page. This is + under the BKL, printk-storming as well. This can lock up the machine + for a very long time. Simply ratelimiting the printks gets things back + under control. Make the message a bit more informative while we're here. + + Signed-off-by: Eric Sandeen + Cc: Bodo Eggert <7eggert@gmx.de> + Signed-off-by: Andrew Morton + 
Signed-off-by: Linus Torvalds + +Backported to Debian's 2.6.8 by dann frazier + +diff -urpN kernel-source-2.6.8.orig/fs/minix/itree_v1.c kernel-source-2.6.8/fs/minix/itree_v1.c +--- kernel-source-2.6.8.orig/fs/minix/itree_v1.c 2004-08-13 23:38:10.000000000 -0600 ++++ kernel-source-2.6.8/fs/minix/itree_v1.c 2008-02-08 14:33:09.000000000 -0700 +@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino + static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + { + int n = 0; ++ char b[BDEVNAME_SIZE]; + + if (block < 0) { +- printk("minix_bmap: block<0"); ++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n", ++ block, bdevname(inode->i_sb->s_bdev, b)); + } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) { +- printk("minix_bmap: block>big"); ++ if (printk_ratelimit()) ++ printk("MINIX-fs: block_to_path: " ++ "block %ld too big on dev %s\n", ++ block, bdevname(inode->i_sb->s_bdev, b)); + } else if (block < 7) { + offsets[n++] = block; + } else if ((block -= 7) < 512) { +diff -urpN kernel-source-2.6.8.orig/fs/minix/itree_v2.c kernel-source-2.6.8/fs/minix/itree_v2.c +--- kernel-source-2.6.8.orig/fs/minix/itree_v2.c 2004-08-13 23:37:39.000000000 -0600 ++++ kernel-source-2.6.8/fs/minix/itree_v2.c 2008-02-08 14:33:56.000000000 -0700 +@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino + static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + { + int n = 0; ++ char b[BDEVNAME_SIZE]; + + if (block < 0) { +- printk("minix_bmap: block<0"); ++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n", ++ block, bdevname(inode->i_sb->s_bdev, b)); + } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) { +- printk("minix_bmap: block>big"); ++ if (printk_ratelimit()) ++ printk("MINIX-fs: block_to_path: " ++ "block %ld too big on dev %s\n", ++ block, bdevname(inode->i_sb->s_bdev, b)); + } else if (block < 7) { + offsets[n++] = block; + } else if ((block -= 7) < 256) { only in 
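Review bot: in the isdn_ioctl patch, `iocts.drvid[sizeof(iocts.drvid)-1] = 0;` after copy_from_user is the right fix for an unterminated drvid (the following strlen()/strchr() otherwise run off the array), and the identical line is repeated in the three hunks at 1515, 1599 and 1673. Terminating once in a shared path right after the copy, or a tiny helper that does copy_from_user plus the terminator, would stop a fourth copy of the same ioctl pattern from being missed in a later change.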
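Review bot: in the isdn_ioctl hunk at 1643 replacing `sprintf(bname, "%s%s", ...)` with `snprintf(bname, sizeof(bname), "%s%s", ...)` bounds the write, but snprintf returns the length that would have been written, not the number of bytes stored; if the code following the hunk uses that return value as the byte count for the copy to `p` in user space, a truncated entry must not be reported as longer than sizeof(bname)-1, so that use needs checking. The unchanged `(i < 9) ? "," : "\0"` operand is just an empty string in the else case; `""` would read more clearly.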
patch2: unchanged: --- kernel-source-2.6.8-2.6.8.orig/debian/patches/ext2-skip-pages-past-num-blocks.dpatch +++ kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch @@ -0,0 +1,42 @@ +commit d8adb9cef7e406a9a82881695097c702bc98422f +Author: Eric Sandeen +Date: Sat Feb 10 01:45:06 2007 -0800 + + [PATCH] ext2: skip pages past number of blocks in ext2_find_entry + + This one was pointed out on the MOKB site: + http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html + + If a directory's i_size is corrupted, ext2_find_entry() will keep + processing pages until the i_size is reached, even if there are no more + blocks associated with the directory inode. This patch puts in some + minimal sanity-checking so that we don't keep checking pages (and issuing + errors) if we know there can be no more data to read, based on the block + count of the directory inode. + + This is somewhat similar in approach to the ext3 patch I sent earlier this + year. + + Signed-off-by: Eric Sandeen + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c +index 0b02ba9..e89bfc8 100644 +--- a/fs/ext2/dir.c ++++ b/fs/ext2/dir.c +@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * dir, + } + if (++n >= npages) + n = 0; ++ /* next page is past the blocks we've got */ ++ if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)))) { ++ ext2_error(dir->i_sb, __FUNCTION__, ++ "dir %lu size %lld exceeds block count %llu", ++ dir->i_ino, dir->i_size, ++ (unsigned long long)dir->i_blocks); ++ goto out; ++ } + } while (n != start); + out: + return NULL;
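Review bot: in the minixfs patch above, both block_to_path hunks (itree_v1.c and itree_v2.c) wrap only the "block %ld too big" message in `printk_ratelimit()`; the new "block %ld < 0" message is emitted unconditionally, so a corrupted inode that repeatedly drives the negative branch reproduces the same printk storm the patch is meant to stop. Putting both messages under the ratelimit check is a one-line change per file. Neither printk carries a KERN_ level prefix (the originals lacked one too); KERN_ERR or KERN_WARNING would be appropriate now that the message names the device.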
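Review bot: the new bound in ext2_find_entry, `n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9))`, is evaluated only after `++n` and the wrap to 0, so the page index `start` at which the search begins is always probed before the check runs; if `start` can already lie past the block-backed range, that first read still happens. Clamping `start` with the same expression before the loop would close that. A comment would also help: `>` rather than `>=` is deliberately loose because i_blocks (512-byte units) also counts indirect blocks, so the quotient over-estimates the number of data pages, which is acceptable for a sanity check but not obvious from the code.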