authorRobert Buchholz <rbu@gentoo.org>2007-09-08 17:41:26 +0000
committerRobert Buchholz <rbu@gentoo.org>2007-09-08 17:41:26 +0000
commit2fd03079ac1a1451e96b28fa0ee30169996a989d (patch)
tree2efbc5a826423bda40b11f8be7ef4fc16814c263
parentReleasing 2.6.20-2 (diff)
downloadxen-2fd03079ac1a1451e96b28fa0ee30169996a989d.tar.gz
xen-2fd03079ac1a1451e96b28fa0ee30169996a989d.tar.bz2
xen-2fd03079ac1a1451e96b28fa0ee30169996a989d.zip
New 2.6.18 security patches for testing
svn path=/patches/; revision=41
-rw-r--r--trunk/2.6.18/00000_README25
-rw-r--r--trunk/2.6.18/30025_ipv4-fib_props-out-of-bounds.patch42
-rw-r--r--trunk/2.6.18/30027_cpuset_tasks-underflow.patch61
-rw-r--r--trunk/2.6.18/30028_random-bound-check-ordering.patch42
-rw-r--r--trunk/2.6.18/30029_cifs-fix-sign-settings.patch179
-rw-r--r--trunk/2.6.18/30030_aacraid-ioctl-perm-check.patch40
6 files changed, 389 insertions, 0 deletions
diff --git a/trunk/2.6.18/00000_README b/trunk/2.6.18/00000_README
index 2cd2f31..905c7e4 100644
--- a/trunk/2.6.18/00000_README
+++ b/trunk/2.6.18/00000_README
@@ -136,6 +136,31 @@ Patches
30024_drm-i965.patch
Dependency for 30022_i965-secure-batchbuffer.patch
+30025_ipv4-fib_props-out-of-bounds.patch
+ [SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
+ and check for out of bounds condition in index provided by userspace
+ See CVE-2007-2172
+
+30027_cpuset_tasks-underflow.patch
+ [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
+ local attackers to read sensitive kernel memory if the cpuset filesystem
+ is mounted.
+ See CVE-2007-2875
+
+30028_random-bound-check-ordering.patch
+ [SECURITY] Fix stack-based buffer overflow in the random number
+ generator
+ See CVE-2007-3105
+
+30029_cifs-fix-sign-settings.patch
+ [SECURITY] Fix overriding the server to force signing on caused by
+ checking the wrong gloal variable.
+ See CVE-2007-3843
+
+30030_aacraid-ioctl-perm-check.patch
+ [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
+ See CVE-2007-4308
+
50001_make-install.patch
Handle make install in a semi-sane way that plays nice with
split domU/dom0 kernels.
diff --git a/trunk/2.6.18/30025_ipv4-fib_props-out-of-bounds.patch b/trunk/2.6.18/30025_ipv4-fib_props-out-of-bounds.patch
new file mode 100644
index 0000000..3fb091d
--- /dev/null
+++ b/trunk/2.6.18/30025_ipv4-fib_props-out-of-bounds.patch
@@ -0,0 +1,42 @@
+From: Thomas Graf <tgraf@suug.ch>
+Date: Sun, 25 Mar 2007 03:32:54 +0000 (-0700)
+Subject: [IPv4] fib: Fix out of bound access of fib_props[]
+X-Git-Tag: v2.6.21~241^2~12
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a0ee18b9b7d3847976c6fb315c06a34fb296de0e
+
+[IPv4] fib: Fix out of bound access of fib_props[]
+
+Fixes a typo which caused fib_props[] to have the wrong size
+and makes sure the value used to index the array which is
+provided by userspace via netlink is checked to avoid out of
+bound access.
+
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>, heavily
+based upon Tim Gardner's backport for Ubuntu:
+ http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-edgy.git;a=commitdiff;h=6e87288e83ac08e7154980795622efdafd49c9c8
+
+--- linux-source-2.6.18.orig/net/ipv4/fib_semantics.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/fib_semantics.c 2007-08-27 22:15:04.678316443 -0600
+@@ -88,7 +88,7 @@ static const struct
+ {
+ int error;
+ u8 scope;
+-} fib_props[RTA_MAX + 1] = {
++} fib_props[RTN_MAX + 1] = {
+ {
+ .error = 0,
+ .scope = RT_SCOPE_NOWHERE,
+@@ -662,6 +662,9 @@ fib_create_info(const struct rtmsg *r, s
+ u32 mp_alg = IP_MP_ALG_NONE;
+ #endif
+
++ if (r->rtm_type > RTN_MAX)
++ goto err_inval;
++
+ /* Fast check to catch the most weird cases */
+ if (fib_props[r->rtm_type].scope > r->rtm_scope)
+ goto err_inval;
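Review bot: The new bounds check `if (r->rtm_type > RTN_MAX)` carries no comment tying it to the array-size change in the first hunk, so a later reader cannot see why RTN_MAX rather than RTA_MAX is the right limit. fib_props[] is indexed by r->rtm_type, a route type (RTN_*), whereas RTA_* are netlink attribute types, which is why the original `RTA_MAX + 1` sizing was too small; a one-line comment such as `/* rtm_type indexes fib_props[], which is sized RTN_MAX + 1 */` above the check would preserve that reasoning. The check sits before the first `fib_props[r->rtm_type]` access in the hunk, which is the right place. fib_create_info continues outside the hunk, so any later uses of the index are not visible here.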
diff --git a/trunk/2.6.18/30027_cpuset_tasks-underflow.patch b/trunk/2.6.18/30027_cpuset_tasks-underflow.patch
new file mode 100644
index 0000000..254ce0f
--- /dev/null
+++ b/trunk/2.6.18/30027_cpuset_tasks-underflow.patch
@@ -0,0 +1,61 @@
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Wed, 9 May 2007 09:33:33 +0000 (-0700)
+Subject: use simple_read_from_buffer in kernel/
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=85badbdf5120d246ce2bb3f1a7689a805f9c9006
+
+use simple_read_from_buffer in kernel/
+
+Cleanup using simple_read_from_buffer() for /dev/cpuset/tasks and
+/proc/config.gz.
+
+Cc: Paul Jackson <pj@sgi.com>
+Cc: Randy Dunlap <rdunlap@xenotime.net>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/kernel/configs.c linux-source-2.6.18/kernel/configs.c
+--- linux-source-2.6.18.orig/kernel/configs.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/configs.c 2007-08-27 22:30:10.774211736 -0600
+@@ -61,18 +61,9 @@ static ssize_t
+ ikconfig_read_current(struct file *file, char __user *buf,
+ size_t len, loff_t * offset)
+ {
+- loff_t pos = *offset;
+- ssize_t count;
+-
+- if (pos >= kernel_config_data_size)
+- return 0;
+-
+- count = min(len, (size_t)(kernel_config_data_size - pos));
+- if (copy_to_user(buf, kernel_config_data + MAGIC_SIZE + pos, count))
+- return -EFAULT;
+-
+- *offset += count;
+- return count;
++ return simple_read_from_buffer(buf, len, offset,
++ kernel_config_data + MAGIC_SIZE,
++ kernel_config_data_size);
+ }
+
+ static struct file_operations ikconfig_file_ops = {
+diff -urpN linux-source-2.6.18.orig/kernel/cpuset.c linux-source-2.6.18/kernel/cpuset.c
+--- linux-source-2.6.18.orig/kernel/cpuset.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/cpuset.c 2007-08-27 22:30:10.778211823 -0600
+@@ -1743,12 +1743,7 @@ static ssize_t cpuset_tasks_read(struct
+ {
+ struct ctr_struct *ctr = file->private_data;
+
+- if (*ppos + nbytes > ctr->bufsz)
+- nbytes = ctr->bufsz - *ppos;
+- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
+- return -EFAULT;
+- *ppos += nbytes;
+- return nbytes;
++ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
+ }
+
+ static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
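Review bot: The patch header at the top of this file describes the change as a cleanup and never mentions its security effect, while the README entry lists it as the fix for CVE-2007-2875; the `Backported to Debian's 2.6.18 by dann frazier` line is the natural place to record that. The defect being removed is visible in the cpuset.c hunk: when `*ppos` already exceeds `ctr->bufsz`, the old `nbytes = ctr->bufsz - *ppos` wraps and the following copy_to_user copies from beyond the buffer, whereas the configs.c hunk's old code already rejected `pos >= kernel_config_data_size` and is only a tidy-up. Suggested addition under the backport line: `Security relevance: removes the *ppos > bufsz underflow in cpuset_tasks_read (CVE-2007-2875).` The backport also depends on simple_read_from_buffer() being available in 2.6.18's libfs, which I take as given since the patch is offered for that tree but is worth stating.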
diff --git a/trunk/2.6.18/30028_random-bound-check-ordering.patch b/trunk/2.6.18/30028_random-bound-check-ordering.patch
new file mode 100644
index 0000000..f2e9ab5
--- /dev/null
+++ b/trunk/2.6.18/30028_random-bound-check-ordering.patch
@@ -0,0 +1,42 @@
+From: Matt Mackall <mpm@selenic.com>
+Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700)
+Subject: random: fix bound check ordering (CVE-2007-3105)
+X-Git-Tag: v2.6.23-rc1~259
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd
+
+random: fix bound check ordering (CVE-2007-3105)
+
+If root raised the default wakeup threshold over the size of the
+output pool, the pool transfer function could overflow the stack with
+RNG bytes, causing a DoS or potential privilege escalation.
+
+(Bug reported by the PaX Team <pageexec@freemail.hu>)
+
+Cc: Theodore Tso <tytso@mit.edu>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Matt Mackall <mpm@selenic.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 7f52712..397c714 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -693,9 +693,14 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
+
+ if (r->pull && r->entropy_count < nbytes * 8 &&
+ r->entropy_count < r->poolinfo->POOLBITS) {
+- int bytes = max_t(int, random_read_wakeup_thresh / 8,
+- min_t(int, nbytes, sizeof(tmp)));
++ /* If we're limited, always leave two wakeup worth's BITS */
+ int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
++ int bytes = nbytes;
++
++ /* pull at least as many as BYTES as wakeup BITS */
++ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
++ /* but never more than the buffer size */
++ bytes = min_t(int, bytes, sizeof(tmp));
+
+ DEBUG_ENT("going to reseed %s with %d bits "
+ "(%d of %d requested)\n",
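Review bot: The comment `/* pull at least as many as BYTES as wakeup BITS */` is garbled and hides the unit conversion being done; `/* pull at least wakeup_thresh/8 bytes (the threshold is in bits) */` says the same thing readably. The reordering itself is the fix: `bytes` is now clamped to `sizeof(tmp)` only after the max with the wakeup threshold, so a root-raised random_read_wakeup_thresh can no longer size the transfer past the stack buffer, which matches the header's description. `int bytes = nbytes;` narrows a size_t into an int before the clamps; presumably nbytes is small at every call site, but noting that assumption in the comment would help. xfer_secondary_pool continues outside the hunk.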
diff --git a/trunk/2.6.18/30029_cifs-fix-sign-settings.patch b/trunk/2.6.18/30029_cifs-fix-sign-settings.patch
new file mode 100644
index 0000000..11f8021
--- /dev/null
+++ b/trunk/2.6.18/30029_cifs-fix-sign-settings.patch
@@ -0,0 +1,179 @@
+From: Steve French <sfrench@us.ibm.com>
+Date: Thu, 28 Jun 2007 18:41:42 +0000 (+0000)
+Subject: [CIFS] Fix sign mount option and sign proc config setting
+X-Git-Tag: v2.6.23-rc1~478^2~20
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=762e5ab77c803c819e45d054518a98efb70b0f60
+
+[CIFS] Fix sign mount option and sign proc config setting
+
+We were checking the wrong (old) global variable to determine
+whether to override server and force signing on the SMB
+connection.
+
+Acked-by: Dave Kleikamp <shaggy@austin.ibm.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/cifs_debug.c linux-source-2.6.18/fs/cifs/cifs_debug.c
+--- linux-source-2.6.18.orig/fs/cifs/cifs_debug.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/cifs_debug.c 2007-08-27 23:12:40.666200121 -0600
+@@ -895,90 +895,14 @@ security_flags_write(struct file *file,
+ }
+ /* flags look ok - update the global security flags for cifs module */
+ extended_security = flags;
++ if (extended_security & CIFSSEC_MUST_SIGN) {
++ /* requiring signing implies signing is allowed */
++ extended_security |= CIFSSEC_MAY_SIGN;
++ cFYI(1, ("packet signing now required"));
++ } else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
++ cFYI(1, ("packet signing disabled"));
++ }
++ /* BB should we turn on MAY flags for other MUST options? */
+ return count;
+ }
+-
+-/* static int
+-ntlmv2_enabled_read(char *page, char **start, off_t off,
+- int count, int *eof, void *data)
+-{
+- int len;
+-
+- len = sprintf(page, "%d\n", ntlmv2_support);
+-
+- len -= off;
+- *start = page + off;
+-
+- if (len > count)
+- len = count;
+- else
+- *eof = 1;
+-
+- if (len < 0)
+- len = 0;
+-
+- return len;
+-}
+-static int
+-ntlmv2_enabled_write(struct file *file, const char __user *buffer,
+- unsigned long count, void *data)
+-{
+- char c;
+- int rc;
+-
+- rc = get_user(c, buffer);
+- if (rc)
+- return rc;
+- if (c == '0' || c == 'n' || c == 'N')
+- ntlmv2_support = 0;
+- else if (c == '1' || c == 'y' || c == 'Y')
+- ntlmv2_support = 1;
+- else if (c == '2')
+- ntlmv2_support = 2;
+-
+- return count;
+-}
+-
+-static int
+-packet_signing_enabled_read(char *page, char **start, off_t off,
+- int count, int *eof, void *data)
+-{
+- int len;
+-
+- len = sprintf(page, "%d\n", sign_CIFS_PDUs);
+-
+- len -= off;
+- *start = page + off;
+-
+- if (len > count)
+- len = count;
+- else
+- *eof = 1;
+-
+- if (len < 0)
+- len = 0;
+-
+- return len;
+-}
+-static int
+-packet_signing_enabled_write(struct file *file, const char __user *buffer,
+- unsigned long count, void *data)
+-{
+- char c;
+- int rc;
+-
+- rc = get_user(c, buffer);
+- if (rc)
+- return rc;
+- if (c == '0' || c == 'n' || c == 'N')
+- sign_CIFS_PDUs = 0;
+- else if (c == '1' || c == 'y' || c == 'Y')
+- sign_CIFS_PDUs = 1;
+- else if (c == '2')
+- sign_CIFS_PDUs = 2;
+-
+- return count;
+-} */
+-
+-
+ #endif
+diff -urpN linux-source-2.6.18.orig/fs/cifs/cifssmb.c linux-source-2.6.18/fs/cifs/cifssmb.c
+--- linux-source-2.6.18.orig/fs/cifs/cifssmb.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/cifssmb.c 2007-08-27 23:12:40.678200384 -0600
+@@ -411,11 +411,11 @@ CIFSSMBNegotiate(unsigned int xid, struc
+
+ /* if any of auth flags (ie not sign or seal) are overriden use them */
+ if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
+- secFlags = ses->overrideSecFlg;
++ secFlags = ses->overrideSecFlg; /* BB FIXME fix sign flags? */
+ else /* if override flags set only sign/seal OR them with global auth */
+ secFlags = extended_security | ses->overrideSecFlg;
+
+- cFYI(1,("secFlags 0x%x",secFlags));
++ cFYI(1, ("secFlags 0x%x", secFlags));
+
+ pSMB->hdr.Mid = GetNextMid(server);
+ pSMB->hdr.Flags2 |= SMBFLG2_UNICODE;
+@@ -582,22 +582,32 @@ CIFSSMBNegotiate(unsigned int xid, struc
+ #ifdef CONFIG_CIFS_WEAK_PW_HASH
+ signing_check:
+ #endif
+- if(sign_CIFS_PDUs == FALSE) {
++ if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
++ /* MUST_SIGN already includes the MAY_SIGN FLAG
++ so if this is zero it means that signing is disabled */
++ cFYI(1, ("Signing disabled"));
+ if(server->secMode & SECMODE_SIGN_REQUIRED)
+- cERROR(1,("Server requires "
+- "/proc/fs/cifs/PacketSigningEnabled to be on"));
++ cERROR(1, ("Server requires "
++ "/proc/fs/cifs/PacketSigningEnabled "
++ "to be on"));
+ server->secMode &=
+ ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
+- } else if(sign_CIFS_PDUs == 1) {
++ } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
++ /* signing required */
++ cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
++ if ((server->secMode &
++ (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
++ cERROR(1,
++ ("signing required but server lacks support"));
++ } else
++ server->secMode |= SECMODE_SIGN_REQUIRED;
++ } else {
++ /* signing optional ie CIFSSEC_MAY_SIGN */
+ if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
+ server->secMode &=
+ ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
+- } else if(sign_CIFS_PDUs == 2) {
+- if((server->secMode &
+- (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
+- cERROR(1,("signing required but server lacks support"));
+- }
+ }
++
+ neg_err_exit:
+ cifs_buf_release(pSMB);
+
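Review bot: The error message `"Server requires /proc/fs/cifs/PacketSigningEnabled to be on"` kept in the cifssmb.c hunk points operators at the old knob, while the decision just above it is now made from `secFlags & CIFSSEC_MAY_SIGN`, i.e. the security-flags setting written by security_flags_write at the top of the cifs_debug.c hunk; the message should name that setting so the operator changes the right thing. The debug string `"Must sign - segFlags 0x%x"` misspells secFlags. The `/* BB FIXME fix sign flags? */` on the `secFlags = ses->overrideSecFlg;` branch deserves to be spelled out: when a mount overrides any auth flag, the global extended_security is not OR'd in at all, so a MUST_SIGN requirement set through the proc interface does not reach that session, which is the same class of problem this patch fixes; `/* BB FIXME: global MUST/MAY_SIGN is dropped here when auth flags are overridden */` would make the gap visible. CIFSSMBNegotiate starts and ends outside both of its hunks.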
diff --git a/trunk/2.6.18/30030_aacraid-ioctl-perm-check.patch b/trunk/2.6.18/30030_aacraid-ioctl-perm-check.patch
new file mode 100644
index 0000000..cb2a516
--- /dev/null
+++ b/trunk/2.6.18/30030_aacraid-ioctl-perm-check.patch
@@ -0,0 +1,40 @@
+From: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Date: Mon, 23 Jul 2007 13:51:05 +0000 (+0100)
+Subject: [SCSI] aacraid: Fix security hole
+X-Git-Tag: v2.6.23-rc2~164^2~24
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=60395bb60e0b5e4e0808ac8eb07a92f6c9cdea1f
+
+[SCSI] aacraid: Fix security hole
+
+On the SCSI layer ioctl path there is no implicit permissions check for
+ioctls (and indeed other drivers implement unprivileged ioctls). aacraid
+however allows all sorts of very admin only things to be done so should
+check.
+
+Signed-off-by: Alan Cox <alan@redhat.com>
+Acked-by: "Salyzyn, Mark" <mark_salyzyn@adaptec.com>
+Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+--- linux-source-2.6.18.orig/drivers/scsi/aacraid/linit.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/drivers/scsi/aacraid/linit.c 2007-08-27 23:27:41.805986591 -0600
+@@ -536,6 +536,8 @@ static int aac_cfg_open(struct inode *in
+ static int aac_cfg_ioctl(struct inode *inode, struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
+ return aac_do_ioctl(file->private_data, cmd, (void __user *)arg);
+ }
+
+@@ -589,6 +591,8 @@ static int aac_compat_ioctl(struct scsi_
+
+ static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+ {
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
+ return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg);
+ }
+ #endif
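Review bot: The header says the hole is on the SCSI layer ioctl path, but the two hunks guard only the /dev/aac character-device entry points, aac_cfg_ioctl and aac_compat_cfg_ioctl; the scsi_host_template handlers are not touched here even though `aac_compat_ioctl(struct scsi_` appears as the context of the second hunk, so that path looks to still reach aac_do_ioctl / aac_compat_do_ioctl without a capability check. If the upstream commit also guarded those handlers, this backport is narrower than the README entry `Require admin capabilities to issue ioctls to aacraid devices` claims and the `Adjusted to apply to Debian's 2.6.18` note should say so; if the omission is deliberate, one sentence there explaining why would save the next reviewer the same question. Both added checks call `capable(CAP_SYS_ADMIN)` before any argument is read, which is the right ordering.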