Author: dannf Date: Fri Nov 10 23:28:49 2006 New Revision: 7737 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/233_ia64-sparc-cross-region-mappings.diff dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Log: * 233_ia64-sparc-cross-region-mappings.diff [SECURITY] Prevent cross-region mappings on ia64 and sparc which could be used in a local DoS attack (system crash) See CVE-2006-4538
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Fri Nov 10 23:28:49 2006 @@ -1,3 +1,12 @@ +kernel-source-2.4.27 (2.4.27-10sarge5) UNRELEASED; urgency=low + + * 233_ia64-sparc-cross-region-mappings.diff + [SECURITY] Prevent cross-region mappings on ia64 and sparc which + could be used in a local DoS attack (system crash) + See CVE-2006-4538 + + -- dann frazier <[EMAIL PROTECTED]> Fri, 10 Nov 2006 15:22:03 -0700 + kernel-source-2.4.27 (2.4.27-10sarge4) stable-security; urgency=high * [ERRATA] 213_madvise_remove-restrict.diff Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/233_ia64-sparc-cross-region-mappings.diff ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/233_ia64-sparc-cross-region-mappings.diff Fri Nov 10 23:28:49 2006 
@@ -0,0 +1,284 @@ +From: Kirill Korotaev <[EMAIL PROTECTED]> +Date: Thu, 7 Sep 2006 10:17:04 +0000 (+0400) +Subject: [PATCH] IA64,sparc: local DoS with corrupted ELFs +X-Git-Tag: v2.6.18-rc7 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a459756810912d2c2bf188cef566af255936b4d + +[PATCH] IA64,sparc: local DoS with corrupted ELFs + +This prevents cross-region mappings on IA64 and SPARC which could lead +to system crash. They were correctly trapped for normal mmap() calls, +but not for the kernel internal calls generated by executable loading. + +This code just moves the architecture-specific cross-region checks into +an arch-specific "arch_mmap_check()" macro, and defines that for the +architectures that needed it (ia64, sparc and sparc64). + +Architectures that don't have any special requirements can just ignore +the new cross-region check, since the mmap() code will just notice on +its own when the macro isn't defined. + +Signed-off-by: Pavel Emelianov <[EMAIL PROTECTED]> +Signed-off-by: Kirill Korotaev <[EMAIL PROTECTED]> +Acked-by: David Miller <[EMAIL PROTECTED]> +Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]> +[ Cleaned up to not affect architectures that don't need it ] +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +Backported to Debian's 2.4.27 by dann frazier <[EMAIL PROTECTED]> + +diff -urN kernel-source-2.4.27.orig/arch/ia64/kernel/sys_ia64.c kernel-source-2.4.27/arch/ia64/kernel/sys_ia64.c +--- kernel-source-2.4.27.orig/arch/ia64/kernel/sys_ia64.c 2004-02-18 06:36:30.000000000 -0700 ++++ kernel-source-2.4.27/arch/ia64/kernel/sys_ia64.c 2006-11-10 14:55:23.826974151 -0700 +@@ -174,10 +174,25 @@ + return retval; + } + ++int ia64_mmap_check(unsigned long addr, unsigned long len, ++ unsigned long flags) ++{ ++ unsigned long roff; ++ ++ /* ++ * Don't permit mappings into unmapped space, the virtual page table ++ * of a region, or across a region boundary. 
Note: RGN_MAP_LIMIT is ++ * equal to 2^n-PAGE_SIZE (for some integer n <= 61) and len > 0. ++ */ ++ roff = rgn_offset(addr); ++ if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len))) ++ return -EINVAL; ++ return 0; ++} ++ + static inline unsigned long + do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, unsigned long pgoff) + { +- unsigned long roff; + struct file *file = 0; + + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); +@@ -200,17 +215,6 @@ + if (len == 0) + goto out; + +- /* +- * Don't permit mappings into unmapped space, the virtual page table of a region, +- * or across a region boundary. Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE +- * (for some integer n <= 61) and len > 0. +- */ +- roff = rgn_offset(addr); +- if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len))) { +- addr = -EINVAL; +- goto out; +- } +- + down_write(¤t->mm->mmap_sem); + addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); + up_write(¤t->mm->mmap_sem); +diff -urN kernel-source-2.4.27.orig/arch/sparc/kernel/sys_sparc.c kernel-source-2.4.27/arch/sparc/kernel/sys_sparc.c +--- kernel-source-2.4.27.orig/arch/sparc/kernel/sys_sparc.c 2003-08-25 05:44:40.000000000 -0600 ++++ kernel-source-2.4.27/arch/sparc/kernel/sys_sparc.c 2006-11-09 17:32:38.000000000 -0700 +@@ -217,6 +217,21 @@ + return err; + } + ++int sparc_mmap_check(unsigned long addr, unsigned long len, unsigned long flags) ++{ ++ if (ARCH_SUN4C_SUN4 && ++ (len > 0x20000000 || ++ ((flags & MAP_FIXED) && ++ addr < 0xe0000000 && addr + len > 0x20000000))) ++ return -EINVAL; ++ ++ /* See asm-sparc/uaccess.h */ ++ if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE) ++ return -EINVAL; ++ ++ return 0; ++} ++ + /* Linux version of mmap */ + static unsigned long do_mmap2(unsigned long addr, unsigned long len, + unsigned long prot, unsigned long flags, unsigned long fd, +@@ -231,25 +246,13 @@ + goto out; + } + +- retval = -EINVAL; + len = PAGE_ALIGN(len); +- if (ARCH_SUN4C_SUN4 && 
+- (len > 0x20000000 || +- ((flags & MAP_FIXED) && +- addr < 0xe0000000 && addr + len > 0x20000000))) +- goto out_putf; +- +- /* See asm-sparc/uaccess.h */ +- if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE) +- goto out_putf; +- + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); + + down_write(¤t->mm->mmap_sem); + retval = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); + up_write(¤t->mm->mmap_sem); + +-out_putf: + if (file) + fput(file); + out: +diff -urN kernel-source-2.4.27.orig/arch/sparc64/kernel/sys_sparc.c kernel-source-2.4.27/arch/sparc64/kernel/sys_sparc.c +--- kernel-source-2.4.27.orig/arch/sparc64/kernel/sys_sparc.c 2003-08-25 05:44:40.000000000 -0600 ++++ kernel-source-2.4.27/arch/sparc64/kernel/sys_sparc.c 2006-11-10 15:01:00.453490534 -0700 +@@ -281,6 +281,23 @@ + return ret; + } + ++int sparc64_mmap_check(unsigned long addr, unsigned long len, ++ unsigned long flags) ++{ ++ if (current->thread.flags & SPARC_FLAG_32BIT) { ++ if (len > 0xf0000000UL || ++ ((flags & MAP_FIXED) && addr > 0xf0000000UL - len)) ++ return -EINVAL; ++ } else { ++ if (len > -PAGE_OFFSET || ++ ((flags & MAP_FIXED) && ++ addr < PAGE_OFFSET && addr + len > -PAGE_OFFSET)) ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + /* Linux version of mmap */ + asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len, + unsigned long prot, unsigned long flags, unsigned long fd, +@@ -296,24 +313,11 @@ + } + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); + len = PAGE_ALIGN(len); +- retval = -EINVAL; +- +- if (current->thread.flags & SPARC_FLAG_32BIT) { +- if (len > 0xf0000000UL || +- ((flags & MAP_FIXED) && addr > 0xf0000000UL - len)) +- goto out_putf; +- } else { +- if (len > -PAGE_OFFSET || +- ((flags & MAP_FIXED) && +- addr < PAGE_OFFSET && addr + len > -PAGE_OFFSET)) +- goto out_putf; +- } + + down_write(¤t->mm->mmap_sem); + retval = do_mmap(file, addr, len, prot, flags, off); + up_write(¤t->mm->mmap_sem); + +-out_putf: + if (file) + fput(file); + out: +diff 
-urN kernel-source-2.4.27.orig/include/asm-ia64/mman.h kernel-source-2.4.27/include/asm-ia64/mman.h +--- kernel-source-2.4.27.orig/include/asm-ia64/mman.h 2004-04-14 07:05:40.000000000 -0600 ++++ kernel-source-2.4.27/include/asm-ia64/mman.h 2006-11-09 17:32:38.000000000 -0700 +@@ -45,4 +45,12 @@ + #define MAP_ANON MAP_ANONYMOUS + #define MAP_FILE 0 + ++#ifdef __KERNEL__ ++#ifndef __ASSEMBLY__ ++#define arch_mmap_check ia64_mmap_check ++int ia64_mmap_check(unsigned long addr, unsigned long len, ++ unsigned long flags); ++#endif ++#endif ++ + #endif /* _ASM_IA64_MMAN_H */ +diff -urN kernel-source-2.4.27.orig/include/asm-sparc/mman.h kernel-source-2.4.27/include/asm-sparc/mman.h +--- kernel-source-2.4.27.orig/include/asm-sparc/mman.h 2003-06-13 08:51:38.000000000 -0600 ++++ kernel-source-2.4.27/include/asm-sparc/mman.h 2006-11-09 17:32:38.000000000 -0700 +@@ -53,4 +53,12 @@ + #define MAP_ANON MAP_ANONYMOUS + #define MAP_FILE 0 + ++#ifdef __KERNEL__ ++#ifndef __ASSEMBLY__ ++#define arch_mmap_check sparc_mmap_check ++int sparc_mmap_check(unsigned long addr, unsigned long len, ++ unsigned long flags); ++#endif ++#endif ++ + #endif /* __SPARC_MMAN_H__ */ +diff -urN kernel-source-2.4.27.orig/include/asm-sparc64/mman.h kernel-source-2.4.27/include/asm-sparc64/mman.h +--- kernel-source-2.4.27.orig/include/asm-sparc64/mman.h 2003-06-13 08:51:38.000000000 -0600 ++++ kernel-source-2.4.27/include/asm-sparc64/mman.h 2006-11-09 17:32:38.000000000 -0700 +@@ -53,4 +53,12 @@ + #define MAP_ANON MAP_ANONYMOUS + #define MAP_FILE 0 + ++#ifdef __KERNEL__ ++#ifndef __ASSEMBLY__ ++#define arch_mmap_check sparc64_mmap_check ++int sparc64_mmap_check(unsigned long addr, unsigned long len, ++ unsigned long flags); ++#endif ++#endif ++ + #endif /* __SPARC64_MMAN_H__ */ +diff -urN kernel-source-2.4.27.orig/mm/mmap.c kernel-source-2.4.27/mm/mmap.c +--- kernel-source-2.4.27.orig/mm/mmap.c 2006-09-13 23:34:47.000000000 -0600 ++++ kernel-source-2.4.27/mm/mmap.c 2006-11-09 17:43:30.000000000 -0700 +@@ 
-19,6 +19,10 @@ + #include <asm/uaccess.h> + #include <asm/pgalloc.h> + ++#ifndef arch_mmap_check ++#define arch_mmap_check(addr, len, flags) (0) ++#endif ++ + /* + * WARNING: the debugging will use recursive algorithms so never enable this + * unless you know what you are doing. +@@ -412,6 +416,10 @@ + if (!len) + return addr; + ++ error = arch_mmap_check(addr, len, flags); ++ if (error) ++ return error; ++ + len = PAGE_ALIGN(len); + + if (len > TASK_SIZE || len == 0) +@@ -1042,6 +1050,7 @@ + struct vm_area_struct * vma, * prev; + unsigned long flags; + rb_node_t ** rb_link, * rb_parent; ++ int error; + + len = PAGE_ALIGN(len); + if (!len) +@@ -1050,6 +1059,12 @@ + if ((addr + len) > TASK_SIZE || (addr + len) < addr) + return -EINVAL; + ++ flags = VM_DATA_DEFAULT_FLAGS | mm->def_flags; ++ ++ error = arch_mmap_check(addr, len, flags); ++ if (error) ++ return error; ++ + /* + * mlock MCL_FUTURE? + */ +@@ -1082,8 +1097,6 @@ + if (!vm_enough_memory(len >> PAGE_SHIFT)) + return -ENOMEM; + +- flags = VM_DATA_DEFAULT_FLAGS | mm->def_flags; +- + /* Can we just expand an old anonymous mapping? */ + if (rb_parent && vma_merge(mm, prev, rb_parent, addr, addr + len, flags)) + goto out; Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5 ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5 Fri Nov 10 23:28:49 2006 @@ -0,0 +1 @@ ++ 233_ia64-sparc-cross-region-mappings.diff _______________________________________________ Kernel-svn-changes mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
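Review bot: The do_brk call site near the end of the mm/mmap.c hunk hands `flags = VM_DATA_DEFAULT_FLAGS | mm->def_flags` (VM_* bits) to arch_mmap_check, while the sparc_mmap_check and sparc64_mmap_check bodies added earlier in this patch test `flags & MAP_FIXED`, a MAP_* bit, so in do_brk the fixed-address branch of those checks is taken only if the numeric value of MAP_FIXED happens to coincide with a VM_ bit that is set by default, which nothing on the page documents. Since do_brk always maps at the caller-chosen address, passing the mmap-style flag explicitly, `error = arch_mmap_check(addr, len, MAP_FIXED);`, would state that intent instead of relying on the coincidence; if the backport is deliberately kept byte-identical to the upstream change, a comment such as `/* NOTE: flags holds VM_* bits here, but the arch checks test MAP_FIXED; relies on that bit aliasing a default VM_ flag */` should accompany the call. The ia64_mmap_check body ignores its flags argument, so ia64 is unaffected either way. The enclosing do_brk and do_mmap_pgoff bodies start and end outside the inner hunks shown here, so the declaration of `error` in do_mmap_pgoff could not be confirmed from this page.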

