Author: dannf Date: Thu Sep 20 14:34:52 2007 New Revision: 9538 Log: * bugfix/ptrace-handle-bogus-selector.patch, bugfix/fixup-trace_irq-breakage.patch [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field) during ptrace single-step operations that can be used to trigger a NULL-pointer dereference causing an Oops.
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/fixup-trace_irq-breakage.patch dists/etch-security/linux-2.6/debian/patches/bugfix/ptrace-handle-bogus-selector.patch dists/etch-security/linux-2.6/debian/patches/series/13etch3 Modified: dists/etch-security/linux-2.6/debian/changelog Modified: dists/etch-security/linux-2.6/debian/changelog ============================================================================== --- dists/etch-security/linux-2.6/debian/changelog (original) +++ dists/etch-security/linux-2.6/debian/changelog Thu Sep 20 14:34:52 2007 @@ -1,3 +1,13 @@ +linux-2.6 (2.6.18.dfsg.1-13etch3) UNRELEASED; urgency=low + + * bugfix/ptrace-handle-bogus-selector.patch, + bugfix/fixup-trace_irq-breakage.patch + [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field) + during ptrace single-step operations that can be used to trigger a + NULL-pointer dereference causing an Oops. + + -- dann frazier <[EMAIL PROTECTED]> Thu, 20 Sep 2007 08:24:55 -0600 + linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high * bugfix/ipv4-fib_props-out-of-bounds.patch Added: dists/etch-security/linux-2.6/debian/patches/bugfix/fixup-trace_irq-breakage.patch ============================================================================== --- (empty file) +++ dists/etch-security/linux-2.6/debian/patches/bugfix/fixup-trace_irq-breakage.patch Thu Sep 20 14:34:52 2007 
@@ -0,0 +1,64 @@
+From: Peter Zijlstra <[EMAIL PROTECTED]>
+Date: Wed, 18 Jul 2007 18:59:22 +0000 (+0200)
+Subject: i386: fixup TRACE_IRQ breakage
+X-Git-Tag: v2.6.23-rc1~491
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a10d9a71bafd3a283da240d2868e71346d2aef6f
+
+i386: fixup TRACE_IRQ breakage
+
+The TRACE_IRQS_ON function in iret_exc: calls a C function without
+ensuring that the segments are set properly. Move the trace function and
+the enabling of interrupt into the C stub.
+
+Signed-off-by: Peter Zijlstra <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/entry.S linux-source-2.6.18/arch/i386/kernel/entry.S
+--- linux-source-2.6.18.orig/arch/i386/kernel/entry.S 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/entry.S 2007-09-19 23:53:22.929573806 -0600
+@@ -384,8 +384,6 @@ restore_nocheck_notrace:
+ 1: iret
+ .section .fixup,"ax"
+ iret_exc:
+- TRACE_IRQS_ON
+- sti
+ pushl $0 # no error code
+ pushl $do_iret_error
+ jmp error_code
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/traps.c linux-source-2.6.18/arch/i386/kernel/traps.c
+--- linux-source-2.6.18.orig/arch/i386/kernel/traps.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/traps.c 2007-09-19 23:47:18.209575527 -0600
+@@ -516,10 +516,12 @@ fastcall void do_##name(struct pt_regs *
+ do_trap(trapnr, signr, str, 0, regs, error_code, NULL); \
+ }
+
+-#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr) \
++#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr, irq) \
+ fastcall void do_##name(struct pt_regs * regs, long error_code) \
+ { \
+ siginfo_t info; \
++ if (irq) \
++ local_irq_enable(); \
+ info.si_signo = signr; \
+ info.si_errno = 0; \
+ info.si_code = sicode; \
+@@ -559,13 +561,13 @@ DO_VM86_ERROR( 3, 
SIGTRAP, "int3", int3)
+ #endif
+ DO_VM86_ERROR( 4, SIGSEGV, "overflow", overflow)
+ DO_VM86_ERROR( 5, SIGSEGV, "bounds", bounds)
+-DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip)
++DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip, 0)
+ DO_ERROR( 9, SIGFPE, "coprocessor segment overrun", coprocessor_segment_overrun)
+ DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS)
+ DO_ERROR(11, SIGBUS, "segment not present", segment_not_present)
+ DO_ERROR(12, SIGBUS, "stack segment", stack_segment)
+-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0)
+-DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0)
++DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0, 0)
++DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0, 1)
+
+ fastcall void __kprobes do_general_protection(struct pt_regs * regs,
+ long error_code)
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/ptrace-handle-bogus-selector.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/ptrace-handle-bogus-selector.patch Thu Sep 20 14:34:52 2007
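Review bot: The new `irq` parameter of DO_ERROR_INFO is not explained anywhere in the traps.c hunk, and only the `iret_error` instantiation passes 1; a reader of traps.c alone cannot see that this replaces the `TRACE_IRQS_ON`/`sti` pair removed from `iret_exc:` in the entry.S hunk. A one-line comment above the macro, e.g. `/* irq: enable interrupts (and the irq tracing the old TRACE_IRQS_ON did) before delivering the signal; the iret_exc fixup in entry.S no longer does sti before jumping to error_code */`, would keep the two files tied together for the next backport. The hunk updates the three instantiations (vectors 6, 17 and 32) that are in view; any other DO_ERROR_INFO instantiation outside the hunk would need the extra argument as well. The `do_##name` body generated by the macro continues past the end of the hunk.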
@@ -0,0 +1,86 @@
+From: Roland McGrath <[EMAIL PROTECTED]>
+Date: Mon, 16 Jul 2007 08:03:16 +0000 (-0700)
+Subject: Handle bogus %cs selector in single-step instruction decoding
+X-Git-Tag: v2.6.23-rc1~492
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=29eb51101c02df517ca64ec472d7501127ad1da8
+
+Handle bogus %cs selector in single-step instruction decoding
+
+The code for LDT segment selectors was not robust in the face of a bogus
+selector set in %cs via ptrace before the single-step was done.
+
+Signed-off-by: Roland McGrath <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c linux-source-2.6.18/arch/i386/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/ptrace.c 2007-09-19 23:45:45.949576125 -0600
+@@ -172,14 +172,22 @@ static unsigned long convert_eip_to_line
+ u32 *desc;
+ unsigned long base;
+
+- down(&child->mm->context.sem);
+- desc = child->mm->context.ldt + (seg & ~7);
+- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++ seg &= ~7UL;
+
+- /* 16-bit code segment? */
+- if (!((desc[1] >> 22) & 1))
+- addr &= 0xffff;
+- addr += base;
++ down(&child->mm->context.sem);
++ if (unlikely((seg >> 3) >= child->mm->context.size))
++ addr = -1L; /* bogus selector, access would fault */
++ else {
++ desc = child->mm->context.ldt + seg;
++ base = ((desc[0] >> 16) |
++ ((desc[1] & 0xff) << 16) |
++ (desc[1] & 0xff000000));
++
++ /* 16-bit code segment? 
*/
++ if (!((desc[1] >> 22) & 1))
++ addr &= 0xffff;
++ addr += base;
++ }
+ up(&child->mm->context.sem);
+ }
+ return addr;
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c linux-source-2.6.18/arch/x86_64/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/kernel/ptrace.c 2007-09-19 23:45:45.953575027 -0600
+@@ -103,16 +103,25 @@ unsigned long convert_rip_to_linear(stru
+ u32 *desc;
+ unsigned long base;
+
+- down(&child->mm->context.sem);
+- desc = child->mm->context.ldt + (seg & ~7);
+- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++ seg &= ~7UL;
+
+- /* 16-bit code segment? */
+- if (!((desc[1] >> 22) & 1))
+- addr &= 0xffff;
+- addr += base;
++ down(&child->mm->context.sem);
++ if (unlikely((seg >> 3) >= child->mm->context.size))
++ addr = -1L; /* bogus selector, access would fault */
++ else {
++ desc = child->mm->context.ldt + seg;
++ base = ((desc[0] >> 16) |
++ ((desc[1] & 0xff) << 16) |
++ (desc[1] & 0xff000000));
++
++ /* 16-bit code segment? */
++ if (!((desc[1] >> 22) & 1))
++ addr &= 0xffff;
++ addr += base;
++ }
+ up(&child->mm->context.sem);
+ }
++
+ return addr;
+ }
+
Added: dists/etch-security/linux-2.6/debian/patches/series/13etch3
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch3 Thu Sep 20 14:34:52 2007
@@ -0,0 +1,2 @@
++ bugfix/ptrace-handle-bogus-selector.patch
++ bugfix/fixup-trace_irq-breakage.patch
_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
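Review bot: The bogus-selector branch returns `-1L`, but the hunk records only the intent (`access would fault`), not the contract the callers rely on: the sentinel is meant to be handed to the user-memory accessor that the caller (outside the hunk) presumably reads the instruction bytes with, so that the read fails the way the real access would, rather than being treated as a wrapped linear address. A comment on the return value, e.g. `/* -1 for a selector beyond the LDT: the caller's user-space read of the instruction then fails as the faulting access would */`, would stop a later cleanup from special-casing it. It is also worth saying at the bound check that a process with no LDT has `context.size == 0` (and, presumably, a NULL `context.ldt`), since that is the case the pre-patch `desc = child->mm->context.ldt + (seg & ~7)` dereferenced; the same applies to the x86_64 hunk, which adds the identical check. The signatures of convert_eip_to_linear and convert_rip_to_linear and the start of their bodies, where `seg` is chosen, are outside the hunks.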

