Author: dannf
Date: Tue Sep 25 06:14:19 2007
New Revision: 9545

Log:
* bugfix/amd64-zero-extend-32bit-ptrace.patch
  [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
  See CVE-2007-4573

Added:
   
dists/etch-security/linux-2.6/debian/patches/bugfix/amd64-zero-extend-32bit-ptrace.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch3

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Tue Sep 25 06:14:19 2007
@@ -13,8 +13,11 @@
   * bugfix/cifs-honor-umask.patch
     [SECURITY] Make CIFS honor a process' umask
     See CVE-2007-3740
+  * bugfix/amd64-zero-extend-32bit-ptrace.patch
+    [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
+    See CVE-2007-4573
 
- -- dann frazier <[EMAIL PROTECTED]>  Mon, 24 Sep 2007 23:05:05 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Tue, 25 Sep 2007 00:12:13 -0600
 
 linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high
 

Added: 
dists/etch-security/linux-2.6/debian/patches/bugfix/amd64-zero-extend-32bit-ptrace.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/amd64-zero-extend-32bit-ptrace.patch
    Tue Sep 25 06:14:19 2007
@@ -0,0 +1,88 @@
+From: Andi Kleen <[EMAIL PROTECTED]>
+Date: Fri, 21 Sep 2007 14:16:18 +0000 (+0200)
+Subject: x86_64: Zero extend all registers after ptrace in 32bit entry path.
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=176df2457ef6207156ca1a40991c54ca01fef567
+
+x86_64: Zero extend all registers after ptrace in 32bit entry path.
+
+Strictly it's only needed for eax.
+
+It actually does a little more than strictly needed -- the other registers
+are already zero extended.
+
+Also remove the now unnecessary and non functional compat task check
+in ptrace.
+
+This is CVE-2007-4573
+
+Found by Wojciech Purczynski
+
+Signed-off-by: Andi Kleen <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/ia32/ia32entry.S 
linux-source-2.6.18/arch/x86_64/ia32/ia32entry.S
+--- linux-source-2.6.18.orig/arch/x86_64/ia32/ia32entry.S      2006-09-19 
21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/ia32/ia32entry.S   2007-09-25 
00:10:16.089100799 -0600
+@@ -38,6 +38,18 @@
+       movq    %rax,R8(%rsp)
+       .endm
+ 
++      .macro LOAD_ARGS32 offset
++      movl \offset(%rsp),%r11d
++      movl \offset+8(%rsp),%r10d
++      movl \offset+16(%rsp),%r9d
++      movl \offset+24(%rsp),%r8d
++      movl \offset+40(%rsp),%ecx
++      movl \offset+48(%rsp),%edx
++      movl \offset+56(%rsp),%esi
++      movl \offset+64(%rsp),%edi
++      movl \offset+72(%rsp),%eax
++      .endm
++      
+       .macro CFI_STARTPROC32 simple
+       CFI_STARTPROC   \simple
+       CFI_UNDEFINED   r8
+@@ -151,7 +163,7 @@ sysenter_tracesys:
+       movq    $-ENOSYS,RAX(%rsp)      /* really needed? */
+       movq    %rsp,%rdi        /* &pt_regs -> arg1 */
+       call    syscall_trace_enter
+-      LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
++      LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
+       RESTORE_REST
+       movl    %ebp, %ebp
+       /* no need to do an access_ok check here because rbp has been
+@@ -253,7 +265,7 @@ cstar_tracesys:    
+       movq $-ENOSYS,RAX(%rsp) /* really needed? */
+       movq %rsp,%rdi        /* &pt_regs -> arg1 */
+       call syscall_trace_enter
+-      LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
++      LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
+       RESTORE_REST
+       movl RSP-ARGOFFSET(%rsp), %r8d
+       /* no need to do an access_ok check here because r8 has been
+@@ -330,7 +342,7 @@ ia32_tracesys:                      
+       movq $-ENOSYS,RAX(%rsp) /* really needed? */
+       movq %rsp,%rdi        /* &pt_regs -> arg1 */
+       call syscall_trace_enter
+-      LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
++      LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
+       RESTORE_REST
+       jmp ia32_do_syscall
+ END(ia32_syscall)
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c 
linux-source-2.6.18/arch/x86_64/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c       2006-09-19 
21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/kernel/ptrace.c    2007-09-25 
00:10:16.089100799 -0600
+@@ -223,10 +223,6 @@ static int putreg(struct task_struct *ch
+ {
+       unsigned long tmp; 
+       
+-      /* Some code in the 64bit emulation may not be 64bit clean.
+-         Don't take any chances. */
+-      if (test_tsk_thread_flag(child, TIF_IA32))
+-              value &= 0xffffffff;
+       switch (regno) {
+               case offsetof(struct user_regs_struct,fs):
+                       if (value && (value & 3) != 3)
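Review bot: The new LOAD_ARGS32 macro carries no comment explaining why it exists, and the three call sites keep the old `reload args from stack in case ptrace changed it` text, so the reason for the `movl` form (a 32-bit move writes zeros into the upper half of the 64-bit destination register, which the 64-bit `LOAD_ARGS` it replaces presumably does not) is only recoverable from the patch description, not the source. A one-line comment above the macro, `/* Like LOAD_ARGS, but movl zero-extends each register: ptrace may have stored full 64-bit values that the 32-bit syscall path must not see (CVE-2007-4573) */`, would keep that rationale where the next reader of ia32entry.S will look. Dropping the TIF_IA32 mask in putreg (second file; putreg starts and ends outside the hunk) makes the entry path the only place that truncates, so any other 32-bit path that reloads registers after `syscall_trace_enter` with the 64-bit `LOAD_ARGS` would need the same replacement — only these three sites are visible here, the rest of ia32entry.S is not. The added line after `.endm` consists of trailing spaces only and could be a bare blank line.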

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch3 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch3 Tue Sep 25 
06:14:19 2007
@@ -2,3 +2,4 @@
 + bugfix/fixup-trace_irq-breakage.patch
 + bugfix/prevent-stack-growth-into-hugetlb-region.patch
 + bugfix/cifs-honor-umask.patch
++ bugfix/amd64-zero-extend-32bit-ptrace.patch
