Author: dannf
Date: Mon Nov 12 23:30:31 2007
New Revision: 9718

Log:
* 249_openpromfs-signedness-bug.diff
  250_openpromfs-checks-1.diff
  251_openpromfs-checks-2.diff
  252_openpromfs-checks-3.diff
  [SECURITY] Fix a number of data checks in openprom code
  See CVE-2004-2731

Added:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/249_openpromfs-signedness-bug.diff
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/250_openpromfs-checks-1.diff
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/251_openpromfs-checks-2.diff
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/252_openpromfs-checks-3.diff
Modified:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Mon Nov 12 23:30:31 2007
@@ -35,8 +35,14 @@
     [SECURITY] Fix a bug in the random driver reseeding code that reduces
     entropy by reseeding a smaller buffer size than expected
     See CVE-2007-4311
-  
- -- dann frazier <[EMAIL PROTECTED]>  Wed, 07 Nov 2007 23:13:28 -0700
+  * 249_openpromfs-signedness-bug.diff
+    250_openpromfs-checks-1.diff
+    251_openpromfs-checks-2.diff
+    252_openpromfs-checks-3.diff
+    [SECURITY] Fix a number of data checks in openprom code
+    See CVE-2004-2731
+
+ -- dann frazier <[EMAIL PROTECTED]>  Mon, 12 Nov 2007 16:29:16 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/249_openpromfs-signedness-bug.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/249_openpromfs-signedness-bug.diff
        Mon Nov 12 23:30:31 2007
@@ -0,0 +1,37 @@
+From: dann frazier <[EMAIL PROTECTED]>
+Date: Tue, 6 Nov 2007 22:36:46 +0000 (-0700)
+Subject: [PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=996bad4803a2ebfebe7b27a431fbcae591f7d199
+
+[PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver
+
+CVE-2004-2731 describes two issues in the openprom driver.
+The first issue, an integer overflow in copyin_string(), appears to be
+fixed in 2.4. The second issue, an overflow in copyin(), is still present.
+
+A description of both issues is here:
+  http://www.securityfocus.com/archive/1/367575
+
+The user-provided 'bufsize' is checked for being too large, but is not checked
+for being negative. This patch avoids this situation by making bufsize
+unsigned.
+
+This change has been in 2.6 for a number of years now:
+  
http://linux.bkbits.net:8080/linux-2.6/?PAGE=patch&REV=3d686423le0SEotURGfYEbgMpPGKqw
+
+Signed-off-by: dann frazier <[EMAIL PROTECTED]>
+---
+
+diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c
+index 7f74f9f..33e4ec7 100644
+--- a/drivers/sbus/char/openprom.c
++++ b/drivers/sbus/char/openprom.c
+@@ -68,7 +68,7 @@ static int options_node = 0;
+  */
+ static int copyin(struct openpromio *info, struct openpromio **opp_p)
+ {
+-      int bufsize;
++      unsigned int bufsize;
+ 
+       if (!info || !opp_p)
+               return -EFAULT;
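Review bot: The new declaration `unsigned int bufsize;` in copyin() has no comment saying why the type matters, so a later cleanup could change it back to `int` and reopen the negative-size case the patch description refers to. I would add `/* unsigned: a negative user-supplied size must fail the upper-bound check (CVE-2004-2731) */` directly above it. The bound check itself lies outside this hunk, so confirm that it compares bufsize against its limit without a cast back to a signed type, and that a size of zero is rejected or handled before the allocation.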

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/250_openpromfs-checks-1.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/250_openpromfs-checks-1.diff
      Mon Nov 12 23:30:31 2007
@@ -0,0 +1,240 @@
+From: dann frazier <[EMAIL PROTECTED]>
+Date: Tue, 6 Nov 2007 22:37:30 +0000 (-0700)
+Subject: [PATCH 2/4] [OpenPROM]: Fix user-access checking bugs in openpromfs
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=a545dd4118eba7242bb390a76b2a1bb3dce0430e
+
+[PATCH 2/4] [OpenPROM]: Fix user-access checking bugs in openpromfs
+
+This patch backports a number of user-access checking fixes, originally
+submitted to 2.5 by Dave Miller:
+  
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=3d686423le0SEotURGfYEbgMpPGKqw
+
+Signed-off-by: dann frazier <[EMAIL PROTECTED]>
+---
+
+diff --git a/fs/openpromfs/inode.c b/fs/openpromfs/inode.c
+index 8822345..8aca488 100644
+--- a/fs/openpromfs/inode.c
++++ b/fs/openpromfs/inode.c
+@@ -79,7 +79,8 @@ static ssize_t nodenum_read(struct file *file, char *buf,
+               return 0;
+       if (count > 9 - pos)
+               count = 9 - pos;
+-      copy_to_user(buf, buffer + pos, count);
++      if (copy_to_user(buf, buffer + pos, count))
++              return -EFAULT;
+       *ppos = pos + count;
+       return count;
+ }
+@@ -187,7 +188,8 @@ static ssize_t property_read(struct file *filp, char *buf,
+       if (count > i - k) count = i - k;
+       if (op->flag & OPP_STRING) {
+               if (!k) {
+-                      __put_user('\'', buf);
++                      if (put_user('\'', buf))
++                              return -EFAULT;
+                       k++;
+                       count--;
+               }
+@@ -198,17 +200,21 @@ static ssize_t property_read(struct file *filp, char 
*buf,
+                       j = count;
+ 
+               if (j >= 0) {
+-                      copy_to_user(buf + k - pos,
+-                                   op->value + k - 1, j);
++                      if (copy_to_user(buf + k - pos,
++                                       op->value + k - 1, j))
++                              return -EFAULT;
+                       count -= j;
+                       k += j;
+               }
+ 
+-              if (count)
+-                      __put_user('\'', &buf [k++ - pos]);
+-              if (count > 1)
+-                      __put_user('\n', &buf [k++ - pos]);
+-
++              if (count) {
++                      if (put_user('\'', &buf [k++ - pos]))
++                              return -EFAULT;
++              }
++              if (count > 1) {
++                      if (put_user('\n', &buf [k++ - pos]))
++                              return -EFAULT;
++              }
+       } else if (op->flag & OPP_STRINGLIST) {
+               char *tmp;
+ 
+@@ -228,7 +234,8 @@ static ssize_t property_read(struct file *filp, char *buf,
+               }
+               strcpy(s, "'\n");
+ 
+-              copy_to_user(buf, tmp + k, count);
++              if (copy_to_user(buf, tmp + k, count))
++                      return -EFAULT;
+ 
+               kfree(tmp);
+               k += count;
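Review bot: The added `return -EFAULT;` in the OPP_STRINGLIST branch of property_read() exits before the `kfree(tmp);` two lines further down, so each failed copy_to_user() leaks the temporary buffer. The destination pointer comes from the caller, so the failure path is reachable by any process that can read the property file with a bad buffer. Free before returning: `if (copy_to_user(buf, tmp + k, count)) { kfree(tmp); return -EFAULT; }`. The allocation of tmp is outside the hunk, so this assumes tmp is heap memory owned by this branch, which the kfree() call suggests.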
+@@ -246,27 +253,34 @@ static ssize_t property_read(struct file *filp, char 
*buf,
+ 
+               if (first == last) {
+                       sprintf (buffer, "%08x.", *first);
+-                      copy_to_user (buf, buffer + first_off, last_cnt - 
first_off);
++                      if (copy_to_user(buf, buffer + first_off,
++                                       last_cnt - first_off))
++                              return -EFAULT;
+                       buf += last_cnt - first_off;
+               } else {                
+                       for (q = first; q <= last; q++) {
+                               sprintf (buffer, "%08x.", *q);
+                               if (q == first) {
+-                                      copy_to_user (buf, buffer + first_off,
+-                                                    9 - first_off);
++                                      if (copy_to_user(buf, buffer + 
first_off,
++                                                       9 - first_off))
++                                              return -EFAULT;
+                                       buf += 9 - first_off;
+                               } else if (q == last) {
+-                                      copy_to_user (buf, buffer, last_cnt);
++                                      if (copy_to_user(buf, buffer, last_cnt))
++                                              return -EFAULT;
+                                       buf += last_cnt;
+                               } else {
+-                                      copy_to_user (buf, buffer, 9);
++                                      if (copy_to_user(buf, buffer, 9))
++                                              return -EFAULT;
+                                       buf += 9;
+                               }
+                       }
+               }
+ 
+-              if (last == (u32 *)(op->value + op->len - 4) && last_cnt == 9)
+-                      __put_user('\n', (buf - 1));
++              if (last == (u32 *)(op->value + op->len - 4) && last_cnt == 9) {
++                      if (put_user('\n', (buf - 1)))
++                              return -EFAULT;
++              }
+ 
+               k += count;
+ 
+@@ -275,24 +289,29 @@ static ssize_t property_read(struct file *filp, char 
*buf,
+ 
+               if ((k < i - 1) && (k & 1)) {
+                       sprintf (buffer, "%02x", *(op->value + (k >> 1)));
+-                      __put_user(buffer[1], &buf[k++ - pos]);
++                      if (put_user(buffer[1], &buf[k++ - pos]))
++                              return -EFAULT;
+                       count--;
+               }
+ 
+               for (; (count > 1) && (k < i - 1); k += 2) {
+                       sprintf (buffer, "%02x", *(op->value + (k >> 1)));
+-                      copy_to_user (buf + k - pos, buffer, 2);
++                      if (copy_to_user (buf + k - pos, buffer, 2))
++                              return -EFAULT;
+                       count -= 2;
+               }
+ 
+               if (count && (k < i - 1)) {
+                       sprintf (buffer, "%02x", *(op->value + (k >> 1)));
+-                      __put_user(buffer[0], &buf[k++ - pos]);
++                      if (put_user(buffer[0], &buf[k++ - pos]))
++                              return -EFAULT;
+                       count--;
+               }
+ 
+-              if (count)
+-                      __put_user('\n', &buf [k++ - pos]);
++              if (count) {
++                      if (put_user('\n', &buf [k++ - pos]))
++                              return -EFAULT;
++              }
+       }
+       count = k - pos;
+       *ppos = k;
+@@ -330,7 +349,8 @@ static ssize_t property_write(struct file *filp, const 
char *buf,
+                       if (j == 9) j = 0;
+                       if (!j) {
+                               char ctmp;
+-                              __get_user(ctmp, &buf[i]);
++                              if (get_user(ctmp, &buf[i]))
++                                      return -EFAULT;
+                               if (ctmp != '.') {
+                                       if (ctmp != '\n') {
+                                               if (op->flag & OPP_BINARY)
+@@ -345,7 +365,8 @@ static ssize_t property_write(struct file *filp, const 
char *buf,
+                               }
+                       } else {
+                               char ctmp;
+-                              __get_user(ctmp, &buf[i]);
++                              if (get_user(ctmp, &buf[i]))
++                                      return -EFAULT;
+                               if (ctmp < '0' || 
+                                   (ctmp > '9' && ctmp < 'A') ||
+                                   (ctmp > 'F' && ctmp < 'a') ||
+@@ -383,8 +404,10 @@ static ssize_t property_write(struct file *filp, const 
char *buf,
+               last_cnt = (k + count) % 9;
+               if (first + 1 == last) {
+                       memset (tmp, '0', 8);
+-                      copy_from_user (tmp + first_off, buf,
+-                                      (count + first_off > 8) ? 8 - first_off 
: count);
++                      if (copy_from_user(tmp + first_off, buf,
++                                         (count + first_off > 8) ?
++                                         8 - first_off : count))
++                              return -EFAULT;
+                       mask = 0xffffffff;
+                       mask2 = 0xffffffff;
+                       for (j = 0; j < first_off; j++)
+@@ -403,8 +426,10 @@ static ssize_t property_write(struct file *filp, const 
char *buf,
+                               if (q == first) {
+                                       if (first_off < 8) {
+                                               memset (tmp, '0', 8);
+-                                              copy_from_user (tmp + 
first_off, buf,
+-                                                              8 - first_off);
++                                              if (copy_from_user(tmp + 
first_off,
++                                                                 buf,
++                                                                 8 - 
first_off))
++                                                      return -EFAULT;
+                                               mask = 0xffffffff;
+                                               for (j = 0; j < first_off; j++)
+                                                       mask >>= 1;
+@@ -415,7 +440,8 @@ static ssize_t property_write(struct file *filp, const 
char *buf,
+                               } else if ((q == last - 1) && last_cnt
+                                          && (last_cnt < 8)) {
+                                       memset (tmp, '0', 8);
+-                                      copy_from_user (tmp, buf, last_cnt);
++                                      if (copy_from_user(tmp, buf, last_cnt))
++                                              return -EFAULT;
+                                       mask = 0xffffffff;
+                                       for (j = 0; j < 8 - last_cnt; j++)
+                                               mask <<= 1;
+@@ -425,7 +451,8 @@ static ssize_t property_write(struct file *filp, const 
char *buf,
+                               } else {
+                                       char tchars[17]; /* XXX yuck... */
+ 
+-                                      copy_from_user(tchars, buf, 16);
++                                      if (copy_from_user(tchars, buf, 16))
++                                              return -EFAULT;
+                                       *q = simple_strtoul (tchars, 0, 16);
+                                       buf += 9;
+                               }
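Review bot: `copy_from_user(tchars, buf, 16)` fetches 16 bytes although the following `buf += 9` shows only nine belong to this word, and with the result now checked, a write whose buffer ends less than 16 bytes past this position may fail with -EFAULT where it used to go through. In the visible lines tchars[16] is never set, and the separator at index 8 was validated in an earlier, separate read of user memory, so simple_strtoul() has no guaranteed stop inside the array. Copying only the digits and terminating explicitly covers both: `if (copy_from_user(tchars, buf, 8)) return -EFAULT;` followed by `tchars[8] = '\0';`. The enclosing loop in property_write() starts and ends outside the hunk, so check that earlier words already stored through `*q` are acceptable when a later copy fails.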
+@@ -449,7 +476,8 @@ write_try_string:
+                        */
+                       if (k > 0)
+                               return -EINVAL;
+-                      __get_user(ctmp, buf);
++                      if (get_user(ctmp, buf))
++                              return -EFAULT;
+                       if (ctmp == '\'') {
+                               op->flag |= OPP_QUOTED;
+                               buf++;
+@@ -482,7 +510,8 @@ write_try_string:
+                       kfree (b);
+               }
+               p = op->value + pos - ((op->flag & OPP_QUOTED) ? 1 : 0);
+-              copy_from_user (p, buf, count);
++              if (copy_from_user (p, buf, count))
++                      return -EFAULT;
+               op->flag |= OPP_DIRTY;
+               for (i = 0; i < count; i++, p++)
+                       if (*p == '\n') {

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/251_openpromfs-checks-2.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/251_openpromfs-checks-2.diff
      Mon Nov 12 23:30:31 2007
@@ -0,0 +1,51 @@
+From: dann frazier <[EMAIL PROTECTED]>
+Date: Tue, 6 Nov 2007 22:37:56 +0000 (-0700)
+Subject: [PATCH 3/4] [OpenPROM] Prevent overflow of sprintf buffer
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=6ab2cfa4f0a04c11932af701b5437879dd14d8bb
+
+[PATCH 3/4] [OpenPROM] Prevent overflow of sprintf buffer
+
+This patch fixes a few potential overflows, originally submitted to 2.5 by
+Dave Miller:
+ 
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=3d69d753xoJv6rAeuQzdAcJK6Njncg
+ 
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=3d6aabcc3jBCcQB6wlZ7s3G9WGPYsg
+
+Signed-off-by: dann frazier <[EMAIL PROTECTED]>
+---
+
+diff --git a/fs/openpromfs/inode.c b/fs/openpromfs/inode.c
+index 8aca488..5d2712f 100644
+--- a/fs/openpromfs/inode.c
++++ b/fs/openpromfs/inode.c
+@@ -285,24 +285,27 @@ static ssize_t property_read(struct file *filp, char 
*buf,
+               k += count;
+ 
+       } else if (op->flag & OPP_HEXSTRING) {
+-              char buffer[2];
++              char buffer[3];
+ 
+               if ((k < i - 1) && (k & 1)) {
+-                      sprintf (buffer, "%02x", *(op->value + (k >> 1)));
++                      sprintf (buffer, "%02x",
++                               (unsigned char) *(op->value + (k >> 1)) & 
0xff);
+                       if (put_user(buffer[1], &buf[k++ - pos]))
+                               return -EFAULT;
+                       count--;
+               }
+ 
+               for (; (count > 1) && (k < i - 1); k += 2) {
+-                      sprintf (buffer, "%02x", *(op->value + (k >> 1)));
++                      sprintf (buffer, "%02x",
++                               (unsigned char) *(op->value + (k >> 1)) & 
0xff);
+                       if (copy_to_user (buf + k - pos, buffer, 2))
+                               return -EFAULT;
+                       count -= 2;
+               }
+ 
+               if (count && (k < i - 1)) {
+-                      sprintf (buffer, "%02x", *(op->value + (k >> 1)));
++                      sprintf (buffer, "%02x",
++                               (unsigned char) *(op->value + (k >> 1)) & 
0xff);
+                       if (put_user(buffer[0], &buf[k++ - pos]))
+                               return -EFAULT;
+                       count--;
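Review bot: The three `sprintf (buffer, "%02x", ...)` calls in the OPP_HEXSTRING branch fit the new `char buffer[3]` only because the argument is narrowed to one byte; nothing ties the write to the buffer size. If snprintf() is available in this tree, `snprintf(buffer, sizeof(buffer), "%02x", (unsigned char) *(op->value + (k >> 1)));` keeps the bound next to the write. The `& 0xff` after the `(unsigned char)` cast is redundant, because the cast is applied first, so one of the two can be dropped. The branch continues past the end of the hunk.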

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/252_openpromfs-checks-3.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/252_openpromfs-checks-3.diff
      Mon Nov 12 23:30:31 2007
@@ -0,0 +1,37 @@
+From: dann frazier <[EMAIL PROTECTED]>
+Date: Tue, 6 Nov 2007 22:38:31 +0000 (-0700)
+Subject: [PATCH 4/4] [OpenPROM] Prevent unsigned roll-overs in
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=090a4d5713b462e039e2896ac8092769c42ea742
+
+[PATCH 4/4] [OpenPROM] Prevent unsigned roll-overs in
+property_read/property_write
+
+These overflow fixes were originally submitted to 2.5 by Dave Miller:
+  
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=3d69d83b4f8vl6uetYp1vi77lhBJOQ
+  
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=3d6aabcc3jBCcQB6wlZ7s3G9WGPYsg
+
+Signed-off-by: dann frazier <[EMAIL PROTECTED]>
+---
+
+diff --git a/fs/openpromfs/inode.c b/fs/openpromfs/inode.c
+index 5d2712f..1963e66 100644
+--- a/fs/openpromfs/inode.c
++++ b/fs/openpromfs/inode.c
+@@ -97,7 +97,7 @@ static ssize_t property_read(struct file *filp, char *buf,
+       openprom_property *op;
+       char buffer[64];
+       
+-      if (pos < 0 || pos >= 0xffffff)
++      if (pos < 0 || pos >= 0xffffff || count >= 0xffffff)
+               return -EINVAL;
+       if (!filp->private_data) {
+               node = nodes[(u16)((long)inode->u.generic_ip)].node;
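Review bot: The limit `0xffffff` now appears three times in this condition and again in the property_write() hunk below, with no comment saying what the bound protects. A named constant with a one-line comment would make the intent reviewable, for example `#define OPENPROMFS_MAX_IO 0xffffff /* keeps pos + count inside the range of the int offsets used below */` (the name is only a suggestion, and the comment wording is an assumption because the offset arithmetic is outside both hunks). A read() or write() with a count of 0xffffff or more now fails with -EINVAL instead of being shortened, so confirm that callers using large buffers are not expected.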
+@@ -331,7 +331,7 @@ static ssize_t property_write(struct file *filp, const 
char *buf,
+       void *b;
+       openprom_property *op;
+       
+-      if (pos < 0 || pos >= 0xffffff)
++      if (pos < 0 || pos >= 0xffffff || count >= 0xffffff)
+               return -EINVAL;
+       if (!filp->private_data) {
+               i = property_read (filp, NULL, 0, 0);

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    Mon Nov 12 23:30:31 2007
@@ -8,3 +8,7 @@
 + 246_dn_fib-out-of-bounds.diff
 + 247_reset-pdeathsig-on-suid.diff
 + 248_random-reseed-sizeof-fix.diff
++ 249_openpromfs-signedness-bug.diff
++ 250_openpromfs-checks-1.diff
++ 251_openpromfs-checks-2.diff
++ 252_openpromfs-checks-3.diff
