Author: qboosh                       Date: Mon Aug 28 14:15:02 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- updated from 2.4.33.2

---- Files affected:
SOURCES:
   linux-2.4-update.patch (1.1 -> 1.2) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.4-update.patch
diff -u SOURCES/linux-2.4-update.patch:1.1 SOURCES/linux-2.4-update.patch:1.2
--- SOURCES/linux-2.4-update.patch:1.1  Mon Aug 21 11:56:18 2006
+++ SOURCES/linux-2.4-update.patch      Mon Aug 28 16:14:57 2006
@@ -1,4 +1,16 @@
 
+Summary of changes from v2.4.33.1 to v2.4.33.2
+============================================
+
+Ernie Petrides:
+      binfmt_elf.c : fix checks for bad address
+
+Willy Tarreau:
+      Revert "export memchr() which is used by smbfs and lp driver."
+      [SPARC] export memchr() which is used by smbfs and lp driver.
+      [SCTP] Local privilege elevation - CVE-2006-3745
+      Change VERSION to 2.4.33.2
+
 Summary of changes from v2.4.33 to v2.4.33.1
 ============================================
 
@@ -16,7 +28,7 @@
       Change VERSION to 2.4.33.1
 
 #diff --git a/Makefile b/Makefile
-#index fd6884d..6ef832b 100644
+#index 34125f6..340a66a 100644
 #--- a/Makefile
 #+++ b/Makefile
 #@@ -1,7 +1,7 @@
@@ -24,7 +36,7 @@
 # PATCHLEVEL = 4
 # SUBLEVEL = 33
 #-EXTRAVERSION =
-#+EXTRAVERSION = .1
+#+EXTRAVERSION = .2
 # 
 # KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
 # 
@@ -41,6 +53,30 @@
        mtspr   SPRN_HID0,r0
        mfspr   r0,SPRN_HID0
        mfspr   r0,SPRN_HID0
+#diff --git a/arch/sparc/kernel/sparc_ksyms.c b/arch/sparc/kernel/sparc_ksyms.c
+#index 1c08204..f5058fe 100644
+#--- a/arch/sparc/kernel/sparc_ksyms.c
+#+++ b/arch/sparc/kernel/sparc_ksyms.c
+#@@ -297,6 +297,7 @@ EXPORT_SYMBOL_NOVERS(memcmp);
+# EXPORT_SYMBOL_NOVERS(memcpy);
+# EXPORT_SYMBOL_NOVERS(memset);
+# EXPORT_SYMBOL_NOVERS(memmove);
+#+EXPORT_SYMBOL_NOVERS(memchr);
+# EXPORT_SYMBOL_NOVERS(__ashrdi3);
+# EXPORT_SYMBOL_NOVERS(__ashldi3);
+# EXPORT_SYMBOL_NOVERS(__lshrdi3);
+#diff --git a/arch/sparc64/kernel/sparc64_ksyms.c 
b/arch/sparc64/kernel/sparc64_ksyms.c
+#index 0f1f31f..40accab 100644
+#--- a/arch/sparc64/kernel/sparc64_ksyms.c
+#+++ b/arch/sparc64/kernel/sparc64_ksyms.c
+#@@ -359,6 +359,7 @@ EXPORT_SYMBOL_NOVERS(__ret_efault);
+# /* No version information on these, as gcc produces such symbols. */
+# EXPORT_SYMBOL_NOVERS(memcmp);
+# EXPORT_SYMBOL_NOVERS(memcpy);
+#+EXPORT_SYMBOL_NOVERS(memchr);
+# EXPORT_SYMBOL_NOVERS(memset);
+# EXPORT_SYMBOL_NOVERS(memmove);
+# 
 diff --git a/drivers/mtd/devices/blkmtd.c b/drivers/mtd/devices/blkmtd.c
 index f4280a1..9399d4e 100644
 --- a/drivers/mtd/devices/blkmtd.c
@@ -66,6 +102,67 @@
      vma->vm_private_data = sfp;
      vma->vm_ops = &sg_mmap_vm_ops;
      return 0;
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index b0ad905..32c8ec6 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -77,7 +77,7 @@ static struct linux_binfmt elf_format = 
+       NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, 
ELF_EXEC_PAGESIZE
+ };
+ 
+-#define BAD_ADDR(x)   ((unsigned long)(x) > TASK_SIZE)
++#define BAD_ADDR(x)   ((unsigned long)(x) >= TASK_SIZE)
+ 
+ static int set_brk(unsigned long start, unsigned long end)
+ {
+@@ -345,7 +345,7 @@ static unsigned long load_elf_interp(str
+            * <= p_memsize so it is only necessary to check p_memsz.
+            */
+           k = load_addr + eppnt->p_vaddr;
+-          if (k > TASK_SIZE || eppnt->p_filesz > eppnt->p_memsz ||
++          if (BAD_ADDR(k) || eppnt->p_filesz > eppnt->p_memsz ||
+               eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
+               error = -ENOMEM;
+               goto out_close;
+@@ -772,7 +772,7 @@ #endif
+                * allowed task size. Note that p_filesz must always be
+                * <= p_memsz so it is only necessary to check p_memsz.
+                */
+-              if (k > TASK_SIZE || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
++              if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
+                   elf_ppnt->p_memsz > TASK_SIZE ||
+                   TASK_SIZE - elf_ppnt->p_memsz < k) {
+                       /* set_brk can never work.  Avoid overflows.  */
+@@ -822,10 +822,13 @@ #endif
+                                                   interpreter,
+                                                   &interp_load_addr);
+               if (BAD_ADDR(elf_entry)) {
+-                      printk(KERN_ERR "Unable to load interpreter %.128s\n",
+-                              elf_interpreter);
++                      // FIXME - ratelimit this before re-enabling
++                      // printk(KERN_ERR "Unable to load interpreter 
%.128s\n",
++                      //        elf_interpreter);
++
+                       force_sig(SIGSEGV, current);
+-                      retval = IS_ERR((void *)elf_entry) ? PTR_ERR((void 
*)elf_entry) : -ENOEXEC;
++                      retval = IS_ERR((void *)elf_entry) ?
++                                      (int)elf_entry : -EINVAL;
+                       goto out_free_dentry;
+               }
+               reloc_func_desc = interp_load_addr;
+@@ -833,6 +836,12 @@ #endif
+               allow_write_access(interpreter);
+               fput(interpreter);
+               kfree(elf_interpreter);
++      } else {
++              if (BAD_ADDR(elf_entry)) {
++                      force_sig(SIGSEGV, current);
++                      retval = -EINVAL;
++                      goto out_free_dentry;
++              }
+       }
+ 
+       kfree(elf_phdata);
 diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
 index 48ab5af..30e03c2 100644
 --- a/fs/nfs/dir.c
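Review bot: The block starting at `// FIXME - ratelimit this before re-enabling` leaves the old printk behind as commented-out code, in C99 `//` style in a file that otherwise uses `/* */`; either delete the three commented lines and keep only a `/* FIXME: re-add the "Unable to load interpreter" message under a rate limit */` note, or keep the message and rate-limit it. The new `retval = IS_ERR((void *)elf_entry) ? (int)elf_entry : -EINVAL;` relies on IS_ERR() having established that the value is a small negated errno before it is truncated to int, which deserves a one-line comment such as `/* IS_ERR() => elf_entry holds -errno, so the int cast is lossless */`. The new `else` branch that applies `BAD_ADDR(elf_entry)` to the no-interpreter case is consistent with the tightened `>=` in the macro. load_elf_binary and load_elf_interp both start and end outside this hunk.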
@@ -82,18 +179,44 @@
                goto out;
        if (inode)
                inode->i_nlink--;
-#diff --git a/kernel/ksyms.c b/kernel/ksyms.c
-#index d1e66c7..73ad3e9 100644
-#--- a/kernel/ksyms.c
-#+++ b/kernel/ksyms.c
-#@@ -579,6 +579,7 @@ EXPORT_SYMBOL(get_write_access);
-# EXPORT_SYMBOL(strnicmp);
-# EXPORT_SYMBOL(strspn);
-# EXPORT_SYMBOL(strsep);
-#+EXPORT_SYMBOL(memchr);
-# 
-# #ifdef CONFIG_CRC32
-# EXPORT_SYMBOL(crc32_le);
+diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
+index 0e01fef..28d25a3 100644
+--- a/include/net/sctp/sctp.h
++++ b/include/net/sctp/sctp.h
+@@ -410,19 +410,6 @@ static inline int sctp_list_single_entry
+       return ((head->next != head) && (head->next == head->prev));
+ }
+ 
+-/* Calculate the size (in bytes) occupied by the data of an iovec.  */
+-static inline size_t get_user_iov_size(struct iovec *iov, int iovlen)
+-{
+-      size_t retval = 0;
+-
+-      for (; iovlen > 0; --iovlen) {
+-              retval += iov->iov_len;
+-              iov++;
+-      }
+-
+-      return retval;
+-}
+-
+ /* Generate a random jitter in the range of -50% ~ +50% of input RTO. */
+ static inline __s32 sctp_jitter(__u32 rto)
+ {
+diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
+index 5576db5..9052ddd 100644
+--- a/include/net/sctp/sm.h
++++ b/include/net/sctp/sm.h
+@@ -221,8 +221,7 @@ struct sctp_chunk *sctp_make_abort_no_da
+                                     const struct sctp_chunk *,
+                                     __u32 tsn);
+ struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *,
+-                                 const struct sctp_chunk *,
+-                                 const struct msghdr *);
++                                      const struct msghdr *, size_t msg_len);
+ struct sctp_chunk *sctp_make_abort_violation(const struct sctp_association *,
+                                  const struct sctp_chunk *,
+                                  const __u8 *,
 diff --git a/net/core/pktgen.c b/net/core/pktgen.c
 index 1465093..75cce3f 100644
 --- a/net/core/pktgen.c
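Review bot: The new `sctp_make_abort_user` prototype in include/net/sctp/sm.h names its last parameter `msg_len`, while the definition added later in this diff (net/sctp/sm_make_chunk.c) names it `paylen`; using one name in both, e.g. `const struct msghdr *, size_t paylen);`, keeps the header self-documenting. Because the new signature keeps the arity of the old one, a caller still written as `sctp_make_abort_user(asoc, NULL, msg)` would compile with only a pointer-to-integer warning instead of failing, so it is worth confirming that no callers beyond the two updated in net/sctp/sm_statefuns.c remain.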
@@ -107,3 +230,126 @@
  
        if (info->nfrags <= 0) {
                  pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index 556dee6..08fe461 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -798,38 +798,26 @@ no_mem:
+ 
+ /* Helper to create ABORT with a SCTP_ERROR_USER_ABORT error.  */
+ struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *asoc,
+-                                 const struct sctp_chunk *chunk,
+-                                 const struct msghdr *msg)
++                                      const struct msghdr *msg,
++                                      size_t paylen)
+ {
+       struct sctp_chunk *retval;
+-      void *payload = NULL, *payoff;
+-      size_t paylen = 0;
+-      struct iovec *iov = NULL;
+-      int iovlen = 0;
+-
+-      if (msg) {
+-              iov = msg->msg_iov;
+-              iovlen = msg->msg_iovlen;
+-              paylen = get_user_iov_size(iov, iovlen);
+-      }
++      void *payload = NULL;
++      int err;
+ 
+-      retval = sctp_make_abort(asoc, chunk, sizeof(sctp_errhdr_t) + paylen);
++      retval = sctp_make_abort(asoc, NULL, sizeof(sctp_errhdr_t) + paylen);
+       if (!retval)
+               goto err_chunk;
+ 
+       if (paylen) {
+               /* Put the msg_iov together into payload.  */
+-              payload = kmalloc(paylen, GFP_ATOMIC);
++              payload = kmalloc(paylen, GFP_KERNEL);
+               if (!payload)
+                       goto err_payload;
+-              payoff = payload;
+ 
+-              for (; iovlen > 0; --iovlen) {
+-                      if (copy_from_user(payoff, iov->iov_base,iov->iov_len))
+-                              goto err_copy;
+-                      payoff += iov->iov_len;
+-                      iov++;
+-              }
++              err = memcpy_fromiovec(payload, msg->msg_iov, paylen);
++              if (err < 0)
++                      goto err_copy;
+       }
+ 
+       sctp_init_cause(retval, SCTP_ERROR_USER_ABORT, payload, paylen);
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 542f375..992043f 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3990,18 +3990,12 @@ sctp_disposition_t sctp_sf_do_9_1_prm_ab
+        * from its upper layer, but retransmits data to the far end
+        * if necessary to fill gaps.
+        */
+-      struct msghdr *msg = arg;
+-      struct sctp_chunk *abort;
++      struct sctp_chunk *abort = arg;
+       sctp_disposition_t retval;
+ 
+       retval = SCTP_DISPOSITION_CONSUME;
+ 
+-      /* Generate ABORT chunk to send the peer.  */
+-      abort = sctp_make_abort_user(asoc, NULL, msg);
+-      if (!abort)
+-              retval = SCTP_DISPOSITION_NOMEM;
+-      else
+-              sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
++      sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+ 
+       /* Even if we can't send the ABORT due to low memory delete the
+        * TCB.  This is a departure from our typical NOMEM handling.
+@@ -4123,8 +4117,7 @@ sctp_disposition_t sctp_sf_cookie_wait_p
+       void *arg,
+       sctp_cmd_seq_t *commands)
+ {
+-      struct msghdr *msg = arg;
+-      struct sctp_chunk *abort;
++      struct sctp_chunk *abort = arg;
+       sctp_disposition_t retval;
+ 
+       /* Stop T1-init timer */
+@@ -4132,12 +4125,7 @@ sctp_disposition_t sctp_sf_cookie_wait_p
+                       SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
+       retval = SCTP_DISPOSITION_CONSUME;
+ 
+-      /* Generate ABORT chunk to send the peer */
+-      abort = sctp_make_abort_user(asoc, NULL, msg);
+-      if (!abort)
+-              retval = SCTP_DISPOSITION_NOMEM;
+-      else
+-              sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
++      sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+ 
+       sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+                       SCTP_STATE(SCTP_STATE_CLOSED));
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 277b19f..6620b87 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1199,8 +1199,16 @@ SCTP_STATIC int sctp_sendmsg(struct sock
+                       goto out_unlock;
+               }
+               if (sinfo_flags & MSG_ABORT) {
++                      struct sctp_chunk *chunk;
++
++                      chunk = sctp_make_abort_user(asoc, msg, msg_len);
++                      if (!chunk) {
++                              err = -ENOMEM;
++                              goto out_unlock;
++                      }
++
+                       SCTP_DEBUG_PRINTK("Aborting association: %p\n", asoc);
+-                      sctp_primitive_ABORT(asoc, msg);
++                      sctp_primitive_ABORT(asoc, chunk);
+                       err = 0;
+                       goto out_unlock;
+               }
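Review bot: `sctp_make_abort_user` now reads `msg->msg_iov` whenever `paylen` is non-zero and the former `if (msg)` guard is gone, so the function depends on every caller pairing a non-NULL `msg` with a non-zero length; the one caller in this hunk (`sctp_sendmsg`) does, but a guard such as `if (paylen && !msg) goto err_payload;` or a comment stating that contract would make it explicit. `paylen` is the caller's user-supplied `msg_len` and no upper bound on it is visible in the hunk; if `sctp_sendmsg` does not already reject oversized messages before the MSG_ABORT branch, the length should be capped before it reaches `kmalloc` and the chunk length computed by `sctp_make_abort`. The retained comment `/* Even if we can't send the ABORT due to low memory delete the TCB. This is a departure from our typical NOMEM handling. */` in `sctp_sf_do_9_1_prm_abort` describes the NOMEM path this hunk removes and should be reworded to say the ABORT chunk is now allocated by the caller. `sctp_make_abort_user`, both state functions and `sctp_sendmsg` continue outside the hunk.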
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/linux-2.4-update.patch?r1=1.1&r2=1.2&f=u
