Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-0.7.git;a=commitdiff;h=bb2b56b726bbde57c1c14e80af254cedc17f820b
commit bb2b56b726bbde57c1c14e80af254cedc17f820b
Author: Miklos Vajna <[EMAIL PROTECTED]>
Date: Tue Oct 30 21:58:15 2007 +0100

kernel-2.6.22-7sayshell1-i686 added fixes for CVE-2007-3731 closes #2455

diff --git a/source/base/kernel/29eb51101c02df517ca64ec472d7501127ad1da8.patch b/source/base/kernel/29eb51101c02df517ca64ec472d7501127ad1da8.patch
new file mode 100644
index 0000000..f670643
--- /dev/null
+++ b/source/base/kernel/29eb51101c02df517ca64ec472d7501127ad1da8.patch
@@ -0,0 +1,86 @@
+From: Roland McGrath <[EMAIL PROTECTED]>
+Date: Mon, 16 Jul 2007 08:03:16 +0000 (-0700)
+Subject: Handle bogus %cs selector in single-step instruction decoding
+X-Git-Tag: v2.6.23-rc1~492
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=29eb51101c02df517ca64ec472d7501127ad1da8
+
+Handle bogus %cs selector in single-step instruction decoding
+
+The code for LDT segment selectors was not robust in the face of a bogus
+selector set in %cs via ptrace before the single-step was done.
+
+Signed-off-by: Roland McGrath <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+diff --git a/arch/i386/kernel/ptrace.c b/arch/i386/kernel/ptrace.c
+index 1c075f5..0c8f00e 100644
+--- a/arch/i386/kernel/ptrace.c
++++ b/arch/i386/kernel/ptrace.c
+@@ -164,14 +164,22 @@ static unsigned long convert_eip_to_linear(struct task_struct *child, struct pt_
+ u32 *desc;
+ unsigned long base;
+
+- down(&child->mm->context.sem);
+- desc = child->mm->context.ldt + (seg & ~7);
+- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++ seg &= ~7UL;
+
+- /* 16-bit code segment? */
+- if (!((desc[1] >> 22) & 1))
+- addr &= 0xffff;
+- addr += base;
++ down(&child->mm->context.sem);
++ if (unlikely((seg >> 3) >= child->mm->context.size))
++ addr = -1L; /* bogus selector, access would fault */
++ else {
++ desc = child->mm->context.ldt + seg;
++ base = ((desc[0] >> 16) |
++ ((desc[1] & 0xff) << 16) |
++ (desc[1] & 0xff000000));
++
++ /* 16-bit code segment? */
++ if (!((desc[1] >> 22) & 1))
++ addr &= 0xffff;
++ addr += base;
++ }
+ up(&child->mm->context.sem);
+ }
+ return addr;
+diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
+index fa6775e..e83cc67 100644
+--- a/arch/x86_64/kernel/ptrace.c
++++ b/arch/x86_64/kernel/ptrace.c
+@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(struct task_struct *child, struct pt_regs *r
+ u32 *desc;
+ unsigned long base;
+
+- down(&child->mm->context.sem);
+- desc = child->mm->context.ldt + (seg & ~7);
+- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++ seg &= ~7UL;
+
+- /* 16-bit code segment? */
+- if (!((desc[1] >> 22) & 1))
+- addr &= 0xffff;
+- addr += base;
++ down(&child->mm->context.sem);
++ if (unlikely((seg >> 3) >= child->mm->context.size))
++ addr = -1L; /* bogus selector, access would fault */
++ else {
++ desc = child->mm->context.ldt + seg;
++ base = ((desc[0] >> 16) |
++ ((desc[1] & 0xff) << 16) |
++ (desc[1] & 0xff000000));
++
++ /* 16-bit code segment? */
++ if (!((desc[1] >> 22) & 1))
++ addr &= 0xffff;
++ addr += base;
++ }
+ up(&child->mm->context.sem);
+ }
++
+ return addr;
+ }
+
diff --git a/source/base/kernel/FrugalBuild b/source/base/kernel/FrugalBuild
index 66bb31e..b092b29 100644
--- a/source/base/kernel/FrugalBuild
+++ b/source/base/kernel/FrugalBuild
@@ -1,8 +1,10 @@
 # Compiling Time: 11.74 SBU
 # Maintainer: VMiklos <[EMAIL PROTECTED]>
-_F_kernel_patches=(aacraid.diff pxa27x.diff CVE-2007-3843.diff)
+_F_kernel_patches=(aacraid.diff pxa27x.diff CVE-2007-3843.diff \
+ 29eb51101c02df517ca64ec472d7501127ad1da8.patch \
+ a10d9a71bafd3a283da240d2868e71346d2aef6f.patch)
 Finclude kernel
 # you can safely bump this. on the first bump you MUST rebuild all the external
 # kernel modules so that they will have >=-styled deps instead of the = ones
-pkgrel=6
+pkgrel=7sayshell1
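Review bot: The added guard `if (unlikely((seg >> 3) >= child->mm->context.size))` only rejects selectors whose index lies past the end of the LDT; an in-range index that names an unused or not-present entry is still decoded from whatever the descriptor words hold, so the `-1L` path covers only the out-of-range case. That is probably acceptable because the result feeds a best-effort opcode read, but `-1L` is an in-band address the caller has to tolerate, and neither contract is written down in the hunk. I would widen the comment to `/* index past the LDT: return an address no access can succeed at; callers must cope with an unreadable result */` and add above the `else` that an in-range but empty slot is decoded as-is. convert_eip_to_linear starts before the hunk, so how `seg` and `addr` are derived from the child's registers is not visible here.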
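Review bot: The two new entries in `_F_kernel_patches` are named only by upstream commit hash, while the neighbouring `CVE-2007-3843.diff` is named by the CVE it fixes, so nothing in the build file records that `29eb51101c02df517ca64ec472d7501127ad1da8.patch` is the CVE-2007-3731 fix or why `a10d9a71bafd3a283da240d2868e71346d2aef6f.patch` (an i386 TRACE_IRQ fix, per its own subject line) is bundled with it. A comment such as `# CVE-2007-3731 (ptrace %cs selector decoding) plus its i386 TRACE_IRQ follow-up` above the array would keep that provenance with the package. Since the same commit also moves `_F_kernelver_stable` from 9 to 10, it is worth confirming that 2.6.22.10 does not already carry either upstream commit; if it does, the patch would most likely fail to apply at build time rather than silently double-apply. The hash-named files cannot be checked here beyond the X-Git-Url headers embedded in them.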
diff --git a/source/base/kernel/a10d9a71bafd3a283da240d2868e71346d2aef6f.patch b/source/base/kernel/a10d9a71bafd3a283da240d2868e71346d2aef6f.patch
new file mode 100644
index 0000000..b033800
--- /dev/null
+++ b/source/base/kernel/a10d9a71bafd3a283da240d2868e71346d2aef6f.patch
@@ -0,0 +1,64 @@
+From: Peter Zijlstra <[EMAIL PROTECTED]>
+Date: Wed, 18 Jul 2007 18:59:22 +0000 (+0200)
+Subject: i386: fixup TRACE_IRQ breakage
+X-Git-Tag: v2.6.23-rc1~491
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a10d9a71bafd3a283da240d2868e71346d2aef6f
+
+i386: fixup TRACE_IRQ breakage
+
+The TRACE_IRQS_ON function in iret_exc: calls a C function without
+ensuring that the segments are set properly. Move the trace function and
+the enabling of interrupt into the C stub.
+
+Signed-off-by: Peter Zijlstra <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+diff --git a/arch/i386/kernel/entry.S b/arch/i386/kernel/entry.S
+index 32980b8..a714d6b 100644
+--- a/arch/i386/kernel/entry.S
++++ b/arch/i386/kernel/entry.S
+@@ -409,8 +409,6 @@ restore_nocheck_notrace:
+ 1: INTERRUPT_RETURN
+ .section .fixup,"ax"
+ iret_exc:
+- TRACE_IRQS_ON
+- ENABLE_INTERRUPTS(CLBR_NONE)
+ pushl $0 # no error code
+ pushl $do_iret_error
+ jmp error_code
+diff --git a/arch/i386/kernel/traps.c b/arch/i386/kernel/traps.c
+index 18c1c28..d32fd4b 100644
+--- a/arch/i386/kernel/traps.c
++++ b/arch/i386/kernel/traps.c
+@@ -518,10 +518,12 @@ fastcall void do_##name(struct pt_regs * regs, long error_code) \
+ do_trap(trapnr, signr, str, 0, regs, error_code, NULL); \
+ }
+
+-#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr) \
++#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr, irq) \
+ fastcall void do_##name(struct pt_regs * regs, long error_code) \
+ { \
+ siginfo_t info; \
++ if (irq) \
++ local_irq_enable(); \
+ info.si_signo = signr; \
+ info.si_errno = 0; \
+ info.si_code = sicode; \
+@@ -561,13 +563,13 @@ DO_VM86_ERROR( 3, SIGTRAP, "int3", int3)
+ #endif
+ DO_VM86_ERROR( 4, SIGSEGV, "overflow", overflow)
+ DO_VM86_ERROR( 5, SIGSEGV, "bounds", bounds)
+-DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip)
++DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip, 0)
+ DO_ERROR( 9, SIGFPE, "coprocessor segment overrun", coprocessor_segment_overrun)
+ DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS)
+ DO_ERROR(11, SIGBUS, "segment not present", segment_not_present)
+ DO_ERROR(12, SIGBUS, "stack segment", stack_segment)
+-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0)
+-DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0)
++DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0, 0)
++DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0, 1)
+
+ fastcall void __kprobes do_general_protection(struct pt_regs * regs,
+ long error_code)
diff --git a/source/include/kernel-version.sh b/source/include/kernel-version.sh
index 5c9a183..1a6cb47 100644
--- a/source/include/kernel-version.sh
+++ b/source/include/kernel-version.sh
@@ -18,4 +18,4 @@
 # don't touch these!
 _F_kernelver_ver=2.6.22
 _F_kernelver_rel=6
-_F_kernelver_stable=9
+_F_kernelver_stable=10
_______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git
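Review bot: The new `irq` parameter of `DO_ERROR_INFO` is undocumented, and the reason the one caller that passes 1 (`iret_error`, in the following hunk) needs it — the `iret_exc` fixup in entry.S no longer runs `TRACE_IRQS_ON`/`ENABLE_INTERRUPTS`, per the commit message — appears nowhere near the definition. I would add above the `#define`: `/* irq != 0: enable interrupts here, for traps whose entry stub (iret_exc) no longer enables them itself */`. The bare `if (irq) local_irq_enable();` also reads as a boolean flag but accepts any integer; if that is the intent, the comment should say the argument is 0 or 1. The macro body runs past the end of the hunk, so where `info` is consumed is not visible here.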