summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--trunk/2.6.18/00000_README31
-rw-r--r--trunk/2.6.18/30066_fcntl_setlk-close-race.patch76
-rw-r--r--trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch26
-rw-r--r--trunk/2.6.18/30068_hrtimer-prevent-overrun.patch38
-rw-r--r--trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch29
-rw-r--r--trunk/2.6.18/30070_amd64-cs-corruption.patch12
-rw-r--r--trunk/2.6.18/30071_dccp-feature-length-check.patch15
-rw-r--r--trunk/2.6.18/30072_asn1-ber-decoding-checks.patch103
8 files changed, 330 insertions, 0 deletions
diff --git a/trunk/2.6.18/00000_README b/trunk/2.6.18/00000_README
index 576a93b..7ee89f7 100644
--- a/trunk/2.6.18/00000_README
+++ b/trunk/2.6.18/00000_README
@@ -299,5 +299,36 @@ Patches
[SECURITY] Fix a race in the directory notify
See CVE-2008-1375
+30066_fcntl_setlk-close-race.patch
+ [SECURITY] Fix an SMP race to prevent reordering of flock updates
+ and accesses to the descriptor table on close().
+ See CVE-2008-1669
+
+30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
+ [SECURITY] Fix remotely-triggerable memory leak in the Simple
+ Internet Transition (SIT) code used for IPv6 over IPv4 tunnels
+ See CVE-2008-2136
+
+30068_hrtimer-prevent-overrun.patch
+30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
+ [SECURITY] Fix potential infinite loop in hrtimer_forward on
+ 64-bit systems
+ See CVE-2007-6712
+
+30070_amd64-cs-corruption.patch
+ [SECURITY] Fix local ptrace denial of service for amd64 flavor
+ kernels, bug #480390
+ See CVE-2008-1615
+
+30071_dccp-feature-length-check.patch
+ [SECURITY] Validate feature length to avoid heap overflow
+ See CVE-2008-2358
+
+30072_asn1-ber-decoding-checks.patch
+ [SECURITY] Validate lengths in ASN.1 decoding code to avoid
+ heap overflow
+ See CVE-2008-1673
+
+
50009_gentooify-tls-warning.patch
Change tls warning instructions to apply directly to Gentoo.
diff --git a/trunk/2.6.18/30066_fcntl_setlk-close-race.patch b/trunk/2.6.18/30066_fcntl_setlk-close-race.patch
new file mode 100644
index 0000000..9292f22
--- /dev/null
+++ b/trunk/2.6.18/30066_fcntl_setlk-close-race.patch
@@ -0,0 +1,76 @@
+commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue May 6 13:58:34 2008 -0400
+
+ [PATCH] fix SMP ordering hole in fcntl_setlk()
+
+ fcntl_setlk()/close() race prevention has a subtle hole - we need to
+ make sure that if we *do* have an fcntl/close race on SMP box, the
+ access to descriptor table and inode->i_flock won't get reordered.
+
+ As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
+ STORE descriptor table entry, LOAD inode->i_flock with not a single
+ lock in common on both sides. We do have BKL around the first STORE,
+ but check in locks_remove_posix() is outside of BKL and for a good
+ reason - we don't want BKL on common path of close(2).
+
+ Solution is to hold ->file_lock around fcheck() in there; that orders
+ us wrt removal from descriptor table that preceded locks_remove_posix()
+ on close path and we either come first (in which case eviction will be
+ handled by the close side) or we'll see the effect of close and do
+ eviction ourselves. Note that even though it's read-only access,
+ we do need ->file_lock here - rcu_read_lock() won't be enough to
+ order the things.
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@hp.com>
+
+diff -urpN linux-source-2.6.18.orig/fs/locks.c linux-source-2.6.18/fs/locks.c
+--- linux-source-2.6.18.orig/fs/locks.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/locks.c 2008-05-06 17:02:29.000000000 -0600
+@@ -1680,6 +1680,7 @@ int fcntl_setlk(unsigned int fd, struct
+ struct file_lock *file_lock = locks_alloc_lock();
+ struct flock flock;
+ struct inode *inode;
++ struct file *f;
+ int error;
+
+ if (file_lock == NULL)
+@@ -1754,7 +1755,15 @@ again:
+ * Attempt to detect a close/fcntl race and recover by
+ * releasing the lock that was just acquired.
+ */
+- if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++ /*
++ * we need that spin_lock here - it prevents reordering between
++ * update of inode->i_flock and check for it done in close().
++ * rcu_read_lock() wouldn't do.
++ */
++ spin_lock(&current->files->file_lock);
++ f = fcheck(fd);
++ spin_unlock(&current->files->file_lock);
++ if (!error && f != filp && flock.l_type != F_UNLCK) {
+ flock.l_type = F_UNLCK;
+ goto again;
+ }
+@@ -1823,6 +1832,7 @@ int fcntl_setlk64(unsigned int fd, struc
+ struct file_lock *file_lock = locks_alloc_lock();
+ struct flock64 flock;
+ struct inode *inode;
++ struct file *f;
+ int error;
+
+ if (file_lock == NULL)
+@@ -1897,7 +1907,10 @@ again:
+ * Attempt to detect a close/fcntl race and recover by
+ * releasing the lock that was just acquired.
+ */
+- if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++ spin_lock(&current->files->file_lock);
++ f = fcheck(fd);
++ spin_unlock(&current->files->file_lock);
++ if (!error && f != filp && flock.l_type != F_UNLCK) {
+ flock.l_type = F_UNLCK;
+ goto again;
+ }
diff --git a/trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch b/trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
new file mode 100644
index 0000000..cffb4b1
--- /dev/null
+++ b/trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
@@ -0,0 +1,26 @@
+commit 36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02
+Author: David S. Miller <davem@davemloft.net>
+Date: Thu May 8 23:40:26 2008 -0700
+
+ sit: Add missing kfree_skb() on pskb_may_pull() failure.
+
+ Noticed by Paul Marks <paul@pmarks.net>.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/ipv6/sit.c linux-source-2.6.24/net/ipv6/sit.c
+--- linux-source-2.6.24.orig/net/ipv6/sit.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/ipv6/sit.c 2008-05-21 00:00:08.000000000 -0600
+@@ -395,9 +395,9 @@ static int ipip6_rcv(struct sk_buff *skb
+ }
+
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+- kfree_skb(skb);
+ read_unlock(&ipip6_lock);
+ out:
++ kfree_skb(skb);
+ return 0;
+ }
+
diff --git a/trunk/2.6.18/30068_hrtimer-prevent-overrun.patch b/trunk/2.6.18/30068_hrtimer-prevent-overrun.patch
new file mode 100644
index 0000000..d8c622e
--- /dev/null
+++ b/trunk/2.6.18/30068_hrtimer-prevent-overrun.patch
@@ -0,0 +1,38 @@
+commit 13788ccc41ceea5893f9c747c59bc0b28f2416c2
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 16 13:38:20 2007 -0800
+
+ [PATCH] hrtimer: prevent overrun DoS in hrtimer_forward()
+
+ hrtimer_forward() does not check for the possible overflow of
+ timer->expires. This can happen on 64 bit machines with large interval
+ values and results currently in an endless loop in the softirq because the
+ expiry value becomes negative and therefor the timer is expired all the
+ time.
+
+ Check for this condition and set the expiry value to the max. expiry time
+ in the future. The fix should be applied to stable kernel series as well.
+
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Acked-by: Ingo Molnar <mingo@elte.hu>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
+index ec4cb9f..5e7122d 100644
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -644,6 +644,12 @@ hrtimer_forward(struct hrtimer *timer, ktime_t now, ktime_t interval)
+ orun++;
+ }
+ timer->expires = ktime_add(timer->expires, interval);
++ /*
++ * Make sure, that the result did not wrap with a very large
++ * interval.
++ */
++ if (timer->expires.tv64 < 0)
++ timer->expires = ktime_set(KTIME_SEC_MAX, 0);
+
+ return orun;
+ }
diff --git a/trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch b/trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
new file mode 100644
index 0000000..6bd6bd1
--- /dev/null
+++ b/trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
@@ -0,0 +1,29 @@
+commit 5379058b718ac6354ba99cc74d10c28d632dc28a
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 16 14:15:57 2007 -0800
+
+ [PATCH] fix MTIME_SEC_MAX on 32-bit
+
+ The maximum seconds value we can handle on 32bit is LONG_MAX.
+
+ Cc: Ingo Molnar <mingo@elte.hu>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/include/linux/ktime.h b/include/linux/ktime.h
+index c68c7ac..248305b 100644
+--- a/include/linux/ktime.h
++++ b/include/linux/ktime.h
+@@ -57,7 +57,11 @@ typedef union {
+ } ktime_t;
+
+ #define KTIME_MAX ((s64)~((u64)1 << 63))
+-#define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
++#if (BITS_PER_LONG == 64)
++# define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
++#else
++# define KTIME_SEC_MAX LONG_MAX
++#endif
+
+ /*
+ * ktime_t definitions when using the 64-bit scalar representation:
diff --git a/trunk/2.6.18/30070_amd64-cs-corruption.patch b/trunk/2.6.18/30070_amd64-cs-corruption.patch
new file mode 100644
index 0000000..da24cd3
--- /dev/null
+++ b/trunk/2.6.18/30070_amd64-cs-corruption.patch
@@ -0,0 +1,12 @@
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/entry.S linux-source-2.6.18/arch/x86_64/kernel/entry.S
+--- linux-source-2.6.18.orig/arch/x86_64/kernel/entry.S 2008-04-23 21:53:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/kernel/entry.S 2008-05-08 17:19:58.000000000 -0600
+@@ -776,7 +776,7 @@ paranoid_swapgs\trace:
+ swapgs
+ paranoid_restore\trace:
+ RESTORE_ALL 8
+- iretq
++ jmp iret_label
+ paranoid_userspace\trace:
+ GET_THREAD_INFO(%rcx)
+ movl threadinfo_flags(%rcx),%ebx
diff --git a/trunk/2.6.18/30071_dccp-feature-length-check.patch b/trunk/2.6.18/30071_dccp-feature-length-check.patch
new file mode 100644
index 0000000..9ceb18c
--- /dev/null
+++ b/trunk/2.6.18/30071_dccp-feature-length-check.patch
@@ -0,0 +1,15 @@
+diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c
+--- linux-source-2.6.18.orig/net/dccp/feat.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/dccp/feat.c 2008-06-05 19:57:08.000000000 -0600
+@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc
+
+ dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
+
++ if (len > 3) {
++ if (net_ratelimit())
++ printk("%s: invalid length %d\n", __func__, len);
++ return -EINVAL;
++ }
+ /* XXX sanity check feat change request */
+
+ /* check if that feature is already being negotiated */
diff --git a/trunk/2.6.18/30072_asn1-ber-decoding-checks.patch b/trunk/2.6.18/30072_asn1-ber-decoding-checks.patch
new file mode 100644
index 0000000..2b512fe
--- /dev/null
+++ b/trunk/2.6.18/30072_asn1-ber-decoding-checks.patch
@@ -0,0 +1,103 @@
+From: Chris Wright <chrisw@sous-sol.org>
+Date: Wed, 4 Jun 2008 16:16:33 +0000 (-0700)
+Subject: asn1: additional sanity checking during BER decoding
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ddb2c43594f22843e9f3153da151deaba1a834c5
+
+asn1: additional sanity checking during BER decoding
+
+- Don't trust a length which is greater than the working buffer.
+ An invalid length could cause overflow when calculating buffer size
+ for decoding oid.
+
+- An oid length of zero is invalid and allows for an off-by-one error when
+ decoding oid because the first subid actually encodes first 2 subids.
+
+- A primitive encoding may not have an indefinite length.
+
+Thanks to Wei Wang from McAfee for report.
+
+Cc: Steven French <sfrench@us.ibm.com>
+Cc: stable@kernel.org
+Acked-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/asn1.c linux-source-2.6.18/fs/cifs/asn1.c
+--- linux-source-2.6.18.orig/fs/cifs/asn1.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/asn1.c 2008-06-05 21:52:32.000000000 -0600
+@@ -182,6 +182,11 @@ asn1_length_decode(struct asn1_ctx *ctx,
+ }
+ }
+ }
++
++ /* don't trust len bigger than ctx buffer */
++ if (*len > ctx->end - ctx->pointer)
++ return 0;
++
+ return 1;
+ }
+
+@@ -199,6 +204,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
+ if (!asn1_length_decode(ctx, &def, &len))
+ return 0;
+
++ /* primitive shall be definite, indefinite shall be constructed */
++ if (*con == ASN1_PRI && !def)
++ return 0;
++
+ if (def)
+ *eoc = ctx->pointer + len;
+ else
+@@ -385,6 +394,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
+ unsigned long *optr;
+
+ size = eoc - ctx->pointer + 1;
++
++ /* first subid actually encodes first two subids */
++ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++ return 0;
++
+ *oid = kmalloc(size * sizeof (unsigned long), GFP_ATOMIC);
+ if (*oid == NULL) {
+ return 0;
+diff -urpN linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c
+--- linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c 2008-06-05 21:53:29.000000000 -0600
+@@ -235,6 +235,11 @@ static unsigned char asn1_length_decode(
+ }
+ }
+ }
++
++ /* don't trust len bigger than ctx buffer */
++ if (*len > ctx->end - ctx->pointer)
++ return 0;
++
+ return 1;
+ }
+
+@@ -253,6 +258,10 @@ static unsigned char asn1_header_decode(
+ if (!asn1_length_decode(ctx, &def, &len))
+ return 0;
+
++ /* primitive shall be definite, indefinite shall be constructed */
++ if (*con == ASN1_PRI && !def)
++ return 0;
++
+ if (def)
+ *eoc = ctx->pointer + len;
+ else
+@@ -437,6 +446,11 @@ static unsigned char asn1_oid_decode(str
+ unsigned long *optr;
+
+ size = eoc - ctx->pointer + 1;
++
++ /* first subid actually encodes first two subids */
++ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++ return 0;
++
+ *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
+ if (*oid == NULL) {
+ if (net_ratelimit())