-rw-r--r-- | trunk/2.6.18/00000_README | 31 | ||||
-rw-r--r-- | trunk/2.6.18/30066_fcntl_setlk-close-race.patch | 76 | ||||
-rw-r--r-- | trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch | 26 | ||||
-rw-r--r-- | trunk/2.6.18/30068_hrtimer-prevent-overrun.patch | 38 | ||||
-rw-r--r-- | trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch | 29 | ||||
-rw-r--r-- | trunk/2.6.18/30070_amd64-cs-corruption.patch | 12 | ||||
-rw-r--r-- | trunk/2.6.18/30071_dccp-feature-length-check.patch | 15 | ||||
-rw-r--r-- | trunk/2.6.18/30072_asn1-ber-decoding-checks.patch | 103 |
8 files changed, 330 insertions, 0 deletions
diff --git a/trunk/2.6.18/00000_README b/trunk/2.6.18/00000_README
index 576a93b..7ee89f7 100644
--- a/trunk/2.6.18/00000_README
+++ b/trunk/2.6.18/00000_README
@@ -299,5 +299,36 @@ Patches
 [SECURITY] Fix a race in the directory notify
 See CVE-2008-1375

+30066_fcntl_setlk-close-race.patch
+ [SECURITY] Fix an SMP race to prevent reordering of flock updates
+ and accesses to the descriptor table on close().
+ See CVE-2008-1669
+
+30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
+ [SECURITY] Fix remotely-triggerable memory leak in the Simple
+ Internet Transition (SIT) code used for IPv6 over IPv4 tunnels
+ See CVE-2008-2136
+
+30068_hrtimer-prevent-overrun.patch
+30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
+ [SECURITY] Fix potential infinite loop in hrtimer_forward on
+ 64-bit systems
+ See CVE-2007-6712
+
+30070_amd64-cs-corruption.patch
+ [SECURITY] Fix local ptrace denial of service for amd64 flavor
+ kernels, bug #480390
+ See CVE-2008-1615
+
+30071_dccp-feature-length-check.patch
+ [SECURITY] Validate feature length to avoid heap overflow
+ See CVE-2008-2358
+
+30072_asn1-ber-decoding-checks.patch
+ [SECURITY] Validate lengths in ASN.1 decoding code to avoid
+ heap overflow
+ See CVE-2008-1673
+
+
 50009_gentooify-tls-warning.patch
 Change tls warning instructions to apply directly to Gentoo.
diff --git a/trunk/2.6.18/30066_fcntl_setlk-close-race.patch b/trunk/2.6.18/30066_fcntl_setlk-close-race.patch
new file mode 100644
index 0000000..9292f22
--- /dev/null
+++ b/trunk/2.6.18/30066_fcntl_setlk-close-race.patch
@@ -0,0 +1,76 @@
+commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue May 6 13:58:34 2008 -0400
+
+ [PATCH] fix SMP ordering hole in fcntl_setlk()
+
+ fcntl_setlk()/close() race prevention has a subtle hole - we need to
+ make sure that if we *do* have an fcntl/close race on SMP box, the
+ access to descriptor table and inode->i_flock won't get reordered.
+
+ As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
+ STORE descriptor table entry, LOAD inode->i_flock with not a single
+ lock in common on both sides. We do have BKL around the first STORE,
+ but check in locks_remove_posix() is outside of BKL and for a good
+ reason - we don't want BKL on common path of close(2).
+
+ Solution is to hold ->file_lock around fcheck() in there; that orders
+ us wrt removal from descriptor table that preceded locks_remove_posix()
+ on close path and we either come first (in which case eviction will be
+ handled by the close side) or we'll see the effect of close and do
+ eviction ourselves. Note that even though it's read-only access,
+ we do need ->file_lock here - rcu_read_lock() won't be enough to
+ order the things.
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@hp.com>
+
+diff -urpN linux-source-2.6.18.orig/fs/locks.c linux-source-2.6.18/fs/locks.c
+--- linux-source-2.6.18.orig/fs/locks.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/locks.c 2008-05-06 17:02:29.000000000 -0600
+@@ -1680,6 +1680,7 @@ int fcntl_setlk(unsigned int fd, struct
+ struct file_lock *file_lock = locks_alloc_lock();
+ struct flock flock;
+ struct inode *inode;
++ struct file *f;
+ int error;
+
+ if (file_lock == NULL)
+@@ -1754,7 +1755,15 @@ again:
+ * Attempt to detect a close/fcntl race and recover by
+ * releasing the lock that was just acquired.
+ */
+- if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++ /*
++ * we need that spin_lock here - it prevents reordering between
++ * update of inode->i_flock and check for it done in close().
++ * rcu_read_lock() wouldn't do.
++ */
++ spin_lock(¤t->files->file_lock);
++ f = fcheck(fd);
++ spin_unlock(¤t->files->file_lock);
++ if (!error && f != filp && flock.l_type != F_UNLCK) {
+ flock.l_type = F_UNLCK;
+ goto again;
+ }
+@@ -1823,6 +1832,7 @@ int fcntl_setlk64(unsigned int fd, struc
+ struct file_lock *file_lock = locks_alloc_lock();
+ struct flock64 flock;
+ struct inode *inode;
++ struct file *f;
+ int error;
+
+ if (file_lock == NULL)
+@@ -1897,7 +1907,10 @@ again:
+ * Attempt to detect a close/fcntl race and recover by
+ * releasing the lock that was just acquired.
+ */
+- if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++ spin_lock(¤t->files->file_lock);
++ f = fcheck(fd);
++ spin_unlock(¤t->files->file_lock);
++ if (!error && f != filp && flock.l_type != F_UNLCK) {
+ flock.l_type = F_UNLCK;
+ goto again;
+ }
diff --git a/trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch b/trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
new file mode 100644
index 0000000..cffb4b1
--- /dev/null
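Review bot: The `/* we need that spin_lock here ... rcu_read_lock() wouldn't do. */` rationale comment added before the `spin_lock()` in `fcntl_setlk` is not carried into the parallel change in `fcntl_setlk64`, so the 64-bit path takes and drops `file_lock` around `fcheck()` with nothing explaining why RCU would not be enough; the same four comment lines belong before its `spin_lock()` as well. The `¤t` in the four `spin_lock`/`spin_unlock` lines appears to be an HTML-entity rendering artefact of `&current` on this page rather than text of the patch, but it is worth confirming against the file before applying. Both nested hunks show only the tail of their function; `fcntl_setlk` and `fcntl_setlk64` begin and end outside the visible context.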
+++ b/trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
@@ -0,0 +1,26 @@
+commit 36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02
+Author: David S. Miller <davem@davemloft.net>
+Date: Thu May 8 23:40:26 2008 -0700
+
+ sit: Add missing kfree_skb() on pskb_may_pull() failure.
+
+ Noticed by Paul Marks <paul@pmarks.net>.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/ipv6/sit.c linux-source-2.6.24/net/ipv6/sit.c
+--- linux-source-2.6.24.orig/net/ipv6/sit.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/ipv6/sit.c 2008-05-21 00:00:08.000000000 -0600
+@@ -395,9 +395,9 @@ static int ipip6_rcv(struct sk_buff *skb
+ }
+
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+- kfree_skb(skb);
+ read_unlock(&ipip6_lock);
+ out:
++ kfree_skb(skb);
+ return 0;
+ }
+
diff --git a/trunk/2.6.18/30068_hrtimer-prevent-overrun.patch b/trunk/2.6.18/30068_hrtimer-prevent-overrun.patch
new file mode 100644
index 0000000..d8c622e
--- /dev/null
+++ b/trunk/2.6.18/30068_hrtimer-prevent-overrun.patch
@@ -0,0 +1,38 @@
+commit 13788ccc41ceea5893f9c747c59bc0b28f2416c2
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 16 13:38:20 2007 -0800
+
+ [PATCH] hrtimer: prevent overrun DoS in hrtimer_forward()
+
+ hrtimer_forward() does not check for the possible overflow of
+ timer->expires. This can happen on 64 bit machines with large interval
+ values and results currently in an endless loop in the softirq because the
+ expiry value becomes negative and therefor the timer is expired all the
+ time.
+
+ Check for this condition and set the expiry value to the max. expiry time
+ in the future. The fix should be applied to stable kernel series as well.
+
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Acked-by: Ingo Molnar <mingo@elte.hu>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+
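Review bot: The header of this patch file says it was adjusted for Debian's 2.6.24, and both nested diff paths and the hunk offset (`-395,9 +395,9` in `ipip6_rcv`) are taken from `linux-source-2.6.24/net/ipv6/sit.c`, yet the file is committed into the 2.6.18 series; whether the hunk lands at the right place in 2.6.18's `sit.c` should be confirmed, and if it was re-based the header line should read `Adjusted to apply to Debian's 2.6.18 by ...`. The change moves `kfree_skb(skb)` from the ICMP error path to the `out:` label, so presumably every `goto out` in `ipip6_rcv` must now hand ownership of `skb` to that label; the hunk shows only the function's tail, so the other jump sites are outside the visible context.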
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
+index ec4cb9f..5e7122d 100644
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -644,6 +644,12 @@ hrtimer_forward(struct hrtimer *timer, ktime_t now, ktime_t interval)
+ orun++;
+ }
+ timer->expires = ktime_add(timer->expires, interval);
++ /*
++ * Make sure, that the result did not wrap with a very large
++ * interval.
++ */
++ if (timer->expires.tv64 < 0)
++ timer->expires = ktime_set(KTIME_SEC_MAX, 0);
+
+ return orun;
+ }
diff --git a/trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch b/trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
new file mode 100644
index 0000000..6bd6bd1
--- /dev/null
+++ b/trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
@@ -0,0 +1,29 @@
+commit 5379058b718ac6354ba99cc74d10c28d632dc28a
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 16 14:15:57 2007 -0800
+
+ [PATCH] fix MTIME_SEC_MAX on 32-bit
+
+ The maximum seconds value we can handle on 32bit is LONG_MAX.
+
+ Cc: Ingo Molnar <mingo@elte.hu>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/include/linux/ktime.h b/include/linux/ktime.h
+index c68c7ac..248305b 100644
+--- a/include/linux/ktime.h
++++ b/include/linux/ktime.h
+@@ -57,7 +57,11 @@ typedef union {
+ } ktime_t;
+
+ #define KTIME_MAX ((s64)~((u64)1 << 63))
+-#define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
++#if (BITS_PER_LONG == 64)
++# define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
++#else
++# define KTIME_SEC_MAX LONG_MAX
++#endif
+
+ /*
+ * ktime_t definitions when using the 64-bit scalar representation:
diff --git a/trunk/2.6.18/30070_amd64-cs-corruption.patch b/trunk/2.6.18/30070_amd64-cs-corruption.patch
new file mode 100644
index 0000000..da24cd3
--- /dev/null
+++ b/trunk/2.6.18/30070_amd64-cs-corruption.patch
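Review bot: The fallback `timer->expires = ktime_set(KTIME_SEC_MAX, 0)` passes its seconds argument through `ktime_set()`'s `long` parameter, so on 32-bit builds it only yields a sane clamp once `KTIME_SEC_MAX` is reduced to `LONG_MAX`, which is exactly what the separate 30069 patch does; the two files are therefore order-dependent, and nothing in this file records that. A one-line note after the `Signed-off-by` block, such as `Requires 30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch for a correct clamp on 32-bit`, would make the coupling explicit to whoever next reorders or drops patches. `hrtimer_forward` begins outside the nested hunk; only the exit of the `orun++` loop and the `ktime_add` are visible here.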
@@ -0,0 +1,12 @@
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/entry.S linux-source-2.6.18/arch/x86_64/kernel/entry.S
+--- linux-source-2.6.18.orig/arch/x86_64/kernel/entry.S 2008-04-23 21:53:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/kernel/entry.S 2008-05-08 17:19:58.000000000 -0600
+@@ -776,7 +776,7 @@ paranoid_swapgs\trace:
+ swapgs
+ paranoid_restore\trace:
+ RESTORE_ALL 8
+- iretq
++ jmp iret_label
+ paranoid_userspace\trace:
+ GET_THREAD_INFO(%rcx)
+ movl threadinfo_flags(%rcx),%ebx
diff --git a/trunk/2.6.18/30071_dccp-feature-length-check.patch b/trunk/2.6.18/30071_dccp-feature-length-check.patch
new file mode 100644
index 0000000..9ceb18c
--- /dev/null
+++ b/trunk/2.6.18/30071_dccp-feature-length-check.patch
@@ -0,0 +1,15 @@
+diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c
+--- linux-source-2.6.18.orig/net/dccp/feat.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/dccp/feat.c 2008-06-05 19:57:08.000000000 -0600
+@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc
+
+ dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
+
++ if (len > 3) {
++ if (net_ratelimit())
++ printk("%s: invalid length %d\n", __func__, len);
++ return -EINVAL;
++ }
+ /* XXX sanity check feat change request */
+
+ /* check if that feature is already being negotiated */
diff --git a/trunk/2.6.18/30072_asn1-ber-decoding-checks.patch b/trunk/2.6.18/30072_asn1-ber-decoding-checks.patch
new file mode 100644
index 0000000..2b512fe
--- /dev/null
+++ b/trunk/2.6.18/30072_asn1-ber-decoding-checks.patch
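Review bot: Unlike the other patch files in this commit, this one carries no provenance header at all — no upstream commit id, author, or description — so a reader has only the README's `See CVE-2008-1615` and `bug #480390` to understand why `iretq` in `paranoid_restore\trace` becomes `jmp iret_label`. A short header in the style of the neighbouring files, along the lines of `Backported from upstream commit <UPSTREAM-COMMIT-ID> to Debian's 2.6.18 by <WHO>`, followed by a sentence on what the redirected return path fixes, would bring it up to the same standard. The change also relies on `iret_label` existing in 2.6.18's `arch/x86_64/kernel/entry.S`; that label is outside the hunk, so its presence should be confirmed before the patch is applied.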
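Review bot: The new `printk("%s: invalid length %d\n", __func__, len)` in `dccp_feat_change` has no `KERN_*` log level, so a rejected feature option from a remote peer is logged at the default level instead of as a warning; `printk(KERN_WARNING "%s: invalid length %d\n", __func__, len);` is the conventional form, and the `net_ratelimit()` guard around it is right. The bound `3` is a bare constant with no comment saying where the limit comes from; a one-line comment above `if (len > 3)` stating the source of that maximum, or a named constant, would keep the next maintainer from guessing. `dccp_feat_change` begins outside the nested hunk, so the declared type of `len` (and hence whether the `%d` specifier matches it) is not visible here.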
@@ -0,0 +1,103 @@
+From: Chris Wright <chrisw@sous-sol.org>
+Date: Wed, 4 Jun 2008 16:16:33 +0000 (-0700)
+Subject: asn1: additional sanity checking during BER decoding
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ddb2c43594f22843e9f3153da151deaba1a834c5
+
+asn1: additional sanity checking during BER decoding
+
+- Don't trust a length which is greater than the working buffer.
+ An invalid length could cause overflow when calculating buffer size
+ for decoding oid.
+
+- An oid length of zero is invalid and allows for an off-by-one error when
+ decoding oid because the first subid actually encodes first 2 subids.
+
+- A primitive encoding may not have an indefinite length.
+
+Thanks to Wei Wang from McAfee for report.
+
+Cc: Steven French <sfrench@us.ibm.com>
+Cc: stable@kernel.org
+Acked-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/asn1.c linux-source-2.6.18/fs/cifs/asn1.c
+--- linux-source-2.6.18.orig/fs/cifs/asn1.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/asn1.c 2008-06-05 21:52:32.000000000 -0600
+@@ -182,6 +182,11 @@ asn1_length_decode(struct asn1_ctx *ctx,
+ }
+ }
+ }
++
++ /* don't trust len bigger than ctx buffer */
++ if (*len > ctx->end - ctx->pointer)
++ return 0;
++
+ return 1;
+ }
+
+@@ -199,6 +204,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
+ if (!asn1_length_decode(ctx, &def, &len))
+ return 0;
+
++ /* primitive shall be definite, indefinite shall be constructed */
++ if (*con == ASN1_PRI && !def)
++ return 0;
++
+ if (def)
+ *eoc = ctx->pointer + len;
+ else
+@@ -385,6 +394,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
+ unsigned long *optr;
+
+ size = eoc - ctx->pointer + 1;
++
++ /* first subid actually encodes first two subids */
++ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++ return 0;
++
+ *oid = kmalloc(size * sizeof (unsigned long), GFP_ATOMIC);
+ if (*oid == NULL) {
+ return 0;
+diff -urpN linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c
+--- linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c 2008-06-05 21:53:29.000000000 -0600
+@@ -235,6 +235,11 @@ static unsigned char asn1_length_decode(
+ }
+ }
+ }
++
++ /* don't trust len bigger than ctx buffer */
++ if (*len > ctx->end - ctx->pointer)
++ return 0;
++
+ return 1;
+ }
+
+@@ -253,6 +258,10 @@ static unsigned char asn1_header_decode(
+ if (!asn1_length_decode(ctx, &def, &len))
+ return 0;
+
++ /* primitive shall be definite, indefinite shall be constructed */
++ if (*con == ASN1_PRI && !def)
++ return 0;
++
+ if (def)
+ *eoc = ctx->pointer + len;
+ else
+@@ -437,6 +446,11 @@ static unsigned char asn1_oid_decode(str
+ unsigned long *optr;
+
+ size = eoc - ctx->pointer + 1;
++
++ /* first subid actually encodes first two subids */
++ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++ return 0;
++
+ *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
+ if (*oid == NULL) {
+ if (net_ratelimit()) |
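Review bot: The new bound `if (*len > ctx->end - ctx->pointer)` in `asn1_length_decode` is placed on the common exit, so it also runs on the indefinite-length path (the one the caller later sees as `!def`), and nothing in the visible tail of the function shows `*len` being assigned on that path; unless `len` is initialised in `asn1_header_decode` before the `asn1_length_decode(ctx, &def, &len)` call — which is outside the hunk — the comparison would read an indeterminate value and the rejection could be non-deterministic. Confirming that declaration, or initialising `*len = 0` at the top of `asn1_length_decode` so the check is well-defined regardless of the caller, would close that gap; a one-line `/* *len is only set for definite lengths; the bound check below must still be defined for !*def */` above the check would document the intent. The same applies verbatim to the `asn1_length_decode` copy in `net/ipv4/netfilter/ip_nat_snmp_basic.c`. All six nested hunks show only fragments; every function head is outside the visible context.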