From 2fd03079ac1a1451e96b28fa0ee30169996a989d Mon Sep 17 00:00:00 2001
From: Robert Buchholz
Date: Sat, 8 Sep 2007 17:41:26 +0000
Subject: New 2.6.18 security patches for testing
svn path=/patches/; revision=41
---
 trunk/2.6.18/00000_README | 25 +++
 .../30025_ipv4-fib_props-out-of-bounds.patch | 42 +++++
 trunk/2.6.18/30027_cpuset_tasks-underflow.patch | 61 +++++++
 .../2.6.18/30028_random-bound-check-ordering.patch | 42 +++++
 trunk/2.6.18/30029_cifs-fix-sign-settings.patch | 179 +++++++++++++++++++++
 trunk/2.6.18/30030_aacraid-ioctl-perm-check.patch | 40 +++++
 6 files changed, 389 insertions(+)
 create mode 100644 trunk/2.6.18/30025_ipv4-fib_props-out-of-bounds.patch
 create mode 100644 trunk/2.6.18/30027_cpuset_tasks-underflow.patch
 create mode 100644 trunk/2.6.18/30028_random-bound-check-ordering.patch
 create mode 100644 trunk/2.6.18/30029_cifs-fix-sign-settings.patch
 create mode 100644 trunk/2.6.18/30030_aacraid-ioctl-perm-check.patch
diff --git a/trunk/2.6.18/00000_README b/trunk/2.6.18/00000_README
index 2cd2f31..905c7e4 100644
--- a/trunk/2.6.18/00000_README
+++ b/trunk/2.6.18/00000_README
@@ -136,6 +136,31 @@ Patches
 30024_drm-i965.patch
 Dependency for 30022_i965-secure-batchbuffer.patch
+30025_ipv4-fib_props-out-of-bounds.patch
+ [SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
+ and check for out of bounds condition in index provided by userspace
+ See CVE-2007-2172
+
+30027_cpuset_tasks-underflow.patch
+ [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
+ local attackers to read sensitive kernel memory if the cpuset filesystem
+ is mounted.
+ See CVE-2007-2875
+
+30028_random-bound-check-ordering.patch
+ [SECURITY] Fix stack-based buffer overflow in the random number
+ generator
+ See CVE-2007-3105
+
+30029_cifs-fix-sign-settings.patch
+ [SECURITY] Fix overriding the server to force signing on caused by
+ checking the wrong gloal variable.
+ See CVE-2007-3843
+
+30030_aacraid-ioctl-perm-check.patch
+ [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
+ See CVE-2007-4308
+
 50001_make-install.patch
 Handle make install in a semi-sane way that plays nice with split
 domU/dom0 kernels.
diff --git a/trunk/2.6.18/30025_ipv4-fib_props-out-of-bounds.patch b/trunk/2.6.18/30025_ipv4-fib_props-out-of-bounds.patch
new file mode 100644
index 0000000..3fb091d
--- /dev/null
+++ b/trunk/2.6.18/30025_ipv4-fib_props-out-of-bounds.patch
@@ -0,0 +1,42 @@
+From: Thomas Graf
+Date: Sun, 25 Mar 2007 03:32:54 +0000 (-0700)
+Subject: [IPv4] fib: Fix out of bound access of fib_props[]
+X-Git-Tag: v2.6.21~241^2~12
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a0ee18b9b7d3847976c6fb315c06a34fb296de0e
+
+[IPv4] fib: Fix out of bound access of fib_props[]
+
+Fixes a typo which caused fib_props[] to have the wrong size
+and makes sure the value used to index the array which is
+provided by userspace via netlink is checked to avoid out of
+bound access.
+
+Signed-off-by: Thomas Graf
+Signed-off-by: David S. Miller
+---
+
+Backported to Debian's 2.6.18 by dann frazier , heavily
+based upon Tim Gardner's backport for Ubuntu:
+ http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-edgy.git;a=commitdiff;h=6e87288e83ac08e7154980795622efdafd49c9c8
+
+--- linux-source-2.6.18.orig/net/ipv4/fib_semantics.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/fib_semantics.c 2007-08-27 22:15:04.678316443 -0600
+@@ -88,7 +88,7 @@ static const struct
+ {
+ int error;
+ u8 scope;
+-} fib_props[RTA_MAX + 1] = {
++} fib_props[RTN_MAX + 1] = {
+ {
+ .error = 0,
+ .scope = RT_SCOPE_NOWHERE,
+@@ -662,6 +662,9 @@ fib_create_info(const struct rtmsg *r, s
+ u32 mp_alg = IP_MP_ALG_NONE;
+ #endif
+
++ if (r->rtm_type > RTN_MAX)
++ goto err_inval;
++
+ /* Fast check to catch the most weird cases */
+ if (fib_props[r->rtm_type].scope > r->rtm_scope)
+ goto err_inval;
diff --git a/trunk/2.6.18/30027_cpuset_tasks-underflow.patch b/trunk/2.6.18/30027_cpuset_tasks-underflow.patch
new file mode 100644
index 0000000..254ce0f
--- /dev/null
+++ b/trunk/2.6.18/30027_cpuset_tasks-underflow.patch
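Review bot: The new `if (r->rtm_type > RTN_MAX)` guard in fib_create_info is an upper bound only, which is a complete range check only because `rtm_type` is an unsigned byte in `struct rtmsg` (declared outside this hunk; confirm that holds in the 2.6.18 headers), and nothing in the code says so. I would record that next to the check so a later widening of the field does not silently reopen the negative-index case, e.g. `/* rtm_type is u8, so an upper bound is a full range check; must precede the fib_props[] lookup below */`. The lookup it protects is the `fib_props[r->rtm_type].scope` access a few lines further down, which is the out-of-bounds read the CVE is about, so the ordering is the whole fix. The rest of fib_create_info, including the err_inval label, lies outside the hunk.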
@@ -0,0 +1,61 @@
+From: Akinobu Mita
+Date: Wed, 9 May 2007 09:33:33 +0000 (-0700)
+Subject: use simple_read_from_buffer in kernel/
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=85badbdf5120d246ce2bb3f1a7689a805f9c9006
+
+use simple_read_from_buffer in kernel/
+
+Cleanup using simple_read_from_buffer() for /dev/cpuset/tasks and
+/proc/config.gz.
+
+Cc: Paul Jackson
+Cc: Randy Dunlap
+Signed-off-by: Akinobu Mita
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+---
+
+Backported to Debian's 2.6.18 by dann frazier
+
+diff -urpN linux-source-2.6.18.orig/kernel/configs.c linux-source-2.6.18/kernel/configs.c
+--- linux-source-2.6.18.orig/kernel/configs.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/configs.c 2007-08-27 22:30:10.774211736 -0600
+@@ -61,18 +61,9 @@ static ssize_t
+ ikconfig_read_current(struct file *file, char __user *buf,
+ size_t len, loff_t * offset)
+ {
+- loff_t pos = *offset;
+- ssize_t count;
+-
+- if (pos >= kernel_config_data_size)
+- return 0;
+-
+- count = min(len, (size_t)(kernel_config_data_size - pos));
+- if (copy_to_user(buf, kernel_config_data + MAGIC_SIZE + pos, count))
+- return -EFAULT;
+-
+- *offset += count;
+- return count;
++ return simple_read_from_buffer(buf, len, offset,
++ kernel_config_data + MAGIC_SIZE,
++ kernel_config_data_size);
+ }
+
+ static struct file_operations ikconfig_file_ops = {
+diff -urpN linux-source-2.6.18.orig/kernel/cpuset.c linux-source-2.6.18/kernel/cpuset.c
+--- linux-source-2.6.18.orig/kernel/cpuset.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/cpuset.c 2007-08-27 22:30:10.778211823 -0600
+@@ -1743,12 +1743,7 @@ static ssize_t cpuset_tasks_read(struct
+ {
+ struct ctr_struct *ctr = file->private_data;
+
+- if (*ppos + nbytes > ctr->bufsz)
+- nbytes = ctr->bufsz - *ppos;
+- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
+- return -EFAULT;
+- *ppos += nbytes;
+- return nbytes;
++ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
+ }
+
+ static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
diff --git a/trunk/2.6.18/30028_random-bound-check-ordering.patch b/trunk/2.6.18/30028_random-bound-check-ordering.patch
new file mode 100644
index 0000000..f2e9ab5
--- /dev/null
+++ b/trunk/2.6.18/30028_random-bound-check-ordering.patch
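Review bot: The security fix in cpuset_tasks_read rests entirely on `simple_read_from_buffer()` refusing a position past the end of `ctr->buf`; the removed code computed `ctr->bufsz - *ppos` after a seek beyond `bufsz`, which underflows and lets the following `copy_to_user` read past the buffer. That helper's bounds behaviour is not visible in this patch and the quoted upstream commit is against 2.6.20, so the backport should confirm that the 2.6.18 `fs/libfs.c` version returns 0 for `pos >= available` (and rejects a negative `pos`) rather than assuming it; otherwise the underflow has only moved. A one-line comment at the call site, `/* simple_read_from_buffer bounds *ppos against bufsz; never recompute bufsz - *ppos here */`, would stop the next backporter from reintroducing the arithmetic. The configs.c hunk is the same cleanup with the same dependency, and cpuset_tasks_read's signature sits outside the hunk.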
@@ -0,0 +1,42 @@
+From: Matt Mackall
+Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700)
+Subject: random: fix bound check ordering (CVE-2007-3105)
+X-Git-Tag: v2.6.23-rc1~259
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd
+
+random: fix bound check ordering (CVE-2007-3105)
+
+If root raised the default wakeup threshold over the size of the
+output pool, the pool transfer function could overflow the stack with
+RNG bytes, causing a DoS or potential privilege escalation.
+
+(Bug reported by the PaX Team )
+
+Cc: Theodore Tso
+Cc: Willy Tarreau
+Signed-off-by: Matt Mackall
+Signed-off-by: Chris Wright
+Signed-off-by: Linus Torvalds
+---
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 7f52712..397c714 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -693,9 +693,14 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
+
+ if (r->pull && r->entropy_count < nbytes * 8 &&
+ r->entropy_count < r->poolinfo->POOLBITS) {
+- int bytes = max_t(int, random_read_wakeup_thresh / 8,
+- min_t(int, nbytes, sizeof(tmp)));
++ /* If we're limited, always leave two wakeup worth's BITS */
+ int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
++ int bytes = nbytes;
++
++ /* pull at least as many as BYTES as wakeup BITS */
++ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
++ /* but never more than the buffer size */
++ bytes = min_t(int, bytes, sizeof(tmp));
+
+ DEBUG_ENT("going to reseed %s with %d bits "
+ "(%d of %d requested)\n",
diff --git a/trunk/2.6.18/30029_cifs-fix-sign-settings.patch b/trunk/2.6.18/30029_cifs-fix-sign-settings.patch
new file mode 100644
index 0000000..11f8021
--- /dev/null
+++ b/trunk/2.6.18/30029_cifs-fix-sign-settings.patch
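Review bot: The property that makes the rewritten clamp in xfer_secondary_pool safe is that `min_t(int, bytes, sizeof(tmp))` is applied last, so no value root writes to `random_read_wakeup_thresh` can push `bytes` past the stack buffer; the new comments describe each step but not that ordering constraint, which is exactly what the old nested `max_t(..., min_t(...))` got wrong. I would state it where it matters, e.g. `/* the min against sizeof(tmp) MUST stay last: it bounds the stack buffer */` above the `min_t` line. `int bytes = nbytes;` also narrows a `size_t` to `int` silently; presumably harmless for the sizes callers pass here, but worth a note or a `min_t(size_t, ...)` form if the callers are ever widened. `tmp` is declared outside the hunk, so the `sizeof(tmp)` bound holds only while it remains a fixed-size array rather than a pointer.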
@@ -0,0 +1,179 @@
+From: Steve French
+Date: Thu, 28 Jun 2007 18:41:42 +0000 (+0000)
+Subject: [CIFS] Fix sign mount option and sign proc config setting
+X-Git-Tag: v2.6.23-rc1~478^2~20
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=762e5ab77c803c819e45d054518a98efb70b0f60
+
+[CIFS] Fix sign mount option and sign proc config setting
+
+We were checking the wrong (old) global variable to determine
+whether to override server and force signing on the SMB
+connection.
+
+Acked-by: Dave Kleikamp
+Signed-off-by: Steve French
+---
+
+Backported to Debian's 2.6.18 by dann frazier
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/cifs_debug.c linux-source-2.6.18/fs/cifs/cifs_debug.c
+--- linux-source-2.6.18.orig/fs/cifs/cifs_debug.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/cifs_debug.c 2007-08-27 23:12:40.666200121 -0600
+@@ -895,90 +895,14 @@ security_flags_write(struct file *file,
+ }
+ /* flags look ok - update the global security flags for cifs module */
+ extended_security = flags;
++ if (extended_security & CIFSSEC_MUST_SIGN) {
++ /* requiring signing implies signing is allowed */
++ extended_security |= CIFSSEC_MAY_SIGN;
++ cFYI(1, ("packet signing now required"));
++ } else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
++ cFYI(1, ("packet signing disabled"));
++ }
++ /* BB should we turn on MAY flags for other MUST options? */
+ return count;
+ }
+-
+-/* static int
+-ntlmv2_enabled_read(char *page, char **start, off_t off,
+- int count, int *eof, void *data)
+-{
+- int len;
+-
+- len = sprintf(page, "%d\n", ntlmv2_support);
+-
+- len -= off;
+- *start = page + off;
+-
+- if (len > count)
+- len = count;
+- else
+- *eof = 1;
+-
+- if (len < 0)
+- len = 0;
+-
+- return len;
+-}
+-static int
+-ntlmv2_enabled_write(struct file *file, const char __user *buffer,
+- unsigned long count, void *data)
+-{
+- char c;
+- int rc;
+-
+- rc = get_user(c, buffer);
+- if (rc)
+- return rc;
+- if (c == '0' || c == 'n' || c == 'N')
+- ntlmv2_support = 0;
+- else if (c == '1' || c == 'y' || c == 'Y')
+- ntlmv2_support = 1;
+- else if (c == '2')
+- ntlmv2_support = 2;
+-
+- return count;
+-}
+-
+-static int
+-packet_signing_enabled_read(char *page, char **start, off_t off,
+- int count, int *eof, void *data)
+-{
+- int len;
+-
+- len = sprintf(page, "%d\n", sign_CIFS_PDUs);
+-
+- len -= off;
+- *start = page + off;
+-
+- if (len > count)
+- len = count;
+- else
+- *eof = 1;
+-
+- if (len < 0)
+- len = 0;
+-
+- return len;
+-}
+-static int
+-packet_signing_enabled_write(struct file *file, const char __user *buffer,
+- unsigned long count, void *data)
+-{
+- char c;
+- int rc;
+-
+- rc = get_user(c, buffer);
+- if (rc)
+- return rc;
+- if (c == '0' || c == 'n' || c == 'N')
+- sign_CIFS_PDUs = 0;
+- else if (c == '1' || c == 'y' || c == 'Y')
+- sign_CIFS_PDUs = 1;
+- else if (c == '2')
+- sign_CIFS_PDUs = 2;
+-
+- return count;
+-} */
+-
+-
+ #endif
+diff -urpN linux-source-2.6.18.orig/fs/cifs/cifssmb.c linux-source-2.6.18/fs/cifs/cifssmb.c
+--- linux-source-2.6.18.orig/fs/cifs/cifssmb.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/cifssmb.c 2007-08-27 23:12:40.678200384 -0600
+@@ -411,11 +411,11 @@ CIFSSMBNegotiate(unsigned int xid, struc
+
+ /* if any of auth flags (ie not sign or seal) are overriden use them */
+ if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
+- secFlags = ses->overrideSecFlg;
++ secFlags = ses->overrideSecFlg; /* BB FIXME fix sign flags? */
+ else /* if override flags set only sign/seal OR them with global auth */
+ secFlags = extended_security | ses->overrideSecFlg;
+
+- cFYI(1,("secFlags 0x%x",secFlags));
++ cFYI(1, ("secFlags 0x%x", secFlags));
+
+ pSMB->hdr.Mid = GetNextMid(server);
+ pSMB->hdr.Flags2 |= SMBFLG2_UNICODE;
+@@ -582,22 +582,32 @@ CIFSSMBNegotiate(unsigned int xid, struc
+ #ifdef CONFIG_CIFS_WEAK_PW_HASH
+ signing_check:
+ #endif
+- if(sign_CIFS_PDUs == FALSE) {
++ if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
++ /* MUST_SIGN already includes the MAY_SIGN FLAG
++ so if this is zero it means that signing is disabled */
++ cFYI(1, ("Signing disabled"));
+ if(server->secMode & SECMODE_SIGN_REQUIRED)
+- cERROR(1,("Server requires "
+- "/proc/fs/cifs/PacketSigningEnabled to be on"));
++ cERROR(1, ("Server requires "
++ "/proc/fs/cifs/PacketSigningEnabled "
++ "to be on"));
+ server->secMode &=
+ ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
+- } else if(sign_CIFS_PDUs == 1) {
++ } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
++ /* signing required */
++ cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
++ if ((server->secMode &
++ (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
++ cERROR(1,
++ ("signing required but server lacks support"));
++ } else
++ server->secMode |= SECMODE_SIGN_REQUIRED;
++ } else {
++ /* signing optional ie CIFSSEC_MAY_SIGN */
+ if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
+ server->secMode &=
+ ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
+- } else if(sign_CIFS_PDUs == 2) {
+- if((server->secMode &
+- (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
+- cERROR(1,("signing required but server lacks support"));
+- }
+ }
++
+ neg_err_exit:
+ cifs_buf_release(pSMB);
+
diff --git a/trunk/2.6.18/30030_aacraid-ioctl-perm-check.patch b/trunk/2.6.18/30030_aacraid-ioctl-perm-check.patch
new file mode 100644
index 0000000..cb2a516
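Review bot: In the new `CIFSSEC_MUST_SIGN` branch of CIFSSMBNegotiate, a server that advertises neither SECMODE_SIGN_ENABLED nor SECMODE_SIGN_REQUIRED only triggers a `cERROR`; `rc` is never set on that path, so unless something outside the hunk fails the negotiation, a mount that demanded signing continues without it, which defeats the option the patch is meant to fix (the removed `sign_CIFS_PDUs == 2` branch had the same gap, so this is inherited, not introduced). The branch should fail hard: add `rc = -EOPNOTSUPP;` after the `cERROR(1, ("signing required but server lacks support"));` and confirm that the caller, outside the hunk, tears the session down on a non-zero `rc`. The debug string in that branch also reads `segFlags` where `secFlags` is meant. The cifs_debug.c hunk correctly makes MUST_SIGN imply MAY_SIGN, which the `(secFlags & CIFSSEC_MAY_SIGN) == 0` test here relies on; a comment on the `secFlags` override path noting that `ses->overrideSecFlg` may still carry MUST_SIGN without MAY_SIGN would explain the `BB FIXME` left there.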
--- /dev/null
+++ b/trunk/2.6.18/30030_aacraid-ioctl-perm-check.patch
@@ -0,0 +1,40 @@
+From: Alan Cox
+Date: Mon, 23 Jul 2007 13:51:05 +0000 (+0100)
+Subject: [SCSI] aacraid: Fix security hole
+X-Git-Tag: v2.6.23-rc2~164^2~24
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=60395bb60e0b5e4e0808ac8eb07a92f6c9cdea1f
+
+[SCSI] aacraid: Fix security hole
+
+On the SCSI layer ioctl path there is no implicit permissions check for
+ioctls (and indeed other drivers implement unprivileged ioctls). aacraid
+however allows all sorts of very admin only things to be done so should
+check.
+
+Signed-off-by: Alan Cox
+Acked-by: "Salyzyn, Mark"
+Signed-off-by: James Bottomley
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier
+
+--- linux-source-2.6.18.orig/drivers/scsi/aacraid/linit.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/drivers/scsi/aacraid/linit.c 2007-08-27 23:27:41.805986591 -0600
+@@ -536,6 +536,8 @@ static int aac_cfg_open(struct inode *in
+ static int aac_cfg_ioctl(struct inode *inode, struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
+ return aac_do_ioctl(file->private_data, cmd, (void __user *)arg);
+ }
+
+@@ -589,6 +591,8 @@ static int aac_compat_ioctl(struct scsi_
+
+ static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+ {
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
+ return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg);
+ }
+ #endif
-- cgit v1.2.3-65-gdbad
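Review bot: The commit message describes the SCSI-layer ioctl path as the one with no implicit permission check, yet the hunk guards only the two character-device entry points, `aac_cfg_ioctl` and `aac_compat_cfg_ioctl`; the host-template entry points, `aac_compat_ioctl` (visible only in the second `@@` context line, body outside the hunk) and presumably its non-compat sibling `aac_ioctl`, also dispatch into `aac_do_ioctl`/`aac_compat_do_ioctl` and, if they carry no check of their own, stay reachable by any user who can open the SCSI device node. They should get the same guard, `if (!capable(CAP_SYS_ADMIN)) return -EPERM;`, before the dispatch, or the README entry should say why the SCSI path is considered already covered. A short comment on the new checks, `/* firmware and config ioctls are admin-only; the SCSI layer does no check for us */`, would also explain why this driver differs from the unprivileged-ioctl drivers the message mentions.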