SOURCES: linux-2.4-update.patch - updated from 2.4.33.2

qboosh qboosh at pld-linux.org
Mon Aug 28 16:15:03 CEST 2006


Author: qboosh                       Date: Mon Aug 28 14:15:02 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- updated from 2.4.33.2

---- Files affected:
SOURCES:
   linux-2.4-update.patch (1.1 -> 1.2) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.4-update.patch
diff -u SOURCES/linux-2.4-update.patch:1.1 SOURCES/linux-2.4-update.patch:1.2
--- SOURCES/linux-2.4-update.patch:1.1	Mon Aug 21 11:56:18 2006
+++ SOURCES/linux-2.4-update.patch	Mon Aug 28 16:14:57 2006
@@ -1,4 +1,16 @@
 
+Summary of changes from v2.4.33.1 to v2.4.33.2
+============================================
+
+Ernie Petrides:
+      binfmt_elf.c : fix checks for bad address
+
+Willy Tarreau:
+      Revert "export memchr() which is used by smbfs and lp driver."
+      [SPARC] export memchr() which is used by smbfs and lp driver.
+      [SCTP] Local privilege elevation - CVE-2006-3745
+      Change VERSION to 2.4.33.2
+
 Summary of changes from v2.4.33 to v2.4.33.1
 ============================================
 
@@ -16,7 +28,7 @@
       Change VERSION to 2.4.33.1
 
 #diff --git a/Makefile b/Makefile
-#index fd6884d..6ef832b 100644
+#index 34125f6..340a66a 100644
 #--- a/Makefile
 #+++ b/Makefile
 #@@ -1,7 +1,7 @@
@@ -24,7 +36,7 @@
 # PATCHLEVEL = 4
 # SUBLEVEL = 33
 #-EXTRAVERSION =
-#+EXTRAVERSION = .1
+#+EXTRAVERSION = .2
 # 
 # KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
 # 
@@ -41,6 +53,30 @@
  	mtspr	SPRN_HID0,r0
  	mfspr	r0,SPRN_HID0
  	mfspr	r0,SPRN_HID0
+#diff --git a/arch/sparc/kernel/sparc_ksyms.c b/arch/sparc/kernel/sparc_ksyms.c
+#index 1c08204..f5058fe 100644
+#--- a/arch/sparc/kernel/sparc_ksyms.c
+#+++ b/arch/sparc/kernel/sparc_ksyms.c
+#@@ -297,6 +297,7 @@ EXPORT_SYMBOL_NOVERS(memcmp);
+# EXPORT_SYMBOL_NOVERS(memcpy);
+# EXPORT_SYMBOL_NOVERS(memset);
+# EXPORT_SYMBOL_NOVERS(memmove);
+#+EXPORT_SYMBOL_NOVERS(memchr);
+# EXPORT_SYMBOL_NOVERS(__ashrdi3);
+# EXPORT_SYMBOL_NOVERS(__ashldi3);
+# EXPORT_SYMBOL_NOVERS(__lshrdi3);
+#diff --git a/arch/sparc64/kernel/sparc64_ksyms.c b/arch/sparc64/kernel/sparc64_ksyms.c
+#index 0f1f31f..40accab 100644
+#--- a/arch/sparc64/kernel/sparc64_ksyms.c
+#+++ b/arch/sparc64/kernel/sparc64_ksyms.c
+#@@ -359,6 +359,7 @@ EXPORT_SYMBOL_NOVERS(__ret_efault);
+# /* No version information on these, as gcc produces such symbols. */
+# EXPORT_SYMBOL_NOVERS(memcmp);
+# EXPORT_SYMBOL_NOVERS(memcpy);
+#+EXPORT_SYMBOL_NOVERS(memchr);
+# EXPORT_SYMBOL_NOVERS(memset);
+# EXPORT_SYMBOL_NOVERS(memmove);
+# 
 diff --git a/drivers/mtd/devices/blkmtd.c b/drivers/mtd/devices/blkmtd.c
 index f4280a1..9399d4e 100644
 --- a/drivers/mtd/devices/blkmtd.c
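Review bot: The two sparc ksyms fragments added here are `#`-prefixed, so `patch` will treat them as garbage and skip them, yet the summary at the top of the file lists "[SPARC] export memchr()" as part of 2.4.33.2; a reader cannot tell whether the export was deliberately left out of this tree (already present elsewhere?) or disabled by mistake. A one-line note next to the disabled block, e.g. `# disabled: memchr already exported in our tree` or whatever the real reason is, would keep the next maintainer from either re-enabling it blindly or hunting for a missing symbol at link time. This matches how the Makefile EXTRAVERSION hunk is disabled above, so the convention is presumably intentional and only the reason is missing.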
@@ -66,6 +102,67 @@
      vma->vm_private_data = sfp;
      vma->vm_ops = &sg_mmap_vm_ops;
      return 0;
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index b0ad905..32c8ec6 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -77,7 +77,7 @@ static struct linux_binfmt elf_format = 
+ 	NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, ELF_EXEC_PAGESIZE
+ };
+ 
+-#define BAD_ADDR(x)	((unsigned long)(x) > TASK_SIZE)
++#define BAD_ADDR(x)	((unsigned long)(x) >= TASK_SIZE)
+ 
+ static int set_brk(unsigned long start, unsigned long end)
+ {
+@@ -345,7 +345,7 @@ static unsigned long load_elf_interp(str
+ 	     * <= p_memsize so it is only necessary to check p_memsz.
+ 	     */
+ 	    k = load_addr + eppnt->p_vaddr;
+-	    if (k > TASK_SIZE || eppnt->p_filesz > eppnt->p_memsz ||
++	    if (BAD_ADDR(k) || eppnt->p_filesz > eppnt->p_memsz ||
+ 		eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
+ 	        error = -ENOMEM;
+ 		goto out_close;
+@@ -772,7 +772,7 @@ #endif
+ 		 * allowed task size. Note that p_filesz must always be
+ 		 * <= p_memsz so it is only necessary to check p_memsz.
+ 		 */
+-		if (k > TASK_SIZE || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
++		if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
+ 		    elf_ppnt->p_memsz > TASK_SIZE ||
+ 		    TASK_SIZE - elf_ppnt->p_memsz < k) {
+ 			/* set_brk can never work.  Avoid overflows.  */
+@@ -822,10 +822,13 @@ #endif
+ 						    interpreter,
+ 						    &interp_load_addr);
+ 		if (BAD_ADDR(elf_entry)) {
+-			printk(KERN_ERR "Unable to load interpreter %.128s\n",
+-				elf_interpreter);
++	     		// FIXME - ratelimit this before re-enabling
++			// printk(KERN_ERR "Unable to load interpreter %.128s\n",
++			//        elf_interpreter);
++
+ 			force_sig(SIGSEGV, current);
+-			retval = IS_ERR((void *)elf_entry) ? PTR_ERR((void *)elf_entry) : -ENOEXEC;
++			retval = IS_ERR((void *)elf_entry) ?
++					(int)elf_entry : -EINVAL;
+ 			goto out_free_dentry;
+ 		}
+ 		reloc_func_desc = interp_load_addr;
+@@ -833,6 +836,12 @@ #endif
+ 		allow_write_access(interpreter);
+ 		fput(interpreter);
+ 		kfree(elf_interpreter);
++	} else {
++		if (BAD_ADDR(elf_entry)) {
++			force_sig(SIGSEGV, current);
++			retval = -EINVAL;
++			goto out_free_dentry;
++		}
+ 	}
+ 
+ 	kfree(elf_phdata);
 diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
 index 48ab5af..30e03c2 100644
 --- a/fs/nfs/dir.c
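Review bot: The failed-interpreter path in load_elf_binary loses its only diagnostic: the `printk(KERN_ERR "Unable to load interpreter %.128s\n", ...)` is commented out behind a FIXME instead of being rate-limited, so a binary whose interpreter cannot be mapped now dies with SIGSEGV and nothing in the log says why. Keeping the message under a rate limit would preserve the signal for triage while still preventing a flood from repeatedly executed bad binaries; at minimum the FIXME should name the rate-limiting mechanism it is waiting for so the disabled line is not forgotten. The commented-out lines also use `//` comments with mixed tab/space indentation (`+	     		// FIXME`), which is out of place in this file's `/* */` style. The new `else` branch rejecting `BAD_ADDR(elf_entry)` for binaries without an interpreter, together with tightening BAD_ADDR to `>= TASK_SIZE`, reads correctly; load_elf_binary itself begins and ends outside the hunk.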
@@ -82,18 +179,44 @@
  		goto out;
  	if (inode)
  		inode->i_nlink--;
-#diff --git a/kernel/ksyms.c b/kernel/ksyms.c
-#index d1e66c7..73ad3e9 100644
-#--- a/kernel/ksyms.c
-#+++ b/kernel/ksyms.c
-#@@ -579,6 +579,7 @@ EXPORT_SYMBOL(get_write_access);
-# EXPORT_SYMBOL(strnicmp);
-# EXPORT_SYMBOL(strspn);
-# EXPORT_SYMBOL(strsep);
-#+EXPORT_SYMBOL(memchr);
-# 
-# #ifdef CONFIG_CRC32
-# EXPORT_SYMBOL(crc32_le);
+diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
+index 0e01fef..28d25a3 100644
+--- a/include/net/sctp/sctp.h
++++ b/include/net/sctp/sctp.h
+@@ -410,19 +410,6 @@ static inline int sctp_list_single_entry
+ 	return ((head->next != head) && (head->next == head->prev));
+ }
+ 
+-/* Calculate the size (in bytes) occupied by the data of an iovec.  */
+-static inline size_t get_user_iov_size(struct iovec *iov, int iovlen)
+-{
+-	size_t retval = 0;
+-
+-	for (; iovlen > 0; --iovlen) {
+-		retval += iov->iov_len;
+-		iov++;
+-	}
+-
+-	return retval;
+-}
+-
+ /* Generate a random jitter in the range of -50% ~ +50% of input RTO. */
+ static inline __s32 sctp_jitter(__u32 rto)
+ {
+diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
+index 5576db5..9052ddd 100644
+--- a/include/net/sctp/sm.h
++++ b/include/net/sctp/sm.h
+@@ -221,8 +221,7 @@ struct sctp_chunk *sctp_make_abort_no_da
+ 				      const struct sctp_chunk *,
+ 				      __u32 tsn);
+ struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *,
+-				   const struct sctp_chunk *,
+-				   const struct msghdr *);
++					const struct msghdr *, size_t msg_len);
+ struct sctp_chunk *sctp_make_abort_violation(const struct sctp_association *,
+ 				   const struct sctp_chunk *,
+ 				   const __u8 *,
 diff --git a/net/core/pktgen.c b/net/core/pktgen.c
 index 1465093..75cce3f 100644
 --- a/net/core/pktgen.c
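Review bot: The new prototype in include/net/sctp/sm.h names its last parameter `msg_len`, while the definition in net/sctp/sm_make_chunk.c later in this patch calls it `paylen`; the header should use the same name so it documents the contract, e.g. `const struct msghdr *, size_t paylen);`. The parameter is the number of bytes copied out of the iovec, which is the value the caller is now responsible for bounding, so that meaning is worth a short comment on the declaration. Removing get_user_iov_size() from sctp.h also removes a static inline that other 2.4 code may have picked up through this header; confirm no remaining caller exists when the patch is applied, since the failure would only show up as a build error.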
@@ -107,3 +230,126 @@
  
  	if (info->nfrags <= 0) {
                  pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index 556dee6..08fe461 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -798,38 +798,26 @@ no_mem:
+ 
+ /* Helper to create ABORT with a SCTP_ERROR_USER_ABORT error.  */
+ struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *asoc,
+-				   const struct sctp_chunk *chunk,
+-				   const struct msghdr *msg)
++					const struct msghdr *msg,
++					size_t paylen)
+ {
+ 	struct sctp_chunk *retval;
+-	void *payload = NULL, *payoff;
+-	size_t paylen = 0;
+-	struct iovec *iov = NULL;
+-	int iovlen = 0;
+-
+-	if (msg) {
+-		iov = msg->msg_iov;
+-		iovlen = msg->msg_iovlen;
+-		paylen = get_user_iov_size(iov, iovlen);
+-	}
++	void *payload = NULL;
++	int err;
+ 
+-	retval = sctp_make_abort(asoc, chunk, sizeof(sctp_errhdr_t) + paylen);
++	retval = sctp_make_abort(asoc, NULL, sizeof(sctp_errhdr_t) + paylen);
+ 	if (!retval)
+ 		goto err_chunk;
+ 
+ 	if (paylen) {
+ 		/* Put the msg_iov together into payload.  */
+-		payload = kmalloc(paylen, GFP_ATOMIC);
++		payload = kmalloc(paylen, GFP_KERNEL);
+ 		if (!payload)
+ 			goto err_payload;
+-		payoff = payload;
+ 
+-		for (; iovlen > 0; --iovlen) {
+-			if (copy_from_user(payoff, iov->iov_base,iov->iov_len))
+-				goto err_copy;
+-			payoff += iov->iov_len;
+-			iov++;
+-		}
++		err = memcpy_fromiovec(payload, msg->msg_iov, paylen);
++		if (err < 0)
++			goto err_copy;
+ 	}
+ 
+ 	sctp_init_cause(retval, SCTP_ERROR_USER_ABORT, payload, paylen);
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 542f375..992043f 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3990,18 +3990,12 @@ sctp_disposition_t sctp_sf_do_9_1_prm_ab
+ 	 * from its upper layer, but retransmits data to the far end
+ 	 * if necessary to fill gaps.
+ 	 */
+-	struct msghdr *msg = arg;
+-	struct sctp_chunk *abort;
++	struct sctp_chunk *abort = arg;
+ 	sctp_disposition_t retval;
+ 
+ 	retval = SCTP_DISPOSITION_CONSUME;
+ 
+-	/* Generate ABORT chunk to send the peer.  */
+-	abort = sctp_make_abort_user(asoc, NULL, msg);
+-	if (!abort)
+-		retval = SCTP_DISPOSITION_NOMEM;
+-	else
+-		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
++	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+ 
+ 	/* Even if we can't send the ABORT due to low memory delete the
+ 	 * TCB.  This is a departure from our typical NOMEM handling.
+@@ -4123,8 +4117,7 @@ sctp_disposition_t sctp_sf_cookie_wait_p
+ 	void *arg,
+ 	sctp_cmd_seq_t *commands)
+ {
+-	struct msghdr *msg = arg;
+-	struct sctp_chunk *abort;
++	struct sctp_chunk *abort = arg;
+ 	sctp_disposition_t retval;
+ 
+ 	/* Stop T1-init timer */
+@@ -4132,12 +4125,7 @@ sctp_disposition_t sctp_sf_cookie_wait_p
+ 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
+ 	retval = SCTP_DISPOSITION_CONSUME;
+ 
+-	/* Generate ABORT chunk to send the peer */
+-	abort = sctp_make_abort_user(asoc, NULL, msg);
+-	if (!abort)
+-		retval = SCTP_DISPOSITION_NOMEM;
+-	else
+-		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
++	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+ 
+ 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ 			SCTP_STATE(SCTP_STATE_CLOSED));
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 277b19f..6620b87 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1199,8 +1199,16 @@ SCTP_STATIC int sctp_sendmsg(struct sock
+ 			goto out_unlock;
+ 		}
+ 		if (sinfo_flags & MSG_ABORT) {
++			struct sctp_chunk *chunk;
++
++			chunk = sctp_make_abort_user(asoc, msg, msg_len);
++			if (!chunk) {
++				err = -ENOMEM;
++				goto out_unlock;
++			}
++
+ 			SCTP_DEBUG_PRINTK("Aborting association: %p\n", asoc);
+-			sctp_primitive_ABORT(asoc, msg);
++			sctp_primitive_ABORT(asoc, chunk);
+ 			err = 0;
+ 			goto out_unlock;
+ 		}
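Review bot: The comment kept in sctp_sf_do_9_1_prm_abort — `Even if we can't send the ABORT due to low memory delete the TCB. This is a departure from our typical NOMEM handling.` — is now stale, because the NOMEM case moved to the MSG_ABORT branch of sctp_sendmsg and the state function receives a ready-built chunk via `arg`; `retval` in it and in sctp_sf_cookie_wait_prm_abort is now unconditionally SCTP_DISPOSITION_CONSUME, so both comment and variable should be updated together. In sctp_make_abort_user the `kmalloc(paylen, GFP_KERNEL)` size and the `memcpy_fromiovec` length come straight from the caller's `msg_len` with no bound visible in this hunk; confirm that sctp_make_abort, or sctp_sendmsg before the MSG_ABORT branch, rejects payloads larger than an ABORT chunk can carry, and note that requirement in the function's header comment. The old `if (msg)` guard is gone, so `msg->msg_iov` is dereferenced whenever `paylen` is non-zero; the only visible caller passes a non-NULL msg, which is a precondition worth stating. In sctp_sendmsg the return value of `sctp_primitive_ABORT(asoc, chunk)` is still ignored; if that call can fail without consuming the chunk, the freshly built chunk leaks, which should be checked against sctp_primitive_ABORT since the tail of sctp_make_abort_user (its error labels) also lies outside the hunk.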
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/linux-2.4-update.patch?r1=1.1&r2=1.2&f=u


