SOURCES (LINUX_2_6_16): linux-CVE-2007-3740.patch (NEW), linux-CVE...
adamg
adamg at pld-linux.org
Sun Nov 4 10:15:32 CET 2007
Author: adamg Date: Sun Nov 4 09:15:32 2007 GMT
Module: SOURCES Tag: LINUX_2_6_16
---- Log message:
- new
---- Files affected:
SOURCES:
linux-CVE-2007-3740.patch (NONE -> 1.1.2.1) (NEW), linux-CVE-2007-4308.patch (NONE -> 1.1.2.1) (NEW), linux-CVE-2007-4997.patch (NONE -> 1.1.2.1) (NEW), linux-CVE-2007-5093.patch (NONE -> 1.1.2.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/linux-CVE-2007-3740.patch
diff -u /dev/null SOURCES/linux-CVE-2007-3740.patch:1.1.2.1
--- /dev/null Sun Nov 4 10:15:32 2007
+++ SOURCES/linux-CVE-2007-3740.patch Sun Nov 4 10:15:27 2007
@@ -0,0 +1,82 @@
+From: Steve French <sfrench at us.ibm.com>
+Date: Fri, 2 Nov 2007 02:30:35 +0000 (+0100)
+Subject: CIFS should honour umask (CVE-2007-3740)
+X-Git-Tag: v2.6.16.57-rc1~13
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.16.y.git;a=commitdiff_plain;h=da8262844e325cc9361114c55e8507c1fee54941
+
+CIFS should honour umask (CVE-2007-3740)
+
+This patch makes CIFS honour a process' umask like other filesystems.
+Of course the server is still free to munge the permissions if it wants
+to; but the client will send the "right" permissions to begin with.
+
+A few caveats:
+
+1) It only applies to filesystems that have CAP_UNIX (aka support unix
+extensions)
+2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms()
+after remote creation
+
+When mode to CIFS/NTFS ACL mapping is complete we can do the
+same thing for that case for servers which do not
+support the Unix Extensions.
+
+Signed-off-by: Matt Keenen <matt at opcode-solutions.com>
+Signed-off-by: Steve French <sfrench at us.ibm.com>
+Signed-off-by: Adrian Bunk <bunk at kernel.org>
+---
+
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index 749d6fb..b1bc91c 100644
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -198,7 +198,8 @@ cifs_create(struct inode *inode, struct dentry *direntry, int mode,
+ /* If Open reported that we actually created a file
+ then we now have to set the mode if possible */
+ if ((cifs_sb->tcon->ses->capabilities & CAP_UNIX) &&
+- (oplock & CIFS_CREATE_ACTION))
++ (oplock & CIFS_CREATE_ACTION)) {
++ mode &= ~current->fs->umask;
+ if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
+ CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode,
+ (__u64)current->fsuid,
+@@ -216,7 +217,7 @@ cifs_create(struct inode *inode, struct dentry *direntry, int mode,
+ cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
+ }
+- else {
++ } else {
+ /* BB implement mode setting via Windows security descriptors */
+ /* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/
+ /* could set r/o dos attribute if mode & 0222 == 0 */
+@@ -324,6 +325,7 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, int mode,
+ if(full_path == NULL)
+ rc = -ENOMEM;
+ else if (pTcon->ses->capabilities & CAP_UNIX) {
++ mode &= ~current->fs->umask;
+ if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
+ rc = CIFSSMBUnixSetPerms(xid, pTcon, full_path,
+ mode,(__u64)current->fsuid,(__u64)current->fsgid,
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index f94b411..e63079d 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -752,7 +752,8 @@ int cifs_mkdir(struct inode *inode, struct dentry *direntry, int mode)
+ d_instantiate(direntry, newinode);
+ if (direntry->d_inode)
+ direntry->d_inode->i_nlink = 2;
+- if (cifs_sb->tcon->ses->capabilities & CAP_UNIX)
++ if (cifs_sb->tcon->ses->capabilities & CAP_UNIX) {
++ mode &= ~current->fs->umask;
+ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
+ CIFSSMBUnixSetPerms(xid, pTcon, full_path,
+ mode,
+@@ -770,7 +771,7 @@ int cifs_mkdir(struct inode *inode, struct dentry *direntry, int mode)
+ cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
+ }
+- else {
++ } else {
+ /* BB to be implemented via Windows secrty descriptors
+ eg CIFSSMBWinSetPerms(xid, pTcon, full_path, mode,
+ -1, -1, local_nls); */
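Review bot: In the cifs_create hunk at line 198 the umask is applied to `mode` only after the open has already reported CIFS_CREATE_ACTION, i.e. in the follow-up CIFSSMBUnixSetPerms() path, which the commit message lists as caveat 2; the file therefore exists on the server between the create and the SetPerms call with whatever mode the create itself established, and nothing in this hunk changes that, since the create call is outside the hunk. Because `mode` is masked in place and cifs_create continues past the hunk, it is worth confirming that no later use of `mode` in the function (e.g. for the local inode) expected the unmasked value; the same caution applies to the cifs_mknod hunk at line 324 and the cifs_mkdir hunk at line 752, which follow the identical pattern. A short comment on the new line would make the scope of the change obvious to the next reader, e.g. `/* Unix extensions: honour the caller's umask here; non-Unix servers still get the unmasked mode until mode-to-ACL mapping exists */`.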
================================================================
Index: SOURCES/linux-CVE-2007-4308.patch
diff -u /dev/null SOURCES/linux-CVE-2007-4308.patch:1.1.2.1
--- /dev/null Sun Nov 4 10:15:32 2007
+++ SOURCES/linux-CVE-2007-4308.patch Sun Nov 4 10:15:27 2007
@@ -0,0 +1,40 @@
+From: Alan Cox <alan at redhat.com>
+Date: Fri, 2 Nov 2007 02:41:27 +0000 (+0100)
+Subject: aacraid: fix security hole (CVE-2007-4308)
+X-Git-Tag: v2.6.16.57-rc1~12
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.16.y.git;a=commitdiff_plain;h=401ef3d54cde6967c856b8fb362a91f406750767
+
+aacraid: fix security hole (CVE-2007-4308)
+
+On the SCSI layer ioctl path there is no implicit permissions check for
+ioctls (and indeed other drivers implement unprivileged ioctls). aacraid
+however allows all sorts of very admin only things to be done so should
+check.
+
+Signed-off-by: Alan Cox <alan at redhat.com>
+Acked-by: Mark Salyzyn <mark_salyzyn at adaptec.com>
+Signed-off-by: Adrian Bunk <bunk at kernel.org>
+---
+
+diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
+index 2716178..19a4579 100644
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -539,6 +539,8 @@ static int aac_cfg_open(struct inode *inode, struct file *file)
+ static int aac_cfg_ioctl(struct inode *inode, struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
+ return aac_do_ioctl(file->private_data, cmd, (void __user *)arg);
+ }
+
+@@ -592,6 +594,8 @@ static int aac_compat_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
+
+ static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+ {
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
+ return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg);
+ }
+ #endif
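Review bot: The CAP_SYS_ADMIN guard is added only to the character-device entry points aac_cfg_ioctl and aac_compat_cfg_ioctl, while the commit message names the SCSI-layer ioctl path as the one lacking an implicit permission check; the second hunk's header shows aac_compat_ioctl(struct scsi_device *sdev, ...) immediately above the patched function and it is not touched here. If that routine and its non-compat counterpart also reach aac_do_ioctl / aac_compat_do_ioctl (not visible in this diff), the same `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` belongs there as well, otherwise the admin-only commands stay reachable through the SCSI device node. Since both patched functions are one-line wrappers, placing the check once at the top of aac_do_ioctl and aac_compat_do_ioctl would cover every caller and avoid the check drifting out of sync between entry points.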
================================================================
Index: SOURCES/linux-CVE-2007-4997.patch
diff -u /dev/null SOURCES/linux-CVE-2007-4997.patch:1.1.2.1
--- /dev/null Sun Nov 4 10:15:32 2007
+++ SOURCES/linux-CVE-2007-4997.patch Sun Nov 4 10:15:27 2007
@@ -0,0 +1,55 @@
+From: John W. Linville <linville at tuxdriver.com>
+Date: Fri, 2 Nov 2007 02:13:03 +0000 (+0100)
+Subject: [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
+X-Git-Tag: v2.6.16.57-rc1~14
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.16.y.git;a=commitdiff_plain;h=c515d9db76c3fe82243677ecfbff559d05f9e852
+
+[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
+
+Reported by Chris Evans <scarybeasts at gmail.com>:
+
+> The summary is that an evil 80211 frame can crash out a victim's
+> machine. It only applies to drivers using the 80211 wireless code, and
+> only then to certain drivers (and even then depends on a card's
+> firmware not dropping a dubious packet). I must confess I'm not
+> keeping track of Linux wireless support, and the different protocol
+> stacks etc.
+>
+> Details are as follows:
+>
+> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
+> There are other skb->len checks, but not enough to prevent a subtle
+> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
+> set.
+>
+> This leads to integer underflow and crash here:
+>
+> if (frag != 0)
+> flen -= hdrlen;
+>
+> (flen is subsequently used as a memcpy length parameter).
+
+How about this?
+
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Adrian Bunk <bunk at kernel.org>
+---
+
+diff --git a/net/ieee80211/ieee80211_rx.c b/net/ieee80211/ieee80211_rx.c
+index 7ac6a71..5bc14e2 100644
+--- a/net/ieee80211/ieee80211_rx.c
++++ b/net/ieee80211/ieee80211_rx.c
+@@ -367,6 +367,12 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
+ frag = WLAN_GET_SEQ_FRAG(sc);
+ hdrlen = ieee80211_get_hdrlen(fc);
+
++ if (skb->len < hdrlen) {
++ printk(KERN_INFO "%s: invalid SKB length %d\n",
++ dev->name, skb->len);
++ goto rx_dropped;
++ }
++
+ /* Put this code here so that we avoid duplicating it in all
+ * Rx paths. - Jean II */
+ #ifdef IW_WIRELESS_SPY /* defined in iw_handler.h */
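Review bot: The printk in the added length check fires unconditionally at KERN_INFO for every runt frame, and because the frame is attacker-controlled over the air this turns the fix into a remote log-flooding vector; guard it with `if (printk_ratelimit())` or use the stack's IEEE80211_DEBUG_DROP macro if this tree has it, so the drop is still visible without being spammable. The format string also uses `%d` for skb->len, which is unsigned, so `%u` is the matching conversion. The rest of ieee80211_rx lies outside the hunk, so it is not visible whether the rx_dropped target already counts the drop, which would make a message unnecessary altogether.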
================================================================
Index: SOURCES/linux-CVE-2007-5093.patch
diff -u /dev/null SOURCES/linux-CVE-2007-5093.patch:1.1.2.1
--- /dev/null Sun Nov 4 10:15:32 2007
+++ SOURCES/linux-CVE-2007-5093.patch Sun Nov 4 10:15:27 2007
@@ -0,0 +1,125 @@
+From: Oliver Neukum <oneukum at suse.de>
+Date: Sat, 27 Oct 2007 21:36:46 +0000 (+0200)
+Subject: USB: fix DoS in pwc USB video driver (CVE-2007-5093)
+X-Git-Tag: v2.6.16.57-rc1~16
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.16.y.git;a=commitdiff_plain;h=402a199dab7513f1f38fe3a0e0e8dd72a2de83f5
+
+USB: fix DoS in pwc USB video driver (CVE-2007-5093)
+
+The pwc driver has a disconnect method that waits for user space to
+close the device. This opens up an opportunity for a DoS attack,
+blocking the USB subsystem and making khubd's task busy wait in
+kernel space. This patch shifts freeing resources to close if an opened
+device is disconnected.
+
+Adrian Bunk:
+Backported to 2.6.16.
+
+Signed-off-by: Oliver Neukum <oneukum at suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+Signed-off-by: Adrian Bunk <bunk at kernel.org>
+---
+
+diff --git a/drivers/usb/media/pwc/pwc-if.c b/drivers/usb/media/pwc/pwc-if.c
+index 4f9b0dc..8e55391 100644
+--- a/drivers/usb/media/pwc/pwc-if.c
++++ b/drivers/usb/media/pwc/pwc-if.c
+@@ -1100,12 +1100,18 @@ static int pwc_video_open(struct inode *inode, struct file *file)
+ return 0;
+ }
+
++
++static void pwc_cleanup(struct pwc_device *pdev)
++{
++ video_unregister_device(pdev->vdev);
++}
++
+ /* Note that all cleanup is done in the reverse order as in _open */
+ static int pwc_video_close(struct inode *inode, struct file *file)
+ {
+ struct video_device *vdev = file->private_data;
+ struct pwc_device *pdev;
+- int i;
++ int i, hint;
+
+ Trace(TRACE_OPEN, ">> video_close called(vdev = 0x%p).\n", vdev);
+
+@@ -1140,8 +1146,9 @@ static int pwc_video_close(struct inode *inode, struct file *file)
+ pwc_isoc_cleanup(pdev);
+ pwc_free_buffers(pdev);
+
++ lock_kernel();
+ /* Turn off LEDS and power down camera, but only when not unplugged */
+- if (pdev->error_status != EPIPE) {
++ if (!pdev->unplugged) {
+ /* Turn LEDs off */
+ if (pwc_set_leds(pdev, 0, 0) < 0)
+ Info("Failed to set LED on/off time.\n");
+@@ -1150,9 +1157,19 @@ static int pwc_video_close(struct inode *inode, struct file *file)
+ if (i < 0)
+ Err("Failed to power down camera (%d)\n", i);
+ }
++ pdev->vopen = 0;
++ Trace(TRACE_OPEN, "<< video_close()\n");
++ } else {
++ pwc_cleanup(pdev);
++ /* Free memory (don't set pdev to 0 just yet) */
++ kfree(pdev);
++ /* search device_hint[] table if we occupy a slot, by any chance */
++ for (hint = 0; hint < MAX_DEV_HINTS; hint++)
++ if (device_hint[hint].pdev == pdev)
++ device_hint[hint].pdev = NULL;
+ }
+- pdev->vopen = 0;
+- Trace(TRACE_OPEN, "<< video_close()\n");
++ unlock_kernel();
++
+ return 0;
+ }
+
+@@ -1989,20 +2006,21 @@ static void usb_pwc_disconnect(struct usb_interface *intf)
+ /* Alert waiting processes */
+ wake_up_interruptible(&pdev->frameq);
+ /* Wait until device is closed */
+- while (pdev->vopen)
+- schedule();
+- /* Device is now closed, so we can safely unregister it */
+- Trace(TRACE_PROBE, "Unregistering video device in disconnect().\n");
+- video_unregister_device(pdev->vdev);
+-
+- /* Free memory (don't set pdev to 0 just yet) */
+- kfree(pdev);
++ if(pdev->vopen) {
++ pdev->unplugged = 1;
++ } else {
++ /* Device is closed, so we can safely unregister it */
++ Trace(TRACE_PROBE, "Unregistering video device in disconnect().\n");
++ pwc_cleanup(pdev);
++ /* Free memory (don't set pdev to 0 just yet) */
++ kfree(pdev);
+
+ disconnect_out:
+- /* search device_hint[] table if we occupy a slot, by any chance */
+- for (hint = 0; hint < MAX_DEV_HINTS; hint++)
+- if (device_hint[hint].pdev == pdev)
+- device_hint[hint].pdev = NULL;
++ /* search device_hint[] table if we occupy a slot, by any chance */
++ for (hint = 0; hint < MAX_DEV_HINTS; hint++)
++ if (device_hint[hint].pdev == pdev)
++ device_hint[hint].pdev = NULL;
++ }
+
+ unlock_kernel();
+ }
+diff --git a/drivers/usb/media/pwc/pwc.h b/drivers/usb/media/pwc/pwc.h
+index 6dd76bb..bb888e8 100644
+--- a/drivers/usb/media/pwc/pwc.h
++++ b/drivers/usb/media/pwc/pwc.h
+@@ -149,6 +149,7 @@ struct pwc_device
+ char vsnapshot; /* snapshot mode */
+ char vsync; /* used by isoc handler */
+ char vmirror; /* for ToUCaM series */
++ char unplugged;
+
+ int cmd_len;
+ unsigned char cmd_buf[13];
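Review bot: In the new else branch of pwc_video_close the device_hint[] loop compares `device_hint[hint].pdev == pdev` only after `kfree(pdev)` has run, so the cleanup works with a freed pointer value; moving `kfree(pdev);` below the loop keeps the comparison on a live object and costs nothing, since pdev is not dereferenced in the loop. The `disconnect_out:` label in usb_pwc_disconnect now sits inside the else block, so the goto (whose site is outside the hunk) jumps into a block; that is legal C but easy to misread, and a comment such as `/* disconnect_out: entered via goto; only the hint slot needs clearing here */` would record the intent, assuming that is what the goto path relies on. Both pwc_video_close and usb_pwc_disconnect extend beyond the hunks shown.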
================================================================