Author: dannf
Date: Thu Feb 14 03:03:50 2008
New Revision: 10537
Log:
* reset-pdeathsig-on-suid.dpatch
* amd64-zero-extend-32bit-ptrace.dpatch
[SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
See CVE-2007-4573
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
---
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
(original)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
Thu Feb 14 03:03:50 2008
@@ -13,7 +13,7 @@
* aacraid-ioctl-perm-check.dpatch
[SECURITY] Require admin capabilities to issue ioctls to aacraid devices
See CVE-2007-4308
- * reset-pdeathsig-on-suid.dpatch
+ * reset-pdeathsig-on-suid.dpatch
[SECURITY] Fix potential privilege escalation caused by improper
clearing of the child process' pdeath signal.
See CVE-2007-3848
@@ -53,8 +53,11 @@
[SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree
which could be used to trigger a BUG_ON() call in exit_mmap.
See CVE-2007-4133
+ * amd64-zero-extend-32bit-ptrace.dpatch
+ [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
+ See CVE-2007-4573
- -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 15:18:17 -0700
+ -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 19:59:45 -0700
kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch
==============================================================================
--- (empty file)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch
Thu Feb 14 03:03:50 2008
@@ -0,0 +1,88 @@
+From: Andi Kleen <[EMAIL PROTECTED]>
+Date: Fri, 21 Sep 2007 14:16:18 +0000 (+0200)
+Subject: x86_64: Zero extend all registers after ptrace in 32bit entry path.
+X-Git-Url:
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=176df2457ef6207156ca1a40991c54ca01fef567
+
+x86_64: Zero extend all registers after ptrace in 32bit entry path.
+
+Strictly it's only needed for eax.
+
+It actually does a little more than strictly needed -- the other registers
+are already zero extended.
+
+Also remove the now unnecessary and non functional compat task check
+in ptrace.
+
+This is CVE-2007-4573
+
+Found by Wojciech Purczynski
+
+Signed-off-by: Andi Kleen <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Adjusted to apply to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN kernel-source-2.6.8.orig/arch/x86_64/ia32/ia32entry.S
kernel-source-2.6.8/arch/x86_64/ia32/ia32entry.S
+--- kernel-source-2.6.8.orig/arch/x86_64/ia32/ia32entry.S 2007-05-26
02:54:38.000000000 -0600
++++ kernel-source-2.6.8/arch/x86_64/ia32/ia32entry.S 2008-02-13
19:50:46.000000000 -0700
+@@ -35,6 +35,18 @@
+ movq %rax,R8(%rsp)
+ .endm
+
++ .macro LOAD_ARGS32 offset
++ movl \offset(%rsp),%r11d
++ movl \offset+8(%rsp),%r10d
++ movl \offset+16(%rsp),%r9d
++ movl \offset+24(%rsp),%r8d
++ movl \offset+40(%rsp),%ecx
++ movl \offset+48(%rsp),%edx
++ movl \offset+56(%rsp),%esi
++ movl \offset+64(%rsp),%edi
++ movl \offset+72(%rsp),%eax
++ .endm
++
+ /*
+ * 32bit SYSENTER instruction entry.
+ *
+@@ -107,7 +119,7 @@ sysenter_tracesys:
+ movq $-ENOSYS,RAX(%rsp) /* really needed? */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed
it */
++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed
it */
+ RESTORE_REST
+ movl %ebp, %ebp
+ /* no need to do an access_ok check here because rbp has been
+@@ -188,7 +200,7 @@ cstar_tracesys:
+ movq $-ENOSYS,RAX(%rsp) /* really needed? */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed
it */
++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed
it */
+ RESTORE_REST
+ movl RSP-ARGOFFSET(%rsp), %r8d
+ /* no need to do an access_ok check here because r8 has been
+@@ -252,7 +264,7 @@ ia32_tracesys:
+ movq $-ENOSYS,RAX(%rsp) /* really needed? */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed
it */
++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed
it */
+ RESTORE_REST
+ jmp ia32_do_syscall
+
+diff -urpN kernel-source-2.6.8.orig/arch/x86_64/kernel/ptrace.c
kernel-source-2.6.8/arch/x86_64/kernel/ptrace.c
+--- kernel-source-2.6.8.orig/arch/x86_64/kernel/ptrace.c 2007-05-26
02:54:39.000000000 -0600
++++ kernel-source-2.6.8/arch/x86_64/kernel/ptrace.c 2008-02-13
19:42:49.000000000 -0700
+@@ -97,10 +97,6 @@ static int putreg(struct task_struct *ch
+ {
+ unsigned long tmp;
+
+- /* Some code in the 64bit emulation may not be 64bit clean.
+- Don't take any chances. */
+- if (test_tsk_thread_flag(child, TIF_IA32))
+- value &= 0xffffffff;
+ switch (regno) {
+ case offsetof(struct user_regs_struct,fs):
+ if (value && (value & 3) != 3)
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
---
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
(original)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Thu Feb 14 03:03:50 2008
@@ -14,3 +14,4 @@
+ prevent-stack-growth-into-hugetlb-region.dpatch
+ cifs-honor-umask.dpatch
+ hugetlb-prio_tree-unit-fix.dpatch
++ amd64-zero-extend-32bit-ptrace.dpatch
_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
