Author: dannf
Date: Thu Feb 14 03:03:50 2008
New Revision: 10537

Log:
* reset-pdeathsig-on-suid.dpatch
* amd64-zero-extend-32bit-ptrace.dpatch
  [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
  See CVE-2007-4573
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Thu Feb 14 03:03:50 2008 @@ -13,7 +13,7 @@ * aacraid-ioctl-perm-check.dpatch [SECURITY] Require admin capabilities to issue ioctls to aacraid devices See CVE-2007-4308 - * reset-pdeathsig-on-suid.dpatch + * reset-pdeathsig-on-suid.dpatch [SECURITY] Fix potential privilege escalation caused by improper clearing of the child process' pdeath signal. See CVE-2007-3848 @@ -53,8 +53,11 @@ [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree which could be used to trigger a BUG_ON() call in exit_mmap. See CVE-2007-4133 + * amd64-zero-extend-32bit-ptrace.dpatch + [SECURITY] Zero extend all registers after ptrace in 32-bit entry path. + See CVE-2007-4573 - -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 15:18:17 -0700 + -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 19:59:45 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch Thu Feb 14 03:03:50 2008 
@@ -0,0 +1,88 @@ +From: Andi Kleen <[EMAIL PROTECTED]> +Date: Fri, 21 Sep 2007 14:16:18 +0000 (+0200) +Subject: x86_64: Zero extend all registers after ptrace in 32bit entry path. +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=176df2457ef6207156ca1a40991c54ca01fef567 + +x86_64: Zero extend all registers after ptrace in 32bit entry path. + +Strictly it's only needed for eax. + +It actually does a little more than strictly needed -- the other registers +are already zero extended. + +Also remove the now unnecessary and non functional compat task check +in ptrace. + +This is CVE-2007-4573 + +Found by Wojciech Purczynski + +Signed-off-by: Andi Kleen <[EMAIL PROTECTED]> +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +Adjusted to apply to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]> + +diff -urpN kernel-source-2.6.8.orig/arch/x86_64/ia32/ia32entry.S kernel-source-2.6.8/arch/x86_64/ia32/ia32entry.S +--- kernel-source-2.6.8.orig/arch/x86_64/ia32/ia32entry.S 2007-05-26 02:54:38.000000000 -0600 ++++ kernel-source-2.6.8/arch/x86_64/ia32/ia32entry.S 2008-02-13 19:50:46.000000000 -0700 +@@ -35,6 +35,18 @@ + movq %rax,R8(%rsp) + .endm + ++ .macro LOAD_ARGS32 offset ++ movl \offset(%rsp),%r11d ++ movl \offset+8(%rsp),%r10d ++ movl \offset+16(%rsp),%r9d ++ movl \offset+24(%rsp),%r8d ++ movl \offset+40(%rsp),%ecx ++ movl \offset+48(%rsp),%edx ++ movl \offset+56(%rsp),%esi ++ movl \offset+64(%rsp),%edi ++ movl \offset+72(%rsp),%eax ++ .endm ++ + /* + * 32bit SYSENTER instruction entry. + * +@@ -107,7 +119,7 @@ sysenter_tracesys: + movq $-ENOSYS,RAX(%rsp) /* really needed? 
*/ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST + movl %ebp, %ebp + /* no need to do an access_ok check here because rbp has been +@@ -188,7 +200,7 @@ cstar_tracesys: + movq $-ENOSYS,RAX(%rsp) /* really needed? */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST + movl RSP-ARGOFFSET(%rsp), %r8d + /* no need to do an access_ok check here because r8 has been +@@ -252,7 +264,7 @@ ia32_tracesys: + movq $-ENOSYS,RAX(%rsp) /* really needed? */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST + jmp ia32_do_syscall + +diff -urpN kernel-source-2.6.8.orig/arch/x86_64/kernel/ptrace.c kernel-source-2.6.8/arch/x86_64/kernel/ptrace.c +--- kernel-source-2.6.8.orig/arch/x86_64/kernel/ptrace.c 2007-05-26 02:54:39.000000000 -0600 ++++ kernel-source-2.6.8/arch/x86_64/kernel/ptrace.c 2008-02-13 19:42:49.000000000 -0700 +@@ -97,10 +97,6 @@ static int putreg(struct task_struct *ch + { + unsigned long tmp; + +- /* Some code in the 64bit emulation may not be 64bit clean. +- Don't take any chances. 
*/ +- if (test_tsk_thread_flag(child, TIF_IA32)) +- value &= 0xffffffff; + switch (regno) { + case offsetof(struct user_regs_struct,fs): + if (value && (value & 3) != 3) Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Thu Feb 14 03:03:50 2008 @@ -14,3 +14,4 @@ + prevent-stack-growth-into-hugetlb-region.dpatch + cifs-honor-umask.dpatch + hugetlb-prio_tree-unit-fix.dpatch ++ amd64-zero-extend-32bit-ptrace.dpatch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
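Review bot: the first changelog hunk (`@@ -13,7 +13,7 @@`) replaces the `* reset-pdeathsig-on-suid.dpatch` line with text that renders identically, so this is a whitespace-only correction (indentation or a trailing space), yet the commit log lists that dpatch as if something changed. Suggest wording the log entry as "fix indentation of the reset-pdeathsig-on-suid entry" so nobody reading the history goes looking for a content change to that patch.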
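Review bot: the new `LOAD_ARGS32` macro in ia32entry.S has no comment saying why it exists next to `LOAD_ARGS`: the 32-bit `movl` destinations (`%r11d` through `%eax`) are the entire fix, because a 32-bit write clears the upper half of the register, so a 64-bit value that a tracer stored through ptrace cannot survive into the register the 32-bit syscall dispatch uses as the syscall number. Suggest a one-line comment above the macro, e.g. `/* 32-bit moves zero-extend: use after ptrace may have stored 64-bit values */`, plus a note that the offsets must stay in step with the existing `LOAD_ARGS` it mirrors. The gap at `\offset+32` (nothing is loaded between `%r8d` and `%ecx`) presumably matches that macro's layout, but it reads like an omission; please confirm and say so in the comment.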
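Review bot: all three trace paths (`sysenter_tracesys`, `cstar_tracesys`, `ia32_tracesys`) now use `LOAD_ARGS32`, but the trailing `/* reload args from stack in case ptrace changed it */` comment is carried over unchanged at each site. It should also say that the reload truncates to 32 bits, otherwise a later cleanup that unifies these sites with the 64-bit `LOAD_ARGS` users would silently reintroduce the problem. The `RESTORE_REST` that follows still restores the remaining registers as 64-bit, which looks acceptable here because the sysenter path's `movl %ebp, %ebp` and the cstar path's `movl RSP-ARGOFFSET(%rsp), %r8d` already zero-extend the ones the 32-bit ABI hands to the callee; a sentence to that effect in the dpatch header would spare the next reviewer the same check.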
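Review bot: dropping the `test_tsk_thread_flag(child, TIF_IA32)` mask in `putreg()` is only safe because the ia32entry.S hunks now truncate every register on the way back into the syscall, yet the dpatch header just calls the check "unnecessary and non functional" without saying why it could not be relied on: it keys off the tracee's thread flag, whereas the entry-path change covers whatever task actually takes the 32-bit path. Suggest spelling out that dependency in the header so the two parts are never backported separately, and leaving a short comment at the removed site pointing at `LOAD_ARGS32` as the replacement for the masking.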