Author: dannf
Date: Sun Feb 17 18:30:06 2008
New Revision: 10562

Log:
* 264_mmap-VM_DONTEXPAND.diff
  [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
  a fault handler but do not bounds check the offset argument
  See CVE-2008-0007

Added:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/264_mmap-VM_DONTEXPAND.diff
Modified:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Sun Feb 17 18:30:06 2008
@@ -78,8 +78,12 @@
     If userspace still has the device open it can result, the driver would
     wait for the device to close, blocking the USB subsystem.
     See CVE-2007-5093
+  * 264_mmap-VM_DONTEXPAND.diff
+    [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
+    a fault handler but do not bounds check the offset argument
+    See CVE-2008-0007
 
- -- dann frazier <[EMAIL PROTECTED]>  Thu, 14 Feb 2008 14:56:01 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Thu, 14 Feb 2008 14:59:56 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/264_mmap-VM_DONTEXPAND.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/264_mmap-VM_DONTEXPAND.diff
       Sun Feb 17 18:30:06 2008
@@ -0,0 +1,101 @@
+commit 70fc53fa115cefe9ddb33bc284f77a7b10fabbbf
+Author: Willy Tarreau <[EMAIL PROTECTED]>
+Date:   Sun Feb 3 18:32:33 2008 +0100
+
+    security: insufficient range checks in certain fault handlers
+    
+    This is the 2.4 version of Nick Piggin's work on 2.6 fault handlers.
+    This deals with security vulnerability CVE-2008-0007.
+    
+    Drivers that register a ->nopage handler, that does not range-check its
+    offset argument, must set VM_DONTEXPAND in the vm_flags to ensure the
+    offset is within bounds.
+    
+    Signed-off-by: Willy Tarreau <[EMAIL PROTECTED]>
+
+diff --git a/drivers/char/drm-4.0/vm.c b/drivers/char/drm-4.0/vm.c
+index f25aaa5..ef50f2d 100644
+--- a/drivers/char/drm-4.0/vm.c
++++ b/drivers/char/drm-4.0/vm.c
+@@ -256,6 +256,7 @@ int drm_mmap_dma(struct file *filp, struct vm_area_struct 
*vma)
+ 
+       vma->vm_ops   = &drm_vm_dma_ops;
+       vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */
++      vma->vm_flags |= VM_DONTEXPAND;
+       
+ #if LINUX_VERSION_CODE < 0x020203 /* KERNEL_VERSION(2,2,3) */
+                               /* In Linux 2.2.3 and above, this is
+@@ -358,6 +359,7 @@ int drm_mmap(struct file *filp, struct vm_area_struct *vma)
+               return -EINVAL; /* This should never happen. */
+       }
+       vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */
++      vma->vm_flags |= VM_DONTEXPAND;
+ 
+ #if LINUX_VERSION_CODE < 0x020203 /* KERNEL_VERSION(2,2,3) */
+                               /* In Linux 2.2.3 and above, this is
+diff --git a/drivers/char/drm/drm_vm.h b/drivers/char/drm/drm_vm.h
+index 4eadbf0..337a1a8 100644
+--- a/drivers/char/drm/drm_vm.h
++++ b/drivers/char/drm/drm_vm.h
+@@ -342,6 +342,7 @@ int DRM(mmap_dma)(struct file *filp, struct vm_area_struct 
*vma)
+ 
+       vma->vm_ops   = &DRM(vm_dma_ops);
+       vma->vm_flags |= VM_RESERVED; /* Don't swap */
++      vma->vm_flags |= VM_DONTEXPAND;
+       vma->vm_file  =  filp;  /* Needed for drm_vm_open() */
+       DRM(vm_open)(vma);
+       return 0;
+@@ -475,6 +476,7 @@ int DRM(mmap)(struct file *filp, struct vm_area_struct 
*vma)
+               return -EINVAL; /* This should never happen. */
+       }
+       vma->vm_flags |= VM_RESERVED; /* Don't swap */
++      vma->vm_flags |= VM_DONTEXPAND;
+ 
+       vma->vm_file  =  filp;  /* Needed for drm_vm_open() */
+       DRM(vm_open)(vma);
+diff --git a/drivers/sound/via82cxxx_audio.c b/drivers/sound/via82cxxx_audio.c
+index 864f164..db5da3c 100644
+--- a/drivers/sound/via82cxxx_audio.c
++++ b/drivers/sound/via82cxxx_audio.c
+@@ -2111,6 +2111,7 @@ static struct page * via_mm_nopage (struct 
vm_area_struct * vma,
+ {
+       struct via_info *card = vma->vm_private_data;
+       struct via_channel *chan = &card->ch_out;
++      unsigned long max_bufs;
+       struct page *dmapage;
+       unsigned long pgoff;
+       int rd, wr;
+@@ -2135,14 +2136,11 @@ static struct page * via_mm_nopage (struct 
vm_area_struct * vma,
+       rd = card->ch_in.is_mapped;
+       wr = card->ch_out.is_mapped;
+ 
+-#ifndef VIA_NDEBUG
+-      {
+-      unsigned long max_bufs = chan->frag_number;
+-      if (rd && wr) max_bufs *= 2;
+-      /* via_dsp_mmap() should ensure this */
+-      assert (pgoff < max_bufs);
+-      }
+-#endif
++      max_bufs = chan->frag_number;
++      if (rd && wr)
++              max_bufs *= 2;
++      if (pgoff >= max_bufs)
++              return NOPAGE_SIGBUS;
+ 
+       /* if full-duplex (read+write) and we have two sets of bufs,
+        * then the playback buffers come first, sez soundcard.c */
+diff --git a/fs/ncpfs/mmap.c b/fs/ncpfs/mmap.c
+index 7d9bc34..dd8cb1a 100644
+--- a/fs/ncpfs/mmap.c
++++ b/fs/ncpfs/mmap.c
+@@ -47,9 +47,6 @@ static struct page* ncp_file_mmap_nopage(struct 
vm_area_struct *area,
+       pos = address - area->vm_start + (area->vm_pgoff << PAGE_SHIFT);
+ 
+       count = PAGE_SIZE;
+-      if (address + PAGE_SIZE > area->vm_end) {
+-              count = area->vm_end - address;
+-      }
+       /* what we can read in one go */
+       bufsize = NCP_SERVER(inode)->buffer_size;
+ 
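Review bot: The fs/ncpfs/mmap.c hunk drops the clamp of `count` to `area->vm_end - address` with no rationale in the patch description, which only explains the VM_DONTEXPAND additions, so a reader auditing this for CVE-2008-0007 cannot tell from the diff whether the clamp was dead code or whether ncp_file_mmap_nopage (which sets no VM_DONTEXPAND) now relies on the read being bounded elsewhere. A one-line comment above the remaining `count = PAGE_SIZE;` would settle it, e.g. `/* address and vm_end are page-aligned here, so a partial trailing page cannot occur; no clamp needed */`, stated as hedged because that alignment guarantee is not visible in this hunk. The same applies to the drivers/sound/via82cxxx_audio.c hunk, which takes the other route the description names (bounds-checking pgoff inside the nopage handler and returning NOPAGE_SIGBUS, instead of setting the flag), so a sentence in the patch header saying that via is range-checked rather than flagged would make the two strategies explicit. ncp_file_mmap_nopage both starts and continues outside the hunk.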

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    Sun Feb 17 18:30:06 2008
@@ -23,3 +23,4 @@
 + 261_listxattr-mem-corruption.diff
 + 262_aacraid-ioctl-perm-check.diff
 + 263_usb-pwc-disconnect-block.diff
++ 264_mmap-VM_DONTEXPAND.diff
