Author: lcapitulino
Date: Thu Feb 15 16:48:04 2007
New Revision: 121427
Added:
packages/updates/2006.0/kernel-2.6/current/PATCHES/patches/ZZCC_CVE-2006-4538_ia64_corrupt_elf.patch
Modified:
packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec
Log:
Fix for CVE-2006-4538
Added:
packages/updates/2006.0/kernel-2.6/current/PATCHES/patches/ZZCC_CVE-2006-4538_ia64_corrupt_elf.patch
==============================================================================
--- (empty file)
+++
packages/updates/2006.0/kernel-2.6/current/PATCHES/patches/ZZCC_CVE-2006-4538_ia64_corrupt_elf.patch
Thu Feb 15 16:48:04 2007
@@ -0,0 +1,122 @@
+---
+ arch/ia64/kernel/sys_ia64.c | 28 ++++++++++++++++------------
+ include/asm-ia64/mman.h | 8 ++++++++
+ mm/mmap.c | 17 +++++++++++++++--
+ 3 files changed, 39 insertions(+), 14 deletions(-)
+
+--- linux-2.6.12.orig/arch/ia64/kernel/sys_ia64.c
++++ linux-2.6.12/arch/ia64/kernel/sys_ia64.c
+@@ -164,10 +164,25 @@ sys_pipe (void)
+ return retval;
+ }
+
++int ia64_mmap_check(unsigned long addr, unsigned long len,
++ unsigned long flags)
++{
++ unsigned long roff;
++
++ /*
++ * Don't permit mappings into unmapped space, the virtual page table
++ * of a region, or across a region boundary. Note: RGN_MAP_LIMIT is
++ * equal to 2^n-PAGE_SIZE (for some integer n <= 61) and len > 0.
++ */
++ roff = REGION_OFFSET(addr);
++ if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len)))
++ return -EINVAL;
++ return 0;
++}
++
+ static inline unsigned long
+ do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd,
unsigned long pgoff)
+ {
+- unsigned long roff;
+ struct file *file = NULL;
+
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+@@ -189,17 +204,6 @@ do_mmap2 (unsigned long addr, unsigned l
+ goto out;
+ }
+
+- /*
+- * Don't permit mappings into unmapped space, the virtual page table of
a region,
+- * or across a region boundary. Note: RGN_MAP_LIMIT is equal to
2^n-PAGE_SIZE
+- * (for some integer n <= 61) and len > 0.
+- */
+- roff = REGION_OFFSET(addr);
+- if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len))) {
+- addr = -EINVAL;
+- goto out;
+- }
+-
+ down_write(¤t->mm->mmap_sem);
+ addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+ up_write(¤t->mm->mmap_sem);
+--- linux-2.6.12.orig/include/asm-ia64/mman.h
++++ linux-2.6.12/include/asm-ia64/mman.h
+@@ -48,4 +48,12 @@
+ #define MAP_ANON MAP_ANONYMOUS
+ #define MAP_FILE 0
+
++#ifdef __KERNEL__
++#define arch_mmap_check ia64_mmap_check
++#ifndef __ASSEMBLY__
++int ia64_mmap_check(unsigned long addr, unsigned long len,
++ unsigned long flags);
++#endif
++#endif
++
+ #endif /* _ASM_IA64_MMAN_H */
+--- linux-2.6.12.orig/mm/mmap.c
++++ linux-2.6.12/mm/mmap.c
+@@ -38,6 +38,10 @@ static void unmap_region(struct mm_struc
+ #include <rsbac/adf.h>
+ #endif
+
++#ifndef arch_mmap_check
++#define arch_mmap_check(addr, len, flags) (0)
++#endif
++
+ /*
+ * WARNING: the debugging will use recursive algorithms so never enable this
+ * unless you know what you are doing.
+@@ -914,6 +918,10 @@ unsigned long do_mmap_pgoff(struct file
+ if (!len)
+ return -EINVAL;
+
++ error = arch_mmap_check(addr, len, flags);
++ if (error)
++ return error;
++
+ /* Careful about overflows.. */
+ len = PAGE_ALIGN(len);
+ if (!len || len > TASK_SIZE)
+@@ -1863,6 +1871,7 @@ unsigned long do_brk(unsigned long addr,
+ unsigned long flags;
+ struct rb_node ** rb_link, * rb_parent;
+ pgoff_t pgoff = addr >> PAGE_SHIFT;
++ int error;
+
+ len = PAGE_ALIGN(len);
+ if (!len)
+@@ -1871,6 +1880,12 @@ unsigned long do_brk(unsigned long addr,
+ if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+ return -EINVAL;
+
++ flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
++
++ error = arch_mmap_check(addr, len, flags);
++ if (error)
++ return error;
++
+ /*
+ * mlock MCL_FUTURE?
+ */
+@@ -1911,8 +1926,6 @@ unsigned long do_brk(unsigned long addr,
+ if (security_vm_enough_memory(len >> PAGE_SHIFT))
+ return -ENOMEM;
+
+- flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+-
+ /* Can we just expand an old private anonymous mapping? */
+ if (vma_merge(mm, prev, addr, addr + len, flags,
+ NULL, NULL, pgoff, NULL))
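Review bot: The two generic call sites hand `arch_mmap_check` differently rounded lengths: in `do_mmap_pgoff` the call `error = arch_mmap_check(addr, len, flags);` is placed above the `/* Careful about overflows.. */` block, i.e. before `len = PAGE_ALIGN(len)`, whereas in `do_brk` it runs after `len = PAGE_ALIGN(len)`. The ia64 implementation appears to cope with an unaligned `len` because of the `RGN_MAP_LIMIT` is `2^n-PAGE_SIZE` property its own comment relies on, but that constraint is not visible at the generic hook, so another architecture defining `arch_mmap_check` could wrongly assume a page-aligned `len`; a comment at the `do_mmap_pgoff` call site such as `/* NB: len is not yet page-aligned here; arch_mmap_check must tolerate that */` would make the contract explicit. The `flags` parameter of `ia64_mmap_check` is unused, which matches the generic hook signature but deserves a short `/* unused on ia64 */` note. The `do_mmap_pgoff` hunk assigns `error` without declaring it, unlike the `do_brk` hunk which adds `int error;`, so it presumably relies on an existing declaration outside the hunk — worth confirming. Both `do_mmap_pgoff` and `do_brk` start and end outside their hunks.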
Modified: packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec
==============================================================================
--- packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec
(original)
+++ packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec Thu Feb
15 16:48:04 2007
@@ -1369,6 +1369,8 @@
%changelog
* Thu Feb 15 2007 Luiz Capitulino <[EMAIL PROTECTED]> 2.6.12-31uc1mdk
- NET: Make sure l_linger is unsigned to avoid negative timeouts
+ - Security fixes:
+ * ZZCC_CVE-2006-4538_ia64_corrupt_elf.patch (#26747)
* Thu Jan 18 2007 Samir Bellabes <[EMAIL PROTECTED]> 2.6.12-30mdk
o Samir Bellabes <[EMAIL PROTECTED]>