Author: lcapitulino
Date: Thu Feb 15 16:48:04 2007
New Revision: 121427

Added:
   
packages/updates/2006.0/kernel-2.6/current/PATCHES/patches/ZZCC_CVE-2006-4538_ia64_corrupt_elf.patch
Modified:
   packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec

Log:
Fix for CVE-2006-4538

Added: 
packages/updates/2006.0/kernel-2.6/current/PATCHES/patches/ZZCC_CVE-2006-4538_ia64_corrupt_elf.patch
==============================================================================
--- (empty file)
+++ 
packages/updates/2006.0/kernel-2.6/current/PATCHES/patches/ZZCC_CVE-2006-4538_ia64_corrupt_elf.patch
        Thu Feb 15 16:48:04 2007
@@ -0,0 +1,122 @@
+---
+ arch/ia64/kernel/sys_ia64.c |   28 ++++++++++++++++------------
+ include/asm-ia64/mman.h     |    8 ++++++++
+ mm/mmap.c                   |   17 +++++++++++++++--
+ 3 files changed, 39 insertions(+), 14 deletions(-)
+
+--- linux-2.6.12.orig/arch/ia64/kernel/sys_ia64.c
++++ linux-2.6.12/arch/ia64/kernel/sys_ia64.c
+@@ -164,10 +164,25 @@ sys_pipe (void)
+       return retval;
+ }
+ 
++int ia64_mmap_check(unsigned long addr, unsigned long len,
++              unsigned long flags)
++{
++      unsigned long roff;
++
++      /*
++       * Don't permit mappings into unmapped space, the virtual page table
++       * of a region, or across a region boundary.  Note: RGN_MAP_LIMIT is
++       * equal to 2^n-PAGE_SIZE (for some integer n <= 61) and len > 0.
++       */
++      roff = REGION_OFFSET(addr);
++      if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len)))
++              return -EINVAL;
++      return 0;
++}
++
+ static inline unsigned long
+ do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, 
unsigned long pgoff)
+ {
+-      unsigned long roff;
+       struct file *file = NULL;
+ 
+       flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+@@ -189,17 +204,6 @@ do_mmap2 (unsigned long addr, unsigned l
+               goto out;
+       }
+ 
+-      /*
+-       * Don't permit mappings into unmapped space, the virtual page table of 
a region,
+-       * or across a region boundary.  Note: RGN_MAP_LIMIT is equal to 
2^n-PAGE_SIZE
+-       * (for some integer n <= 61) and len > 0.
+-       */
+-      roff = REGION_OFFSET(addr);
+-      if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len))) {
+-              addr = -EINVAL;
+-              goto out;
+-      }
+-
+       down_write(&current->mm->mmap_sem);
+       addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+       up_write(&current->mm->mmap_sem);
+--- linux-2.6.12.orig/include/asm-ia64/mman.h
++++ linux-2.6.12/include/asm-ia64/mman.h
+@@ -48,4 +48,12 @@
+ #define MAP_ANON      MAP_ANONYMOUS
+ #define MAP_FILE      0
+ 
++#ifdef __KERNEL__
++#define arch_mmap_check       ia64_mmap_check
++#ifndef __ASSEMBLY__
++int ia64_mmap_check(unsigned long addr, unsigned long len,
++              unsigned long flags);
++#endif
++#endif
++
+ #endif /* _ASM_IA64_MMAN_H */
+--- linux-2.6.12.orig/mm/mmap.c
++++ linux-2.6.12/mm/mmap.c
+@@ -38,6 +38,10 @@ static void unmap_region(struct mm_struc
+ #include <rsbac/adf.h>
+ #endif
+ 
++#ifndef arch_mmap_check
++#define arch_mmap_check(addr, len, flags)     (0)
++#endif
++
+ /*
+  * WARNING: the debugging will use recursive algorithms so never enable this
+  * unless you know what you are doing.
+@@ -914,6 +918,10 @@ unsigned long do_mmap_pgoff(struct file 
+       if (!len)
+               return -EINVAL;
+ 
++      error = arch_mmap_check(addr, len, flags);
++      if (error)
++              return error;
++
+       /* Careful about overflows.. */
+       len = PAGE_ALIGN(len);
+       if (!len || len > TASK_SIZE)
+@@ -1863,6 +1871,7 @@ unsigned long do_brk(unsigned long addr,
+       unsigned long flags;
+       struct rb_node ** rb_link, * rb_parent;
+       pgoff_t pgoff = addr >> PAGE_SHIFT;
++      int error;
+ 
+       len = PAGE_ALIGN(len);
+       if (!len)
+@@ -1871,6 +1880,12 @@ unsigned long do_brk(unsigned long addr,
+       if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+               return -EINVAL;
+ 
++      flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
++
++      error = arch_mmap_check(addr, len, flags);
++      if (error)
++              return error;
++
+       /*
+        * mlock MCL_FUTURE?
+        */
+@@ -1911,8 +1926,6 @@ unsigned long do_brk(unsigned long addr,
+       if (security_vm_enough_memory(len >> PAGE_SHIFT))
+               return -ENOMEM;
+ 
+-      flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+-
+       /* Can we just expand an old private anonymous mapping? */
+       if (vma_merge(mm, prev, addr, addr + len, flags,
+                                       NULL, NULL, pgoff, NULL))
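Review bot: The `flags` argument of the new `ia64_mmap_check` is never read, and its two callers pass different flag namespaces: `do_mmap_pgoff` forwards the MAP_* flags it received from `do_mmap2` (the same value that `flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE)` operates on), while `do_brk` hands in the VM_* value `VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags` computed just above its call. Any later arch implementation that starts honouring `flags` would silently misinterpret one of the two call sites, so the hook contract should say so; I would add above the ia64 definition `/* flags is currently unused: do_mmap_pgoff passes MAP_* flags, do_brk passes VM_* flags. */`. The check in `do_mmap_pgoff` runs on the still-unaligned `len` whereas `do_brk` checks the page-aligned one; the PAGE_SIZE slack described in the RGN_MAP_LIMIT comment presumably covers that difference, but it is worth confirming. The patched functions `do_mmap2`, `do_mmap_pgoff` and `do_brk` all extend beyond their hunks, and whether a remap path that accepts a caller-chosen destination also needs the hook is not visible here.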

Modified: packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec
==============================================================================
--- packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec    
(original)
+++ packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec    Thu Feb 
15 16:48:04 2007
@@ -1369,6 +1369,8 @@
 %changelog
 * Thu Feb 15 2007 Luiz Capitulino <[EMAIL PROTECTED]> 2.6.12-31uc1mdk
     - NET: Make sure l_linger is unsigned to avoid negative timeouts
+    - Security fixes:
+      * ZZCC_CVE-2006-4538_ia64_corrupt_elf.patch                (#26747)
 
 * Thu Jan 18 2007 Samir Bellabes <[EMAIL PROTECTED]> 2.6.12-30mdk
   o Samir Bellabes <[EMAIL PROTECTED]>
