Author: dannf
Date: Tue Feb 19 07:21:41 2008
New Revision: 10576

Log:
* mmap-VM_DONTEXPAND.dpatch
  [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
  a fault handler but do not bounds check the offset argument
  See CVE-2008-0007
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Tue Feb 19 07:21:41 2008 @@ -73,8 +73,12 @@ [SECURITY] Avoid seeding with the same values at boot time when a system has no entropy source See CVE-2007-2453 + * mmap-VM_DONTEXPAND.dpatch + [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register + a fault handler but do not bounds check the offset argument + See CVE-2008-0007 - -- dann frazier <[EMAIL PROTECTED]> Thu, 14 Feb 2008 15:32:34 -0700 + -- dann frazier <[EMAIL PROTECTED]> Tue, 19 Feb 2008 00:18:26 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch Tue Feb 19 07:21:41 2008 
@@ -0,0 +1,122 @@ +From: Nick Piggin <[EMAIL PROTECTED]> +Date: Sat, 2 Feb 2008 02:08:53 +0000 (+0100) +Subject: vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) +X-Git-Tag: v2.6.22.17~1 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.22.y.git;a=commitdiff_plain;h=83af8eda68a3f0c227d0eb05348e58ae27a62e7e + +vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) + +Drivers that register a ->fault handler, but do not range-check the +offset argument, must set VM_DONTEXPAND in the vm_flags in order to +prevent an expanding mremap from overflowing the resource. + +I've audited the tree and attempted to fix these problems (usually by +adding VM_DONTEXPAND where it is not obvious). + +Signed-off-by: Nick Piggin <[EMAIL PROTECTED]> +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]> +--- +commit 70fc53fa115cefe9ddb33bc284f77a7b10fabbbf +Author: Willy Tarreau <[EMAIL PROTECTED]> +Date: Sun Feb 3 18:32:33 2008 +0100 + + security: insufficient range checks in certain fault handlers + + This is the 2.4 version of Nick Piggin's work on 2.6 fault handlers. + This deals with security vulnerability CVE-2008-0007. + + Drivers that register a ->nopage handler, that does not range-check its + offset argument, must set VM_DONTEXPAND in the vm_flags to ensure the + offset is within bounds. + + 
Signed-off-by: Willy Tarreau <[EMAIL PROTECTED]> + +Ported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]> + +diff --git a/drivers/char/drm-4.0/vm.c b/drivers/char/drm-4.0/vm.c +index f25aaa5..ef50f2d 100644 +--- a/drivers/char/drm-4.0/vm.c ++++ b/drivers/char/drm-4.0/vm.c +@@ -256,6 +256,7 @@ int drm_mmap_dma(struct file *filp, struct vm_area_struct *vma) + + vma->vm_ops = &drm_vm_dma_ops; + vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */ ++ vma->vm_flags |= VM_DONTEXPAND; + + #if LINUX_VERSION_CODE < 0x020203 /* KERNEL_VERSION(2,2,3) */ + /* In Linux 2.2.3 and above, this is +@@ -358,6 +359,7 @@ int drm_mmap(struct file *filp, struct vm_area_struct *vma) + return -EINVAL; /* This should never happen. */ + } + vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */ ++ vma->vm_flags |= VM_DONTEXPAND; + + #if LINUX_VERSION_CODE < 0x020203 /* KERNEL_VERSION(2,2,3) */ + /* In Linux 2.2.3 and above, this is +diff --git a/drivers/char/drm/drm_vm.h b/drivers/char/drm/drm_vm.h +index 4eadbf0..337a1a8 100644 +--- a/drivers/char/drm/drm_vm.h ++++ b/drivers/char/drm/drm_vm.h +@@ -342,6 +342,7 @@ int DRM(mmap_dma)(struct file *filp, struct vm_area_struct *vma) + + vma->vm_ops = &DRM(vm_dma_ops); + vma->vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma->vm_flags |= VM_DONTEXPAND; + vma->vm_file = filp; /* Needed for drm_vm_open() */ + DRM(vm_open)(vma); + return 0; +@@ -475,6 +476,7 @@ int DRM(mmap)(struct file *filp, struct vm_area_struct *vma) + return -EINVAL; /* This should never happen. 
*/ + } + vma->vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma->vm_flags |= VM_DONTEXPAND; + + vma->vm_file = filp; /* Needed for drm_vm_open() */ + DRM(vm_open)(vma); +diff --git a/drivers/sound/via82cxxx_audio.c b/drivers/sound/via82cxxx_audio.c +index 864f164..db5da3c 100644 +--- a/drivers/sound/via82cxxx_audio.c ++++ b/drivers/sound/via82cxxx_audio.c +@@ -2111,6 +2111,7 @@ static struct page * via_mm_nopage (struct vm_area_struct * vma, + { + struct via_info *card = vma->vm_private_data; + struct via_channel *chan = &card->ch_out; ++ unsigned long max_bufs; + struct page *dmapage; + unsigned long pgoff; + int rd, wr; +@@ -2135,14 +2136,11 @@ static struct page * via_mm_nopage (struct vm_area_struct * vma, + rd = card->ch_in.is_mapped; + wr = card->ch_out.is_mapped; + +-#ifndef VIA_NDEBUG +- { +- unsigned long max_bufs = chan->frag_number; +- if (rd && wr) max_bufs *= 2; +- /* via_dsp_mmap() should ensure this */ +- assert (pgoff < max_bufs); +- } +-#endif ++ max_bufs = chan->frag_number; ++ if (rd && wr) ++ max_bufs *= 2; ++ if (pgoff >= max_bufs) ++ return NOPAGE_SIGBUS; + + /* if full-duplex (read+write) and we have two sets of bufs, + * then the playback buffers come first, sez soundcard.c */ +diff --git a/fs/ncpfs/mmap.c b/fs/ncpfs/mmap.c +index 7d9bc34..dd8cb1a 100644 +--- a/fs/ncpfs/mmap.c ++++ b/fs/ncpfs/mmap.c +@@ -47,9 +47,6 @@ static struct page* ncp_file_mmap_nopage(struct vm_area_struct *area, + pos = address - area->vm_start + (area->vm_pgoff << PAGE_SHIFT); + + count = PAGE_SIZE; +- if (address + PAGE_SIZE > area->vm_end) { +- count = area->vm_end - address; +- } + /* what we can read in one go */ + bufsize = NCP_SERVER(inode)->buffer_size; + Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Tue Feb 19 07:21:41 2008 @@ -19,3 +19,4 @@ + powerpc-chrp-null-deref.dpatch + random-bound-check-ordering.dpatch + random-fix-seeding-with-zero-entropy.dpatch ++ mmap-VM_DONTEXPAND.dpatch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
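Review bot: the dpatch description pastes two upstream commit messages back to back (Nick Piggin's 2.6.22.y header, which speaks of ->fault handlers, and Willy Tarreau's 2.4 commit 70fc53fa115cefe9ddb33bc284f77a7b10fabbbf, which speaks of ->nopage handlers) without saying which one the 2.6.8 port was derived from. Since the hunks below patch nopage handlers, a sentence after "Ported to Debian's 2.6.8 by dann frazier" stating that the port follows the 2.4 version, and whether any upstream hunk has no counterpart in 2.6.8, would make the backport easier to verify against upstream.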
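Review bot: in both drivers/char/drm-4.0/vm.c hunks (drm_mmap_dma and drm_mmap) the new `vma->vm_flags |= VM_DONTEXPAND;` line sits directly under `vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */`, so the only comment in reach explains the old flags and the new one is left unexplained. Suggest folding it into the existing statement with its own comment, e.g. `vma->vm_flags |= VM_LOCKED | VM_SHM | VM_DONTEXPAND; /* Don't swap; nopage has no range check, forbid mremap growth */`, so the next reader does not remove it as redundant.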
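Review bot: the drivers/char/drm/drm_vm.h DRM(mmap) hunk shows only the tail of the function after `return -EINVAL; /* This should never happen. */`, so VM_DONTEXPAND is applied on the fall-through path alone; any earlier return in DRM(mmap) that installs a vm_ops with a nopage handler lies outside the visible context and should be checked for the same flag (the DMA path is covered by the separate DRM(mmap_dma) hunk). As in drm-4.0, combining the flag with the `VM_RESERVED; /* Don't swap */` line and commenting why it is needed would help.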
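Review bot: in drivers/sound/via82cxxx_audio.c, replacing the VIA_NDEBUG-only `assert (pgoff < max_bufs);` with an unconditional `if (pgoff >= max_bufs) return NOPAGE_SIGBUS;` is the right shape, because the removed comment `/* via_dsp_mmap() should ensure this */` names exactly the assumption an expanding mremap breaks. Two small points: replace that comment with one saying mremap can grow the VMA past what via_dsp_mmap validated, so the check must stay in production builds; and note in the description that this handler now range-checks and therefore, per the patch's own rule, does not need VM_DONTEXPAND, since it is the one driver in the set treated differently.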
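Review bot: the fs/ncpfs/mmap.c hunk drops the `if (address + PAGE_SIZE > area->vm_end) { count = area->vm_end - address; }` clamp without any explanation in the hunk or the description. The description should state why removing it is safe: if the branch is unreachable because nopage is only called with a page-aligned `address` below `vm_end`, say so and label the hunk as cleanup; if the clamp was itself the problem (an `address` at or past `vm_end` would make `count` negative or wrap, depending on its type), say that instead, since that is the part of the fix a backporter needs to understand.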