Author: dannf Date: Thu Feb 14 05:30:49 2008 New Revision: 10542 Log: * bugfix/mmap-VM_DONTEXPAND.patch [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register a fault handler but do not bounds check the offset argument See CVE-2008-0007
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/mmap-VM_DONTEXPAND.patch Modified: dists/etch-security/linux-2.6/debian/changelog dists/etch-security/linux-2.6/debian/patches/series/18etch2 Modified: dists/etch-security/linux-2.6/debian/changelog ============================================================================== --- dists/etch-security/linux-2.6/debian/changelog (original) +++ dists/etch-security/linux-2.6/debian/changelog Thu Feb 14 05:30:49 2008 @@ -4,8 +4,12 @@ [SECURITY][powerpc] Fix NULL pointer dereference if get_property fails on the subarchitecture See CVE-2007-6694 + * bugfix/mmap-VM_DONTEXPAND.patch + [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register + a fault handler but do not bounds check the offset argument + See CVE-2008-0007 - -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 21:12:33 -0700 + -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 22:21:27 -0700 linux-2.6 (2.6.18.dfsg.1-18etch1) stable-security; urgency=high Added: dists/etch-security/linux-2.6/debian/patches/bugfix/mmap-VM_DONTEXPAND.patch ============================================================================== --- (empty file) +++ dists/etch-security/linux-2.6/debian/patches/bugfix/mmap-VM_DONTEXPAND.patch Thu Feb 14 05:30:49 2008 @@ -0,0 +1,120 @@ +From: Nick Piggin <[EMAIL PROTECTED]> +Date: Sat, 2 Feb 2008 02:08:53 +0000 (+0100) +Subject: vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) +X-Git-Tag: v2.6.22.17~1 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.22.y.git;a=commitdiff_plain;h=83af8eda68a3f0c227d0eb05348e58ae27a62e7e + +vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) + +Drivers that register a ->fault handler, but do not range-check the +offset argument, must set VM_DONTEXPAND in the vm_flags in order to +prevent an expanding mremap from overflowing the resource. + +I've audited the tree and attempted to fix these problems (usually by +adding VM_DONTEXPAND where it is not obvious). + +Signed-off-by: Nick Piggin <[EMAIL PROTECTED]> +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]> +--- + +Backported to Debian's 2.6.18 by dann frazier <[EMAIL PROTECTED]> + +diff -urpN linux-source-2.6.18.orig/drivers/char/drm/drm_vm.c linux-source-2.6.18/drivers/char/drm/drm_vm.c +--- linux-source-2.6.18.orig/drivers/char/drm/drm_vm.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/drivers/char/drm/drm_vm.c 2008-02-13 22:17:32.000000000 -0700 +@@ -479,6 +479,7 @@ static int drm_mmap_dma(struct file *fil + vma->vm_ops = &drm_vm_dma_ops; + + vma->vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma->vm_flags |= VM_DONTEXPAND; + + vma->vm_file = filp; /* Needed for drm_vm_open() */ + drm_vm_open(vma); +@@ -656,6 +657,7 @@ int drm_mmap(struct file *filp, struct v + return -EINVAL; /* This should never happen. */ + } + vma->vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma->vm_flags |= VM_DONTEXPAND; + + vma->vm_file = filp; /* Needed for drm_vm_open() */ + drm_vm_open(vma); +diff -urpN linux-source-2.6.18.orig/fs/ncpfs/mmap.c linux-source-2.6.18/fs/ncpfs/mmap.c +--- linux-source-2.6.18.orig/fs/ncpfs/mmap.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/fs/ncpfs/mmap.c 2008-02-13 22:17:35.000000000 -0700 +@@ -47,9 +47,6 @@ static struct page* ncp_file_mmap_nopage + pos = address - area->vm_start + (area->vm_pgoff << PAGE_SHIFT); + + count = PAGE_SIZE; +- if (address + PAGE_SIZE > area->vm_end) { +- count = area->vm_end - address; +- } + /* what we can read in one go */ + bufsize = NCP_SERVER(inode)->buffer_size; + +diff -urpN linux-source-2.6.18.orig/kernel/relay.c linux-source-2.6.18/kernel/relay.c +--- linux-source-2.6.18.orig/kernel/relay.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/kernel/relay.c 2008-02-13 22:17:35.000000000 -0700 +@@ -84,6 +84,7 @@ int relay_mmap_buf(struct rchan_buf *buf + return -EINVAL; + + vma->vm_ops = &relay_file_mmap_ops; ++ vma->vm_flags |= VM_DONTEXPAND; + vma->vm_private_data = buf; + buf->chan->cb->buf_mapped(buf, filp); + +diff -urpN linux-source-2.6.18.orig/sound/oss/via82cxxx_audio.c linux-source-2.6.18/sound/oss/via82cxxx_audio.c +--- linux-source-2.6.18.orig/sound/oss/via82cxxx_audio.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/sound/oss/via82cxxx_audio.c 2008-02-13 22:17:35.000000000 -0700 +@@ -2104,6 +2104,7 @@ static struct page * via_mm_nopage (stru + { + struct via_info *card = vma->vm_private_data; + struct via_channel *chan = &card->ch_out; ++ unsigned long max_bufs; + struct page *dmapage; + unsigned long pgoff; + int rd, wr; +@@ -2127,14 +2128,11 @@ static struct page * via_mm_nopage (stru + rd = card->ch_in.is_mapped; + wr = card->ch_out.is_mapped; + +-#ifndef VIA_NDEBUG +- { +- unsigned long max_bufs = chan->frag_number; +- if (rd && wr) max_bufs *= 2; +- /* via_dsp_mmap() should ensure this */ +- assert (pgoff < max_bufs); +- } +-#endif ++ max_bufs = chan->frag_number; ++ if (rd && wr) ++ max_bufs *= 2; ++ if (pgoff >= max_bufs) ++ return NOPAGE_SIGBUS; + + /* if full-duplex (read+write) and we have two sets of bufs, + * then the playback buffers come first, sez soundcard.c */ +diff -urpN linux-source-2.6.18.orig/sound/usb/usx2y/usX2Yhwdep.c linux-source-2.6.18/sound/usb/usx2y/usX2Yhwdep.c +--- linux-source-2.6.18.orig/sound/usb/usx2y/usX2Yhwdep.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/sound/usb/usx2y/usX2Yhwdep.c 2008-02-13 22:17:35.000000000 -0700 +@@ -88,7 +88,7 @@ static int snd_us428ctls_mmap(struct snd + us428->us428ctls_sharedmem->CtlSnapShotLast = -2; + } + area->vm_ops = &us428ctls_vm_ops; +- area->vm_flags |= VM_RESERVED; ++ area->vm_flags |= VM_RESERVED | VM_DONTEXPAND; + area->vm_private_data = hw->private_data; + return 0; + } +diff -urpN linux-source-2.6.18.orig/sound/usb/usx2y/usx2yhwdeppcm.c linux-source-2.6.18/sound/usb/usx2y/usx2yhwdeppcm.c +--- linux-source-2.6.18.orig/sound/usb/usx2y/usx2yhwdeppcm.c 2008-02-10 10:48:45.000000000 -0700 ++++ linux-source-2.6.18/sound/usb/usx2y/usx2yhwdeppcm.c 2008-02-13 22:17:35.000000000 -0700 +@@ -728,7 +728,7 @@ static int snd_usX2Y_hwdep_pcm_mmap(stru + return -ENODEV; + } + area->vm_ops = &snd_usX2Y_hwdep_pcm_vm_ops; +- area->vm_flags |= VM_RESERVED; ++ area->vm_flags |= VM_RESERVED | VM_DONTEXPAND; + area->vm_private_data = hw->private_data; + return 0; + } Modified: dists/etch-security/linux-2.6/debian/patches/series/18etch2 ============================================================================== --- dists/etch-security/linux-2.6/debian/patches/series/18etch2 (original) +++ dists/etch-security/linux-2.6/debian/patches/series/18etch2 Thu Feb 14 05:30:49 2008 @@ -1 +1,2 @@ + bugfix/powerpc-chrp-null-deref.patch ++ bugfix/mmap-VM_DONTEXPAND.patch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes