projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 08e1901e CW |
1 | From bunk@stusta.de Wed Nov 15 08:05:24 2006 |
| 2 | Date: Wed, 15 Nov 2006 17:01:46 +0100 | |
| 3 | From: Adrian Bunk <bunk@stusta.de> | |
| 4 | To: Chris Wright <chrisw@sous-sol.org>, Michael Halcrow <mhalcrow@us.ibm.com> | |
| 5 | Cc: stable@kernel.org | |
| 6 | Subject: security/seclvl.c: fix time wrap (CVE-2005-4352) | |
| 7 | Message-ID: <20061115160146.GD5824@stusta.de> | |
| 8 | ||
| 9 | initlvl=2 in seclvl gives the guarantee | |
| 10 | "Cannot decrement the system time". | |
| 11 | ||
| 12 | But it was possible to set the time to the maximum unixtime value | |
| 13 | (19 Jan 2038) resulting in a wrap to the minimum value. | |
| 14 | ||
| 15 | This patch fixes this by disallowing setting the time to any date | |
| 544c8763 | 16 | after 2030 with initlvl=2. |
| 08e1901e CW |
17 | |
| 18 | This patch does not apply to kernel 2.6.19 since the seclvl module was | |
| 19 | already removed in this kernel. | |
| 20 | ||
| 21 | Signed-off-by: Adrian Bunk <bunk@stusta.de> | |
| 22 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> | |
| 23 | ||
| 24 | --- | |
| 25 | security/seclvl.c | 2 ++ | |
| 26 | 1 file changed, 2 insertions(+) | |
| 27 | ||
| 28 | --- linux-2.6.18.2.orig/security/seclvl.c | |
| 29 | +++ linux-2.6.18.2/security/seclvl.c | |
| 30 | @@ -370,6 +370,8 @@ static int seclvl_settime(struct timespe | |
| 31 | current->group_leader->pid); | |
| 32 | return -EPERM; | |
| 33 | } /* if attempt to decrement time */ | |
| 34 | + if (tv->tv_sec > 1924988400) /* disallow dates after 2030) */ | |
| 35 | + return -EPERM; /* CVE-2005-4352 */ | |
| 36 | } /* if seclvl > 1 */ | |
| 37 | return 0; | |
| 38 | } |