From: Greg Kroah-Hartman Date: Fri, 17 Jul 2009 19:03:14 +0000 (-0700) Subject: .27 queue started X-Git-Tag: v2.6.30.2~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3cd661c3d6b27e6d9953be499c6115cdf32a2076;p=thirdparty%2Fkernel%2Fstable-queue.git .27 queue started --- diff --git a/queue-2.6.27/add-fno-delete-null-pointer-checks-to-gcc-cflags.patch b/queue-2.6.27/add-fno-delete-null-pointer-checks-to-gcc-cflags.patch new file mode 100644 index 00000000000..eecec891c90 --- /dev/null +++ b/queue-2.6.27/add-fno-delete-null-pointer-checks-to-gcc-cflags.patch @@ -0,0 +1,63 @@ +From a3ca86aea507904148870946d599e07a340b39bf Mon Sep 17 00:00:00 2001 +From: Eugene Teo +Date: Wed, 15 Jul 2009 14:59:10 +0800 +Subject: Add '-fno-delete-null-pointer-checks' to gcc CFLAGS + +From: Eugene Teo + +commit a3ca86aea507904148870946d599e07a340b39bf upstream. + +Turning on this flag could prevent the compiler from optimising away +some "useless" checks for null pointers. Such bugs can sometimes become +exploitable at compile time because of the -O2 optimisation. + +See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html + +An example that clearly shows this 'problem' is commit 6bf67672. + + static void __devexit agnx_pci_remove(struct pci_dev *pdev) + { + struct ieee80211_hw *dev = pci_get_drvdata(pdev); +- struct agnx_priv *priv = dev->priv; ++ struct agnx_priv *priv; + AGNX_TRACE; + + if (!dev) + return; ++ priv = dev->priv; + +By reverting this patch, and compile it with and without +-fno-delete-null-pointer-checks flag, we can see that the check for dev +is compiled away. + + call printk # +- testq %r12, %r12 # dev +- je .L94 #, + movq %r12, %rdi # dev, + +Clearly the 'fix' is to stop using dev before it is tested, but building +with -fno-delete-null-pointer-checks flag at least makes it harder to +abuse. + +Signed-off-by: Eugene Teo +Acked-by: Eric Paris +Acked-by: Wang Cong +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/Makefile ++++ b/Makefile +@@ -340,7 +340,8 @@ KBUILD_CPPFLAGS := -D__KERNEL__ $(LINUXI + + KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \ + -fno-strict-aliasing -fno-common \ +- -Werror-implicit-function-declaration ++ -Werror-implicit-function-declaration \ ++ -fno-delete-null-pointer-checks + KBUILD_AFLAGS := -D__ASSEMBLY__ + + # Read KERNELRELEASE from include/config/kernel.release (if it exists) diff --git a/queue-2.6.27/personality-fix-per_clear_on_setid.patch b/queue-2.6.27/personality-fix-per_clear_on_setid.patch new file mode 100644 index 00000000000..55f1fe4f2b6 --- /dev/null +++ b/queue-2.6.27/personality-fix-per_clear_on_setid.patch @@ -0,0 +1,57 @@ +From f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 Mon Sep 17 00:00:00 2001 +From: Julien Tinnes +Date: Fri, 26 Jun 2009 20:27:40 +0200 +Subject: personality: fix PER_CLEAR_ON_SETID + +From: Julien Tinnes + +commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 upstream. + +We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't +include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO. + +The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE. + +We believe it is important to add MMAP_PAGE_ZERO, because by using this +personality it is possible to have the first page mapped inside a +process running as setuid root. This could be used in those scenarios: + + - Exploiting a NULL pointer dereference issue in a setuid root binary + - Bypassing the mmap_min_addr restrictions of the Linux kernel: by + running a setuid binary that would drop privileges before giving us + control back (for instance by loading a user-supplied library), we + could get the first page mapped in a process we control. By further + using mremap and mprotect on this mapping, we can then completely + bypass the mmap_min_addr restrictions. + +Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added +since on x86 32bits it will in practice disable most of the address +space layout randomization (only the stack will remain randomized). + +Signed-off-by: Julien Tinnes +Signed-off-by: Tavis Ormandy +Acked-by: Christoph Hellwig +Acked-by: Kees Cook +Acked-by: Eugene Teo +[ Shortened lines and fixed whitespace as per Christophs' suggestion ] +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/personality.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/include/linux/personality.h ++++ b/include/linux/personality.h +@@ -40,7 +40,10 @@ enum { + * Security-relevant compatibility flags that must be + * cleared upon setuid or setgid exec: + */ +-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE) ++#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \ ++ ADDR_NO_RANDOMIZE | \ ++ ADDR_COMPAT_LAYOUT | \ ++ MMAP_PAGE_ZERO) + + /* + * Personality types. diff --git a/queue-2.6.27/security-use-mmap_min_addr-indepedently-of-security-models.patch b/queue-2.6.27/security-use-mmap_min_addr-indepedently-of-security-models.patch new file mode 100644 index 00000000000..83b11e9661e --- /dev/null +++ b/queue-2.6.27/security-use-mmap_min_addr-indepedently-of-security-models.patch @@ -0,0 +1,155 @@ +From e0a94c2a63f2644826069044649669b5e7ca75d3 Mon Sep 17 00:00:00 2001 +From: Christoph Lameter +Date: Wed, 3 Jun 2009 16:04:31 -0400 +Subject: security: use mmap_min_addr indepedently of security models + +From: Christoph Lameter + +commit e0a94c2a63f2644826069044649669b5e7ca75d3 upstream. + +This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY. +It also sets a default mmap_min_addr of 4096. + +mmapping of addresses below 4096 will only be possible for processes +with CAP_SYS_RAWIO. + +Signed-off-by: Christoph Lameter +Acked-by: Eric Paris +Looks-ok-by: Linus Torvalds +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mm.h | 2 -- + include/linux/security.h | 2 ++ + kernel/sysctl.c | 2 -- + mm/Kconfig | 18 ++++++++++++++++++ + mm/mmap.c | 3 +++ + security/Kconfig | 22 +--------------------- + security/security.c | 3 --- + 7 files changed, 24 insertions(+), 28 deletions(-) + +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -572,12 +572,10 @@ static inline void set_page_links(struct + */ + static inline unsigned long round_hint_to_min(unsigned long hint) + { +-#ifdef CONFIG_SECURITY + hint &= PAGE_MASK; + if (((void *)hint != NULL) && + (hint < mmap_min_addr)) + return PAGE_ALIGN(mmap_min_addr); +-#endif + return hint; + } + +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -2134,6 +2134,8 @@ static inline int security_file_mmap(str + unsigned long addr, + unsigned long addr_only) + { ++ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO)) ++ return -EACCES; + return 0; + } + +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1132,7 +1132,6 @@ static struct ctl_table vm_table[] = { + .strategy = &sysctl_jiffies, + }, + #endif +-#ifdef CONFIG_SECURITY + { + .ctl_name = CTL_UNNUMBERED, + .procname = "mmap_min_addr", +@@ -1141,7 +1140,6 @@ static struct ctl_table vm_table[] = { + .mode = 0644, + .proc_handler = &proc_doulongvec_minmax, + }, +-#endif + #ifdef CONFIG_NUMA + { + .ctl_name = CTL_UNNUMBERED, +--- a/mm/Kconfig ++++ b/mm/Kconfig +@@ -208,3 +208,21 @@ config VIRT_TO_BUS + + config MMU_NOTIFIER + bool ++ ++config DEFAULT_MMAP_MIN_ADDR ++ int "Low address space to protect from user allocation" ++ default 4096 ++ help ++ This is the portion of low virtual memory which should be protected ++ from userspace allocation. Keeping a user from writing to low pages ++ can help reduce the impact of kernel NULL pointer bugs. ++ ++ For most ia64, ppc64 and x86 users with lots of address space ++ a value of 65536 is reasonable and should cause no problems. ++ On arm and other archs it should not be higher than 32768. ++ Programs which use vm86 functionality would either need additional ++ permissions from either the LSM or the capabilities module or have ++ this protection disabled. ++ ++ This value can be changed after boot using the ++ /proc/sys/vm/mmap_min_addr tunable. +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -86,6 +86,9 @@ int sysctl_overcommit_ratio = 50; /* def + int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT; + atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0); + ++/* amount of vm to protect from userspace access */ ++unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR; ++ + /* + * Check that a process has enough memory to allocate a new virtual + * mapping. 0 means there is enough memory for the allocation to +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -92,28 +92,8 @@ config SECURITY_ROOTPLUG + + See for + more information about this module. +- +- If you are unsure how to answer this question, answer N. +- +-config SECURITY_DEFAULT_MMAP_MIN_ADDR +- int "Low address space to protect from user allocation" +- depends on SECURITY +- default 0 +- help +- This is the portion of low virtual memory which should be protected +- from userspace allocation. Keeping a user from writing to low pages +- can help reduce the impact of kernel NULL pointer bugs. +- +- For most ia64, ppc64 and x86 users with lots of address space +- a value of 65536 is reasonable and should cause no problems. +- On arm and other archs it should not be higher than 32768. +- Programs which use vm86 functionality would either need additional +- permissions from either the LSM or the capabilities module or have +- this protection disabled. +- +- This value can be changed after boot using the +- /proc/sys/vm/mmap_min_addr tunable. + ++ If you are unsure how to answer this question, answer N. + + source security/selinux/Kconfig + source security/smack/Kconfig +--- a/security/security.c ++++ b/security/security.c +@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct se + + struct security_operations *security_ops; /* Initialized to NULL */ + +-/* amount of vm to protect from userspace access */ +-unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR; +- + static inline int verify(struct security_operations *ops) + { + /* verify the security_operations structure exists */ diff --git a/queue-2.6.27/series b/queue-2.6.27/series new file mode 100644 index 00000000000..5ed1a24d79a --- /dev/null +++ b/queue-2.6.27/series @@ -0,0 +1,3 @@ +add-fno-delete-null-pointer-checks-to-gcc-cflags.patch +personality-fix-per_clear_on_setid.patch +security-use-mmap_min_addr-indepedently-of-security-models.patch