From: Greg Kroah-Hartman Date: Fri, 17 Jul 2009 18:59:59 +0000 (-0700) Subject: start .30 queue X-Git-Tag: v2.6.30.2~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3fcca9c7c4f483adaf2d282c4f409206ece381b4;p=thirdparty%2Fkernel%2Fstable-queue.git start .30 queue
---
diff --git a/queue-2.6.30/add-fno-delete-null-pointer-checks-to-gcc-cflags.patch b/queue-2.6.30/add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
new file mode 100644
index 00000000000..00a7ac3e87a
--- /dev/null
+++ b/queue-2.6.30/add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
@@ -0,0 +1,63 @@
+From a3ca86aea507904148870946d599e07a340b39bf Mon Sep 17 00:00:00 2001
+From: Eugene Teo
+Date: Wed, 15 Jul 2009 14:59:10 +0800
+Subject: Add '-fno-delete-null-pointer-checks' to gcc CFLAGS
+
+From: Eugene Teo
+
+commit a3ca86aea507904148870946d599e07a340b39bf upstream.
+
+Turning on this flag could prevent the compiler from optimising away
+some "useless" checks for null pointers. Such bugs can sometimes become
+exploitable at compile time because of the -O2 optimisation.
+
+See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html
+
+An example that clearly shows this 'problem' is commit 6bf67672.
+
+ static void __devexit agnx_pci_remove(struct pci_dev *pdev)
+ {
+ struct ieee80211_hw *dev = pci_get_drvdata(pdev);
+- struct agnx_priv *priv = dev->priv;
++ struct agnx_priv *priv;
+ AGNX_TRACE;
+
+ if (!dev)
+ return;
++ priv = dev->priv;
+
+By reverting this patch, and compile it with and without
+-fno-delete-null-pointer-checks flag, we can see that the check for dev
+is compiled away.
+
+ call printk #
+- testq %r12, %r12 # dev
+- je .L94 #,
+ movq %r12, %rdi # dev,
+
+Clearly the 'fix' is to stop using dev before it is tested, but building
+with -fno-delete-null-pointer-checks flag at least makes it harder to
+abuse.
+
+Signed-off-by: Eugene Teo
+Acked-by: Eric Paris
+Acked-by: Wang Cong
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -351,7 +351,8 @@ KBUILD_CPPFLAGS := -D__KERNEL__
+
+ KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
+ -fno-strict-aliasing -fno-common \
+- -Werror-implicit-function-declaration
++ -Werror-implicit-function-declaration \
++ -fno-delete-null-pointer-checks
+ KBUILD_AFLAGS := -D__ASSEMBLY__
+
+ # Read KERNELRELEASE from include/config/kernel.release (if it exists)
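Review bot: The new flag is appended to KBUILD_CFLAGS unconditionally in the Makefile hunk, so any compiler that does not accept `-fno-delete-null-pointer-checks` fails the whole kernel build rather than just losing the hardening; if the `cc-option` helper is already included at that point of the Makefile (not visible here), `KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks)` placed after the assignment would make it best-effort. It is also worth recording, in the commit or a one-line Makefile comment, that the flag only stops GCC from deleting an explicit NULL check that follows a dereference; the dereference itself still executes, so in the agnx example `dev->priv` is still loaded before `if (!dev)` and only a non-zero mmap_min_addr turns that into a clean fault instead of a user-controlled read. The option therefore complements fixing the use-before-check order in each driver, as the commit message itself says, and should not be read as a substitute for it.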
diff --git a/queue-2.6.30/personality-fix-per_clear_on_setid.patch b/queue-2.6.30/personality-fix-per_clear_on_setid.patch
new file mode 100644
index 00000000000..55f1fe4f2b6
--- /dev/null
+++ b/queue-2.6.30/personality-fix-per_clear_on_setid.patch
@@ -0,0 +1,57 @@
+From f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 Mon Sep 17 00:00:00 2001
+From: Julien Tinnes
+Date: Fri, 26 Jun 2009 20:27:40 +0200
+Subject: personality: fix PER_CLEAR_ON_SETID
+
+From: Julien Tinnes
+
+commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 upstream.
+
+We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
+include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
+
+The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
+
+We believe it is important to add MMAP_PAGE_ZERO, because by using this
+personality it is possible to have the first page mapped inside a
+process running as setuid root. This could be used in those scenarios:
+
+ - Exploiting a NULL pointer dereference issue in a setuid root binary
+ - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
+running a setuid binary that would drop privileges before giving us
+control back (for instance by loading a user-supplied library), we
+could get the first page mapped in a process we control. By further
+using mremap and mprotect on this mapping, we can then completely
+bypass the mmap_min_addr restrictions.
+
+Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
+since on x86 32bits it will in practice disable most of the address
+space layout randomization (only the stack will remain randomized).
+
+Signed-off-by: Julien Tinnes
+Signed-off-by: Tavis Ormandy
+Acked-by: Christoph Hellwig
+Acked-by: Kees Cook
+Acked-by: Eugene Teo
+[ Shortened lines and fixed whitespace as per Christophs' suggestion ]
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/personality.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/personality.h
++++ b/include/linux/personality.h
+@@ -40,7 +40,10 @@ enum {
+ * Security-relevant compatibility flags that must be
+ * cleared upon setuid or setgid exec:
+ */
+-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
++#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
++ ADDR_NO_RANDOMIZE | \
++ ADDR_COMPAT_LAYOUT | \
++ MMAP_PAGE_ZERO)
+
+ /*
+ * Personality types.
diff --git a/queue-2.6.30/security-use-mmap_min_addr-indepedently-of-security-models.patch b/queue-2.6.30/security-use-mmap_min_addr-indepedently-of-security-models.patch
new file mode 100644
index 00000000000..26db7d207c5
--- /dev/null
+++ b/queue-2.6.30/security-use-mmap_min_addr-indepedently-of-security-models.patch
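Review bot: The widened PER_CLEAR_ON_SETID in the personality.h hunk carries none of the rationale from the commit message, and this macro is the single place the policy lives, so a reader of the header cannot tell that removing either new flag reopens a NULL-page mapping inside a setuid image; a comment on the definition such as `/* MMAP_PAGE_ZERO maps page 0 into a setuid image (NULL-deref target, mmap_min_addr bypass); ADDR_COMPAT_LAYOUT defeats most ASLR on 32-bit */` would carry that into the code. The mask is also a deny-list by enumeration, so any personality flag added later that influences address-space layout has to be remembered here, which deserves a one-line note above the define. This hunk only covers the setuid/setgid exec path; whether the page-zero mapping that MMAP_PAGE_ZERO requests from the ELF loader is itself subject to mmap_min_addr for non-setuid processes is not visible here and is worth confirming separately.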
@@ -0,0 +1,159 @@
+From e0a94c2a63f2644826069044649669b5e7ca75d3 Mon Sep 17 00:00:00 2001
+From: Christoph Lameter
+Date: Wed, 3 Jun 2009 16:04:31 -0400
+Subject: security: use mmap_min_addr indepedently of security models
+
+From: Christoph Lameter
+
+commit e0a94c2a63f2644826069044649669b5e7ca75d3 upstream.
+
+This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
+It also sets a default mmap_min_addr of 4096.
+
+mmapping of addresses below 4096 will only be possible for processes
+with CAP_SYS_RAWIO.
+
+Signed-off-by: Christoph Lameter
+Acked-by: Eric Paris
+Looks-ok-by: Linus Torvalds
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/mm.h | 2 --
+ include/linux/security.h | 2 ++
+ kernel/sysctl.c | 2 --
+ mm/Kconfig | 19 +++++++++++++++++++
+ mm/mmap.c | 3 +++
+ security/Kconfig | 22 +---------------------
+ security/security.c | 3 ---
+ 7 files changed, 25 insertions(+), 28 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -580,12 +580,10 @@ static inline void set_page_links(struct
+ */
+ static inline unsigned long round_hint_to_min(unsigned long hint)
+ {
+-#ifdef CONFIG_SECURITY
+ hint &= PAGE_MASK;
+ if (((void *)hint != NULL) &&
+ (hint < mmap_min_addr))
+ return PAGE_ALIGN(mmap_min_addr);
+-#endif
+ return hint;
+ }
+
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -2197,6 +2197,8 @@ static inline int security_file_mmap(str
+ unsigned long addr,
+ unsigned long addr_only)
+ {
++ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
++ return -EACCES;
+ return 0;
+ }
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -1225,7 +1225,6 @@ static struct ctl_table vm_table[] = {
+ .strategy = &sysctl_jiffies,
+ },
+ #endif
+-#ifdef CONFIG_SECURITY
+ {
+ .ctl_name = CTL_UNNUMBERED,
+ .procname = "mmap_min_addr",
+@@ -1234,7 +1233,6 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = &proc_doulongvec_minmax,
+ },
+-#endif
+ #ifdef CONFIG_NUMA
+
{ + .ctl_name = CTL_UNNUMBERED, +--- a/mm/Kconfig ++++ b/mm/Kconfig +@@ -226,6 +226,25 @@ config HAVE_MLOCKED_PAGE_BIT + config MMU_NOTIFIER + bool + ++config DEFAULT_MMAP_MIN_ADDR ++ int "Low address space to protect from user allocation" ++ default 4096 ++ help ++ This is the portion of low virtual memory which should be protected ++ from userspace allocation. Keeping a user from writing to low pages ++ can help reduce the impact of kernel NULL pointer bugs. ++ ++ For most ia64, ppc64 and x86 users with lots of address space ++ a value of 65536 is reasonable and should cause no problems. ++ On arm and other archs it should not be higher than 32768. ++ Programs which use vm86 functionality would either need additional ++ permissions from either the LSM or the capabilities module or have ++ this protection disabled. ++ ++ This value can be changed after boot using the ++ /proc/sys/vm/mmap_min_addr tunable. ++ ++ + config NOMMU_INITIAL_TRIM_EXCESS + int "Turn on mmap() excess space trimming before booting" + depends on !MMU +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -87,6 +87,9 @@ int sysctl_overcommit_ratio = 50; /* def + int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT; + struct percpu_counter vm_committed_as; + ++/* amount of vm to protect from userspace access */ ++unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR; ++ + /* + * Check that a process has enough memory to allocate a new virtual + * mapping. 0 means there is enough memory for the allocation to +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -110,28 +110,8 @@ config SECURITY_ROOTPLUG + + See for + more information about this module. +- +- If you are unsure how to answer this question, answer N. +- +-config SECURITY_DEFAULT_MMAP_MIN_ADDR +- int "Low address space to protect from user allocation" +- depends on SECURITY +- default 0 +- help +- This is the portion of low virtual memory which should be protected +- from userspace allocation. 
Keeping a user from writing to low pages
+- can help reduce the impact of kernel NULL pointer bugs.
+-
+- For most ia64, ppc64 and x86 users with lots of address space
+- a value of 65536 is reasonable and should cause no problems.
+- On arm and other archs it should not be higher than 32768.
+- Programs which use vm86 functionality would either need additional
+- permissions from either the LSM or the capabilities module or have
+- this protection disabled.
+-
+- This value can be changed after boot using the
+- /proc/sys/vm/mmap_min_addr tunable.
+
++ If you are unsure how to answer this question, answer N.
+
+ source security/selinux/Kconfig
+ source security/smack/Kconfig
+--- a/security/security.c
++++ b/security/security.c
+@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct se
+
+ struct security_operations *security_ops; /* Initialized to NULL */
+
+-/* amount of vm to protect from userspace access */
+-unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
+-
+ static inline int verify(struct security_operations *ops)
+ {
+ /* verify the security_operations structure exists */
diff --git a/queue-2.6.30/series b/queue-2.6.30/series
new file mode 100644
index 00000000000..17805df9401
--- /dev/null
+++ b/queue-2.6.30/series
@@ -0,0 +1,4 @@
+add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
+security-use-mmap_min_addr-indepedently-of-security-models.patch
+tun-tap-fix-crashes-if-open-dev-net-tun-and-then-poll-it.patch
+personality-fix-per_clear_on_setid.patch
diff --git a/queue-2.6.30/tun-tap-fix-crashes-if-open-dev-net-tun-and-then-poll-it.patch b/queue-2.6.30/tun-tap-fix-crashes-if-open-dev-net-tun-and-then-poll-it.patch
new file mode 100644
index 00000000000..5a831252790
--- /dev/null
+++ b/queue-2.6.30/tun-tap-fix-crashes-if-open-dev-net-tun-and-then-poll-it.patch
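Review bot: The default chosen in the mm/Kconfig hunk is 4096 while the help text a few lines below recommends 65536 for ia64, ppc64 and x86, so the setting that actually ships still leaves NULL-relative dereferences with a struct offset above 4 KiB reachable through a user mapping; either raise the default or have the help text say why 4096 was picked over the recommended value. In the security.h stub the rejection is `return -EACCES;`, whereas the capability-module hook that runs when CONFIG_SECURITY is set is not in this hunk and may report a different errno, so the two paths should be checked to agree or userspace will see config-dependent failures for the same mmap. Because the restriction is now on by default regardless of any LSM, the vm86 caveat buried in the help text becomes a real deployment change worth repeating in the commit message: dosemu-style programs need CAP_SYS_RAWIO or a lowered /proc/sys/vm/mmap_min_addr after this lands.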
@@ -0,0 +1,47 @@
+From 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 Mon Sep 17 00:00:00 2001
+From: Mariusz Kozlowski
+Date: Sun, 5 Jul 2009 19:48:35 +0000
+Subject: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-2009-1897)
+
+From: Mariusz Kozlowski
+
+commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 upstream.
+
+Fix NULL pointer dereference in tun_chr_pool() introduced by commit
+33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
+packets per device") and triggered by this code:
+
+ int fd;
+ struct pollfd pfd;
+ fd = open("/dev/net/tun", O_RDWR);
+ pfd.fd = fd;
+ pfd.events = POLLIN | POLLOUT;
+ poll(&pfd, 1, 0);
+
+Reported-by: Eugene Kapun
+Signed-off-by: Mariusz Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/tun.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct
+ {
+ struct tun_file *tfile = file->private_data;
+ struct tun_struct *tun = __tun_get(tfile);
+- struct sock *sk = tun->sk;
++ struct sock *sk;
+ unsigned int mask = 0;
+
+ if (!tun)
+ return POLLERR;
+
++ sk = tun->sk;
++
+ DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
+
+ poll_wait(file, &tun->socket.wait, wait);
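Review bot: Moving `sk = tun->sk;` below the NULL check in the tun.c hunk fixes the reported crash, but nothing in the code records that `__tun_get()` can return NULL for a freshly opened fd (which the reproducer in the commit message demonstrates), so the next refactor can reintroduce a pre-check dereference exactly as commit 33dccbb did; a comment on the guard such as `/* tun is NULL until a device is attached; touch nothing through it before this check */` would pin the invariant where it is enforced. tun_chr_poll's body continues past the hunk (the mask computation and the matching put of the reference taken by `__tun_get()`), and the other file operations that start with the same `__tun_get(tfile)` call are not shown here, so they are worth auditing for the same deref-before-check pattern. The five-line reproducer is small enough to become a regression test rather than living only in the commit message.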