From: Greg Kroah-Hartman
Date: Thu, 14 Jan 2010 15:34:48 +0000 (-0800)
Subject: start .27 queue
X-Git-Tag: v2.6.32.4~16
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d50a1f6b581981982829c2b5995f3818d2d85ca9;p=thirdparty%2Fkernel%2Fstable-queue.git
start .27 queue
---
diff --git a/queue-2.6.27/kernel-signal.c-fix-kernel-information-leak-with-print-fatal-signals-1.patch b/queue-2.6.27/kernel-signal.c-fix-kernel-information-leak-with-print-fatal-signals-1.patch
new file mode 100644
index 00000000000..35ce5882b9a
--- /dev/null
+++ b/queue-2.6.27/kernel-signal.c-fix-kernel-information-leak-with-print-fatal-signals-1.patch
@@ -0,0 +1,50 @@
+From b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 Mon Sep 17 00:00:00 2001
+From: Andi Kleen
+Date: Fri, 8 Jan 2010 14:42:52 -0800
+Subject: kernel/signal.c: fix kernel information leak with print-fatal-signals=1
+
+From: Andi Kleen
+
+commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream.
+
+When print-fatal-signals is enabled it's possible to dump any memory
+reachable by the kernel to the log by simply jumping to that address from
+user space.
+
+Or crash the system if there's some hardware with read side effects.
+
+The fatal signals handler will dump 16 bytes at the execution address,
+which is fully controlled by ring 3.
+
+In addition when something jumps to a unmapped address there will be up to
+16 additional useless page faults, which might be potentially slow (and at
+least is not very efficient)
+
+Fortunately this option is off by default and only there on i386.
+
+But fix it by checking for kernel addresses and also stopping when there's
+a page fault.
+
+Signed-off-by: Andi Kleen
+Cc: Ingo Molnar
+Cc: Oleg Nesterov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/signal.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -884,7 +884,8 @@ static void print_fatal_signal(struct pt
+ for (i = 0; i < 16; i++) {
+ unsigned char insn;
+
+- __get_user(insn, (unsigned char *)(regs->ip + i));
++ if (get_user(insn, (unsigned char *)(regs->ip + i)))
++ break;
+ printk("%02x ", insn);
+ }
+ }
diff --git a/queue-2.6.27/netfilter-ebtables-enforce-cap_net_admin.patch b/queue-2.6.27/netfilter-ebtables-enforce-cap_net_admin.patch
new file mode 100644
index 00000000000..bb28a3f4db1
--- /dev/null
+++ b/queue-2.6.27/netfilter-ebtables-enforce-cap_net_admin.patch
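Review bot: The `__get_user` → `get_user` switch on the replaced line is the part that closes the leak, yet nothing in the code records why, so a later cleanup could plausibly revert it to the unchecked variant. `get_user()` performs the address range check that `__get_user()` skips, so a `regs->ip` pointing at kernel memory is refused instead of dumped, and the new `break` stops the dump at the first unreadable byte rather than taking up to 16 faults on an unmapped address. Suggest a comment above the added check: `/* get_user(), not __get_user(): regs->ip is user-controlled, so the address must be range-checked, and the dump stops at the first fault */`. The enclosing `print_fatal_signal()` starts and ends outside the hunk; on a `break` the loop exits with a partial hex line, so whatever terminates that printk line after the loop is presumably unchanged by the backport — worth confirming when applying to 2.6.27.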
@@ -0,0 +1,45 @@
+From dce766af541f6605fa9889892c0280bab31c66ab Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Fri, 8 Jan 2010 17:31:24 +0100
+Subject: netfilter: ebtables: enforce CAP_NET_ADMIN
+
+From: Florian Westphal
+
+commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
+
+normal users are currently allowed to set/modify ebtables rules.
+Restrict it to processes with CAP_NET_ADMIN.
+
+Note that this cannot be reproduced with unmodified ebtables binary
+because it uses SOCK_RAW.
+
+Signed-off-by: Florian Westphal
+Signed-off-by: Patrick McHardy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/netfilter/ebtables.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1436,6 +1436,9 @@ static int do_ebt_set_ctl(struct sock *s
+ {
+ int ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ switch(cmd) {
+ case EBT_SO_SET_ENTRIES:
+ ret = do_replace(user, len);
+@@ -1455,6 +1458,9 @@ static int do_ebt_get_ctl(struct sock *s
+ struct ebt_replace tmp;
+ struct ebt_table *t;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (copy_from_user(&tmp, user, sizeof(tmp)))
+ return -EFAULT;
+
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
new file mode 100644
index 00000000000..3cb2b7df7cd
--- /dev/null
+++ b/queue-2.6.27/series
@@ -0,0 +1,2 @@
+kernel-signal.c-fix-kernel-information-leak-with-print-fatal-signals-1.patch
+netfilter-ebtables-enforce-cap_net_admin.patch
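Review bot: The two added `capable(CAP_NET_ADMIN)` checks in `do_ebt_set_ctl()` and `do_ebt_get_ctl()` carry no comment, so the code does not say that these sockopt handlers are reachable by unprivileged callers on non-raw sockets, which is the whole reason the check exists; suggest at each site `/* rule tables are privileged: reject before any user data is parsed, as ip_tables/arp_tables do */`. The placement is right — in `do_ebt_get_ctl()` the `-EPERM` precedes the `copy_from_user()`, so untrusted input is never read before privilege is established, and in `do_ebt_set_ctl()` it precedes the `switch(cmd)`, so unknown commands are refused too. Both functions start and end outside the hunk, and the early return is inserted before any resource is taken, so no cleanup path is bypassed.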