diff --git a/debian/changelog b/debian/changelog index 5edb8a93b..3577bcfde 100644 --- a/debian/changelog +++ b/debian/changelog @@ -40,12 +40,8 @@ linux-2.6 (2.6.18.dfsg.1-12) UNRELEASED; urgency=low [SECURITY] Fix kernel memory leak vulnerability in ipv6_getsockopt_sticky() which can be triggered by passing a len < 0. See CVE-2007-1000 - * bugfix/listxattr-mem-corruption.patch - [SECURITY] Fix userspace corruption vulnerability caused by - incorrectly promoted return values in bad_inode_ops - See CVE-2006-5753 - -- dann frazier Wed, 21 Mar 2007 18:03:28 -0600 + -- dann frazier Thu, 22 Mar 2007 10:31:41 -0600 linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low diff --git a/debian/patches/bugfix/listxattr-mem-corruption.patch b/debian/patches/bugfix/listxattr-mem-corruption.patch deleted file mode 100644 index 10f37da8a..000000000 --- a/debian/patches/bugfix/listxattr-mem-corruption.patch +++ /dev/null 
@@ -1,441 +0,0 @@ -From: Eric Sandeen -Date: Sat, 6 Jan 2007 00:36:36 +0000 (-0800) -Subject: [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values -X-Git-Tag: v2.6.20-rc4~60 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8;hp=2723f9603a8f8bb2cd8c7b581f7c94b8d75e3837 - -[PATCH] fix memory corruption from misinterpreted bad_inode_ops return values - -CVE-2006-5753 is for a case where an inode can be marked bad, switching -the ops to bad_inode_ops, which are all connected as: - -static int return_EIO(void) -{ - return -EIO; -} - -#define EIO_ERROR ((void *) (return_EIO)) - -static struct inode_operations bad_inode_ops = -{ - .create = bad_inode_create -...etc... - -The problem here is that the void cast causes return types to not be -promoted, and for ops such as listxattr which expect more than 32 bits of -return value, the 32-bit -EIO is interpreted as a large positive 64-bit -number, i.e. 0x00000000fffffffa instead of 0xfffffffa. - -This goes particularly badly when the return value is taken as a number of -bytes to copy into, say, a user's buffer for example... - -I originally had coded up the fix by creating a return_EIO_ macro -for each return type, like this: - -static int return_EIO_int(void) -{ - return -EIO; -} -#define EIO_ERROR_INT ((void *) (return_EIO_int)) - -static struct inode_operations bad_inode_ops = -{ - .create = EIO_ERROR_INT, -...etc... - -but Al felt that it was probably better to create an EIO-returner for each -actual op signature. Since so few ops share a signature, I just went ahead -& created an EIO function for each individual file & inode op that returns -a value. 
-
-Signed-off-by: Eric Sandeen
-Cc: Al Viro
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
----
-
-Backported to Debian's 2.6.18 by dann frazier
-
---- linux-source-2.6.18/fs/bad_inode.c.orig 2006-09-19 21:42:06.000000000 -0600
-+++ linux-source-2.6.18/fs/bad_inode.c 2007-03-19 20:56:08.000000000 -0600
-@@ -14,61 +14,321 @@
- #include
- #include
- #include
-+#include
- 
--static int return_EIO(void)
-+
-+static loff_t bad_file_llseek(struct file *file, loff_t offset, int origin)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_read(struct file *filp, char __user *buf,
-+ size_t size, loff_t *ppos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_write(struct file *filp, const char __user *buf,
-+ size_t siz, loff_t *ppos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_aio_read(struct kiocb *iocb, char __user *buf,
-+ size_t siz, loff_t pos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_aio_write(struct kiocb *iocb, const char __user *buf,
-+ size_t siz, loff_t pos)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_readdir(struct file *filp, void *dirent, filldir_t filldir)
-+{
-+ return -EIO;
-+}
-+
-+static unsigned int bad_file_poll(struct file *filp, poll_table *wait)
-+{
-+ return POLLERR;
-+}
-+
-+static int bad_file_ioctl (struct inode *inode, struct file *filp,
-+ unsigned int cmd, unsigned long arg)
-+{
-+ return -EIO;
-+}
-+
-+static long bad_file_unlocked_ioctl(struct file *file, unsigned cmd,
-+ unsigned long arg)
-+{
-+ return -EIO;
-+}
-+
-+static long bad_file_compat_ioctl(struct file *file, unsigned int cmd,
-+ unsigned long arg)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_mmap(struct file *file, struct vm_area_struct *vma)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_open(struct inode *inode, struct file *filp)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_flush(struct file *file, fl_owner_t id)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_release(struct inode *inode, struct file *filp)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_fsync(struct file *file, struct dentry *dentry,
-+ int datasync)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_aio_fsync(struct kiocb *iocb, int datasync)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_fasync(int fd, struct file *filp, int on)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_lock(struct file *file, int cmd, struct file_lock *fl)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_readv(struct file *filp, const struct iovec *iov,
-+ unsigned long nr_segs, loff_t *ppos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_writev(struct file *filp, const struct iovec *iov,
-+ unsigned long nr_segs, loff_t *ppos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_sendfile(struct file *in_file, loff_t *ppos,
-+ size_t count, read_actor_t actor, void *target)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_sendpage(struct file *file, struct page *page,
-+ int off, size_t len, loff_t *pos, int more)
-+{
-+ return -EIO;
-+}
-+
-+static unsigned long bad_file_get_unmapped_area(struct file *file,
-+ unsigned long addr, unsigned long len,
-+ unsigned long pgoff, unsigned long flags)
- {
- return -EIO;
- }
- 
--#define EIO_ERROR ((void *) (return_EIO))
-+static int bad_file_check_flags(int flags)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_dir_notify(struct file *file, unsigned long arg)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_flock(struct file *filp, int cmd, struct file_lock *fl)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_splice_write(struct pipe_inode_info *pipe,
-+ struct file *out, loff_t *ppos, size_t len,
-+ unsigned int flags)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_splice_read(struct file *in, loff_t *ppos,
-+ struct pipe_inode_info *pipe, size_t len,
-+ unsigned int flags)
-+{
-+ return -EIO;
-+}
- 
- static const struct file_operations bad_file_ops =
- {
-- .llseek = EIO_ERROR,
-- .aio_read = EIO_ERROR,
-- .read = EIO_ERROR,
-- .write = EIO_ERROR,
-- .aio_write = EIO_ERROR,
-- .readdir = EIO_ERROR,
-- .poll = EIO_ERROR,
-- .ioctl = EIO_ERROR,
-- .mmap = EIO_ERROR,
-- .open = EIO_ERROR,
-- .flush = EIO_ERROR,
-- .release = EIO_ERROR,
-- .fsync = EIO_ERROR,
-- .aio_fsync = EIO_ERROR,
-- .fasync = EIO_ERROR,
-- .lock = EIO_ERROR,
-- .readv = EIO_ERROR,
-- .writev = EIO_ERROR,
-- .sendfile = EIO_ERROR,
-- .sendpage = EIO_ERROR,
-- .get_unmapped_area = EIO_ERROR,
-+ .llseek = bad_file_llseek,
-+ .read = bad_file_read,
-+ .write = bad_file_write,
-+ .aio_read = bad_file_aio_read,
-+ .aio_write = bad_file_aio_write,
-+ .readdir = bad_file_readdir,
-+ .poll = bad_file_poll,
-+ .ioctl = bad_file_ioctl,
-+ .unlocked_ioctl = bad_file_unlocked_ioctl,
-+ .compat_ioctl = bad_file_compat_ioctl,
-+ .mmap = bad_file_mmap,
-+ .open = bad_file_open,
-+ .flush = bad_file_flush,
-+ .release = bad_file_release,
-+ .fsync = bad_file_fsync,
-+ .aio_fsync = bad_file_aio_fsync,
-+ .fasync = bad_file_fasync,
-+ .lock = bad_file_lock,
-+ .readv = bad_file_readv,
-+ .writev = bad_file_writev,
-+ .sendfile = bad_file_sendfile,
-+ .sendpage = bad_file_sendpage,
-+ .get_unmapped_area = bad_file_get_unmapped_area,
-+ .check_flags = bad_file_check_flags,
-+ .dir_notify = bad_file_dir_notify,
-+ .flock = bad_file_flock,
-+ .splice_write = bad_file_splice_write,
-+ .splice_read = bad_file_splice_read,
- };
- 
-+static int bad_inode_create (struct inode *dir, struct dentry *dentry,
-+ int mode, struct nameidata *nd)
-+{
-+ return -EIO;
-+}
-+
-+static struct dentry *bad_inode_lookup(struct inode *dir,
-+ struct dentry *dentry, struct nameidata *nd)
-+{
-+ return ERR_PTR(-EIO);
-+}
-+
-+static int bad_inode_link (struct dentry *old_dentry, struct inode *dir,
-+ struct dentry *dentry)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_unlink(struct inode *dir, struct dentry *dentry)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_symlink (struct inode *dir, struct dentry *dentry,
-+ const char *symname)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_mkdir(struct inode *dir, struct dentry *dentry,
-+ int mode)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_rmdir (struct inode *dir, struct dentry *dentry)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_mknod (struct inode *dir, struct dentry *dentry,
-+ int mode, dev_t rdev)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_rename (struct inode *old_dir, struct dentry *old_dentry,
-+ struct inode *new_dir, struct dentry *new_dentry)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_readlink(struct dentry *dentry, char __user *buffer,
-+ int buflen)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_permission(struct inode *inode, int mask,
-+ struct nameidata *nd)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_getattr(struct vfsmount *mnt, struct dentry *dentry,
-+ struct kstat *stat)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_setattr(struct dentry *direntry, struct iattr *attrs)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_setxattr(struct dentry *dentry, const char *name,
-+ const void *value, size_t size, int flags)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_inode_getxattr(struct dentry *dentry, const char *name,
-+ void *buffer, size_t size)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_inode_listxattr(struct dentry *dentry, char *buffer,
-+ size_t buffer_size)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_removexattr(struct dentry *dentry, const char *name)
-+{
-+ return -EIO;
-+}
-+
- static struct inode_operations bad_inode_ops =
- {
-- .create = EIO_ERROR,
-- .lookup = EIO_ERROR,
-- .link = EIO_ERROR,
-- .unlink = EIO_ERROR,
-- .symlink = EIO_ERROR,
-- .mkdir = EIO_ERROR,
-- .rmdir = EIO_ERROR,
-- .mknod = EIO_ERROR,
-- .rename = EIO_ERROR,
-- .readlink = EIO_ERROR,
-+ .create = bad_inode_create,
-+ .lookup = bad_inode_lookup,
-+ .link = bad_inode_link,
-+ .unlink = bad_inode_unlink,
-+ .symlink = bad_inode_symlink,
-+ .mkdir = bad_inode_mkdir,
-+ .rmdir = bad_inode_rmdir,
-+ .mknod = bad_inode_mknod,
-+ .rename = bad_inode_rename,
-+ .readlink = bad_inode_readlink,
- /* follow_link must be no-op, otherwise unmounting this inode
- won't work */
-- .truncate = EIO_ERROR,
-- .permission = EIO_ERROR,
-- .getattr = EIO_ERROR,
-- .setattr = EIO_ERROR,
-- .setxattr = EIO_ERROR,
-- .getxattr = EIO_ERROR,
-- .listxattr = EIO_ERROR,
-- .removexattr = EIO_ERROR,
-+ /* put_link returns void */
-+ /* truncate returns void */
-+ .permission = bad_inode_permission,
-+ .getattr = bad_inode_getattr,
-+ .setattr = bad_inode_setattr,
-+ .setxattr = bad_inode_setxattr,
-+ .getxattr = bad_inode_getxattr,
-+ .listxattr = bad_inode_listxattr,
-+ .removexattr = bad_inode_removexattr,
-+ /* truncate_range returns void */
- };
- 
- 
-@@ -90,7 +350,7 @@
- * on it to fail from this point on.
- */
- 
--void make_bad_inode(struct inode * inode)
-+void make_bad_inode(struct inode *inode)
- {
- remove_inode_hash(inode);
- 
-@@ -115,7 +375,7 @@
- * Returns true if the inode in question has been marked as bad.
- */
- 
--int is_bad_inode(struct inode * inode)
-+int is_bad_inode(struct inode *inode)
- {
- return (inode->i_op == &bad_inode_ops);
- }
diff --git a/debian/patches/series/12 b/debian/patches/series/12
index 371913e93..cf4b4ec01 100644
--- a/debian/patches/series/12
+++ b/debian/patches/series/12
@@ -5,5 +5,4 @@
 + bugfix/keys-serial-num-collision.patch
 + bugfix/ipv6_setsockopt-NULL-deref.patch
 + bugfix/ipv6_getsockopt_sticky-null-opt.patch
-+ bugfix/listxattr-mem-corruption.patch
 + bugfix/sparc/tcp-sendmsg-t12k-oops-fix.patch