[pve-devel] r5185 - pve-kernel-2.6.18/stable

svn-commits at proxmox.com svn-commits at proxmox.com
Mon Sep 20 14:50:29 CEST 2010


Author: dietmar
Date: 2010-09-20 12:50:28 +0000 (Mon, 20 Sep 2010)
New Revision: 5185

Added:
   pve-kernel-2.6.18/stable/diff-ms-compat_alloc_user_space-exploit-20100917
Modified:
   pve-kernel-2.6.18/stable/Makefile
   pve-kernel-2.6.18/stable/changelog.Debian
Log:


Modified: pve-kernel-2.6.18/stable/Makefile
===================================================================
--- pve-kernel-2.6.18/stable/Makefile	2010-09-20 12:04:15 UTC (rev 5184)
+++ pve-kernel-2.6.18/stable/Makefile	2010-09-20 12:50:28 UTC (rev 5185)
@@ -1,9 +1,9 @@
-RELEASE=1.5
+RELEASE=1.6
 
 # also update kvmdeb/changelog
 KERNEL_VER=2.6.18
-PKGREL=5
-KREL=2
+PKGREL=6
+KREL=3
 
 KERNELSRCRPM=ovzkernel-2.6.18-164.10.1.el5.028stab067.4.src.rpm
 RHKERSRCDIR=rh-kernel-src
@@ -154,6 +154,7 @@
 	cd ${RHKERSRCDIR}; tar xf linux-${KERNEL_VER}.tar.bz2
 	./applyrhpatch.pl ${RHKERSRCDIR} ${RHKERSRCDIR}/${KERNEL_SRC} |tee applyrhpatch.log.tmp
 	diff -u applyrhpatch.log applyrhpatch.log.tmp
+	cd ${RHKERSRCDIR}/${KERNEL_SRC}; patch -p1 <../../diff-ms-compat_alloc_user_space-exploit-20100917
 	mv ${RHKERSRCDIR}/${KERNEL_SRC} ${KERNEL_SRC}.org
 	touch $@
 
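Review bot: The added recipe line chains `cd` and `patch` with `;`, so the exit status of `cd` is ignored and the security patch step does not stop cleanly at the first failure. Prefer `cd ${RHKERSRCDIR}/${KERNEL_SRC} && patch -p1 <../../diff-ms-compat_alloc_user_space-exploit-20100917`. The `../../` path also assumes `${KERNEL_SRC}` is exactly one directory below `${RHKERSRCDIR}`, which is not visible in this hunk. The `diff -u applyrhpatch.log` comparison runs before this line, so it does not confirm the CVE fix applied; that rests only on the exit status of `patch`. The rule begins above the hunk, so its target and prerequisites are not shown here.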

Modified: pve-kernel-2.6.18/stable/changelog.Debian
===================================================================
--- pve-kernel-2.6.18/stable/changelog.Debian	2010-09-20 12:04:15 UTC (rev 5184)
+++ pve-kernel-2.6.18/stable/changelog.Debian	2010-09-20 12:50:28 UTC (rev 5185)
@@ -1,3 +1,9 @@
+pve-kernel-2.6.18 (2.6.18-6) unstable; urgency=low
+
+  * fix CVE-2010-3081
+
+ -- Proxmox Support Team <support at proxmox.com>  Mon, 20 Sep 2010 14:49:44 +0200
+
 pve-kernel-2.6.18 (2.6.18-5) unstable; urgency=low
 
   * update to ovzkernel-2.6.18-164.10.1.el5.028stab067.4.src.rpm

Added: pve-kernel-2.6.18/stable/diff-ms-compat_alloc_user_space-exploit-20100917
===================================================================
--- pve-kernel-2.6.18/stable/diff-ms-compat_alloc_user_space-exploit-20100917	                        (rev 0)
+++ pve-kernel-2.6.18/stable/diff-ms-compat_alloc_user_space-exploit-20100917	2010-09-20 12:50:28 UTC (rev 5185)
@@ -0,0 +1,160 @@
+From c41d68a513c71e35a14f66d71782d27a79a81ea6 Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin <hpa at linux.intel.com>
+Date: Tue, 7 Sep 2010 16:16:18 -0700
+Subject: [PATCH] compat: Make compat_alloc_user_space() incorporate the access_ok()
+
+compat_alloc_user_space() expects the caller to independently call
+access_ok() to verify the returned area.  A missing call could
+introduce problems on some architectures.
+
+This patch incorporates the access_ok() check into
+compat_alloc_user_space() and also adds a sanity check on the length.
+The existing compat_alloc_user_space() implementations are renamed
+arch_compat_alloc_user_space() and are used as part of the
+implementation of the new global function.
+
+This patch assumes NULL will cause __get_user()/__put_user() to either
+fail or access userspace on all architectures.  This should be
+followed by checking the return value of compat_access_user_space()
+for NULL in the callers, at which time the access_ok() in the callers
+can also be removed.
+
+Reported-by: Ben Hawkes <hawkes at sota.gen.nz>
+Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+Acked-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Acked-by: Chris Metcalf <cmetcalf at tilera.com>
+Acked-by: David S. Miller <davem at davemloft.net>
+Acked-by: Ingo Molnar <mingo at elte.hu>
+Acked-by: Thomas Gleixner <tglx at linutronix.de>
+Acked-by: Tony Luck <tony.luck at intel.com>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Arnd Bergmann <arnd at arndb.de>
+Cc: Fenghua Yu <fenghua.yu at intel.com>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+Cc: Helge Deller <deller at gmx.de>
+Cc: James Bottomley <jejb at parisc-linux.org>
+Cc: Kyle McMartin <kyle at mcmartin.ca>
+Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Paul Mackerras <paulus at samba.org>
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Cc: <stable at kernel.org>
+
+http://seclists.org/fulldisclosure/2010/Sep/268
+https://bugzilla.redhat.com/show_bug.cgi?id=634457
+https://jira.sw.ru/browse/PCLIN-27695
+
+--- ./include/asm-ia64/compat.h.exp	2006-09-20 07:42:06.000000000 +0400
++++ ./include/asm-ia64/compat.h	2010-09-17 11:38:16.000000000 +0400
+@@ -196,7 +196,7 @@ ptr_to_compat(void __user *uptr)
+ }
+ 
+ static __inline__ void __user *
+-compat_alloc_user_space (long len)
++arch_compat_alloc_user_space (long len)
+ {
+ 	struct pt_regs *regs = task_pt_regs(current);
+ 	return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
+--- ./include/asm-mips/compat.h.exp	2006-09-20 07:42:06.000000000 +0400
++++ ./include/asm-mips/compat.h	2010-09-17 11:38:25.000000000 +0400
+@@ -138,7 +138,7 @@ static inline compat_uptr_t ptr_to_compa
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = (struct pt_regs *)
+ 		((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
+--- ./include/asm-parisc/compat.h.exp	2006-09-20 07:42:06.000000000 +0400
++++ ./include/asm-parisc/compat.h	2010-09-17 11:38:32.000000000 +0400
+@@ -144,7 +144,7 @@ static inline compat_uptr_t ptr_to_compa
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static __inline__ void __user *compat_alloc_user_space(long len)
++static __inline__ void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = &current->thread.regs;
+ 	return (void __user *)regs->gr[30];
+--- ./include/asm-powerpc/compat.h.exp	2006-09-20 07:42:06.000000000 +0400
++++ ./include/asm-powerpc/compat.h	2010-09-17 11:38:37.000000000 +0400
+@@ -131,7 +131,7 @@ static inline compat_uptr_t ptr_to_compa
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = current->thread.regs;
+ 	unsigned long usp = regs->gpr[1];
+--- ./include/asm-s390/compat.h.exp	2006-09-20 07:42:06.000000000 +0400
++++ ./include/asm-s390/compat.h	2010-09-17 11:38:44.000000000 +0400
+@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compa
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	unsigned long stack;
+ 
+--- ./include/asm-sparc64/compat.h.exp	2006-09-20 07:42:06.000000000 +0400
++++ ./include/asm-sparc64/compat.h	2010-09-17 11:38:49.000000000 +0400
+@@ -164,7 +164,7 @@ static inline compat_uptr_t ptr_to_compa
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static __inline__ void __user *compat_alloc_user_space(long len)
++static __inline__ void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = current_thread_info()->kregs;
+ 	unsigned long usp = regs->u_regs[UREG_I6];
+--- ./include/asm-x86_64/compat.h.exp	2006-09-20 07:42:06.000000000 +0400
++++ ./include/asm-x86_64/compat.h	2010-09-17 11:38:55.000000000 +0400
+@@ -196,7 +196,7 @@ static inline compat_uptr_t ptr_to_compa
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static __inline__ void __user *compat_alloc_user_space(long len)
++static __inline__ void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = task_pt_regs(current);
+ 	return (void __user *)regs->rsp - len; 
+--- ./kernel/compat.c.exp	2010-08-16 13:51:16.000000000 +0400
++++ ./kernel/compat.c	2010-09-17 12:03:02.000000000 +0400
+@@ -966,3 +966,24 @@ asmlinkage long compat_sys_move_pages(pi
+ 	return sys_move_pages(pid, nr_pages, pages, nodes, status, flags);
+ }
+ #endif
++
++/*
++ * Allocate user-space memory for the duration of a single system call,
++ * in order to marshall parameters inside a compat thunk.
++ */
++void __user *compat_alloc_user_space(unsigned long len)
++{
++	void __user *ptr;
++
++	/* If len would occupy more than half of the entire compat space... */
++	if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
++		return NULL;
++
++	ptr = arch_compat_alloc_user_space(len);
++
++	if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
++		return NULL;
++
++	return ptr;
++}
++EXPORT_SYMBOL(compat_alloc_user_space);
+--- linux-2.6.18/include/linux/compat.h.orig	2010-09-20 14:43:18.000000000 +0200
++++ linux-2.6.18/include/linux/compat.h	2010-09-20 14:45:41.000000000 +0200
+@@ -253,5 +253,7 @@
+                         const compat_sigset_t __user *sigmask,
+                         compat_size_t sigsetsize);
+ 
++extern void __user *compat_alloc_user_space(unsigned long len);
++
+ #endif /* CONFIG_COMPAT */
+ #endif /* _LINUX_COMPAT_H */
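Review bot: The comment above the new `compat_alloc_user_space()` in kernel/compat.c does not say that the function can now return NULL, and nothing in this patch changes any caller to check for it. The embedded commit message states that the fix relies on `__get_user()`/`__put_user()` failing or faulting on a NULL pointer, so that contract should be recorded where callers will read it. For example, extend the comment with `Returns NULL if len exceeds half the compat address space or the area fails access_ok(VERIFY_WRITE); callers must not assume a valid pointer.` Separately, the old implementations were `static inline` in the asm-*/compat.h headers, so any module built against the earlier headers presumably still carries its own unchecked copy. Such modules need rebuilding against this tree to pick up the exported, checked function.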


