rpms/kernel/F-10 add-fno-delete-null-pointer-checks-to-gcc-cflags.patch, NONE, 1.1 personality-fix-per_clear_on_setid.patch, NONE, 1.1 security-use-mmap_min_addr-indepedently-of-security-models.patch, NONE, 1.1 config-generic, 1.231, 1.232 kernel.spec, 1.1397, 1.1398

Chuck Ebbert cebbert at fedoraproject.org
Mon Aug 17 13:50:46 UTC 2009


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15467

Modified Files:
	config-generic kernel.spec 
Added Files:
	add-fno-delete-null-pointer-checks-to-gcc-cflags.patch 
	personality-fix-per_clear_on_setid.patch 
	security-use-mmap_min_addr-indepedently-of-security-models.patch 
Log Message:
More security fixes from the F-11 2.6.29.6 kernel.

add-fno-delete-null-pointer-checks-to-gcc-cflags.patch:
 Makefile |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- NEW FILE add-fno-delete-null-pointer-checks-to-gcc-cflags.patch ---
>From a3ca86aea507904148870946d599e07a340b39bf Mon Sep 17 00:00:00 2001
From: Eugene Teo <eteo at redhat.com>
Date: Wed, 15 Jul 2009 14:59:10 +0800
Subject: Add '-fno-delete-null-pointer-checks' to gcc CFLAGS

From: Eugene Teo <eteo at redhat.com>

commit a3ca86aea507904148870946d599e07a340b39bf upstream.

Turning on this flag could prevent the compiler from optimising away
some "useless" checks for null pointers.  Such bugs can sometimes become
exploitable at compile time because of the -O2 optimisation.

See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html

An example that clearly shows this 'problem' is commit 6bf67672.

 static void __devexit agnx_pci_remove(struct pci_dev *pdev)
 {
     struct ieee80211_hw *dev = pci_get_drvdata(pdev);
-    struct agnx_priv *priv = dev->priv;
+    struct agnx_priv *priv;
     AGNX_TRACE;

     if (!dev)
         return;
+    priv = dev->priv;

By reverting this patch, and compiling it with and without the
-fno-delete-null-pointer-checks flag, we can see that the check for dev
is compiled away.

    call    printk  #
-   testq   %r12, %r12  # dev
-   je  .L94    #,
    movq    %r12, %rdi  # dev,

Clearly the 'fix' is to stop using dev before it is tested, but building
with -fno-delete-null-pointer-checks flag at least makes it harder to
abuse.

Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
Acked-by: Eric Paris <eparis at redhat.com>
Acked-by: Wang Cong <amwang at redhat.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 Makefile |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/Makefile
+++ b/Makefile
@@ -340,7 +340,8 @@ KBUILD_CPPFLAGS := -D__KERNEL__ $(LINUXI
 
 KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
 		   -fno-strict-aliasing -fno-common \
-		   -Werror-implicit-function-declaration
+		   -Werror-implicit-function-declaration \
+		   -fno-delete-null-pointer-checks
 KBUILD_AFLAGS   := -D__ASSEMBLY__
 
 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
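Review bot: the flag is appended to KBUILD_CFLAGS unconditionally, so a toolchain that rejects it fails the whole build at the first compile; kbuild's cc-option test, e.g. `$(call cc-option,-fno-delete-null-pointer-checks,)`, would degrade gracefully instead. A short comment next to the new line saying why it is there (the compiler may otherwise delete a NULL test that follows a dereference; the description above says this is a mitigation, not a fix for the use-before-test ordering) would spare the next person a trip to the commit log, since the Makefile carries no explanation of its own.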

personality-fix-per_clear_on_setid.patch:
 personality.h |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- NEW FILE personality-fix-per_clear_on_setid.patch ---
>From f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 Mon Sep 17 00:00:00 2001
From: Julien Tinnes <jt at cr0.org>
Date: Fri, 26 Jun 2009 20:27:40 +0200
Subject: personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)

From: Julien Tinnes <jt at cr0.org>

commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 upstream.

We have found that the current PER_CLEAR_ON_SETID mask on Linux includes
neither ADDR_COMPAT_LAYOUT nor MMAP_PAGE_ZERO.

The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

We believe it is important to add MMAP_PAGE_ZERO, because by using this
personality it is possible to have the first page mapped inside a
process running as setuid root.  This could be used in those scenarios:

 - Exploiting a NULL pointer dereference issue in a setuid root binary
 - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
   running a setuid binary that would drop privileges before giving us
   control back (for instance by loading a user-supplied library), we
   could get the first page mapped in a process we control.  By further
   using mremap and mprotect on this mapping, we can then completely
   bypass the mmap_min_addr restrictions.

Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
since on 32-bit x86 it will in practice disable most of the address
space layout randomization (only the stack will remain randomized).

Signed-off-by: Julien Tinnes <jt at cr0.org>
Signed-off-by: Tavis Ormandy <taviso at sdf.lonestar.org>
Acked-by: Christoph Hellwig <hch at infradead.org>
Acked-by: Kees Cook <kees at ubuntu.com>
Acked-by: Eugene Teo <eugene at redhat.com>
[ Shortened lines and fixed whitespace as per Christoph's suggestion ]
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 include/linux/personality.h |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/include/linux/personality.h
+++ b/include/linux/personality.h
@@ -40,7 +40,10 @@ enum {
  * Security-relevant compatibility flags that must be
  * cleared upon setuid or setgid exec:
  */
-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
+#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC  | \
+			    ADDR_NO_RANDOMIZE  | \
+			    ADDR_COMPAT_LAYOUT | \
+			    MMAP_PAGE_ZERO)
 
 /*
  * Personality types.
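Review bot: the header comment above the define ("cleared upon setuid or setgid exec") is left untouched, so nothing in the file records that a program run under a personality which carries MMAP_PAGE_ZERO (PER_SVR4 includes it) will no longer get the zero page across a setid exec; a one-line comment beside the two new mask entries naming the reason (NULL-page mapping in a privileged process, and ASLR loss on 32-bit) would make the change self-explaining, and the behaviour change deserves a mention for users of such emulation personalities. The continuation-line layout itself is fine.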

security-use-mmap_min_addr-indepedently-of-security-models.patch:
 include/linux/mm.h       |    2 --
 include/linux/security.h |    2 ++
 kernel/sysctl.c          |    2 --
 mm/Kconfig               |   18 ++++++++++++++++++
 mm/mmap.c                |    3 +++
 security/Kconfig         |   22 +---------------------
 security/security.c      |    3 ---
 7 files changed, 24 insertions(+), 28 deletions(-)

--- NEW FILE security-use-mmap_min_addr-indepedently-of-security-models.patch ---
>From e0a94c2a63f2644826069044649669b5e7ca75d3 Mon Sep 17 00:00:00 2001
From: Christoph Lameter <cl at linux-foundation.org>
Date: Wed, 3 Jun 2009 16:04:31 -0400
Subject: security: use mmap_min_addr indepedently of security models

From: Christoph Lameter <cl at linux-foundation.org>

commit e0a94c2a63f2644826069044649669b5e7ca75d3 upstream.

This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
It also sets a default mmap_min_addr of 4096.

mmapping of addresses below 4096 will only be possible for processes
with CAP_SYS_RAWIO.

Signed-off-by: Christoph Lameter <cl at linux-foundation.org>
Acked-by: Eric Paris <eparis at redhat.com>
Looks-ok-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: James Morris <jmorris at namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 include/linux/mm.h       |    2 --
 include/linux/security.h |    2 ++
 kernel/sysctl.c          |    2 --
 mm/Kconfig               |   19 +++++++++++++++++++
 mm/mmap.c                |    3 +++
 security/Kconfig         |   22 +---------------------
 security/security.c      |    3 ---
 7 files changed, 25 insertions(+), 28 deletions(-)

--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -580,12 +580,10 @@ static inline void set_page_links(struct
  */
 static inline unsigned long round_hint_to_min(unsigned long hint)
 {
-#ifdef CONFIG_SECURITY
 	hint &= PAGE_MASK;
 	if (((void *)hint != NULL) &&
 	    (hint < mmap_min_addr))
 		return PAGE_ALIGN(mmap_min_addr);
-#endif
 	return hint;
 }
 
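Review bot: with the #ifdef gone, round_hint_to_min() references mmap_min_addr in every configuration, so the extern declaration it depends on must be unconditional as well; this hunk does not touch that declaration, so confirm it is not itself inside a CONFIG_SECURITY block or !CONFIG_SECURITY builds will fail right here. The `(void *)hint != NULL` test is worth a comment: a hint of exactly 0 still passes through unrounded because it means "let the kernel choose", not "give me the zero page", and a reader seeing mmap_min_addr enforcement nearby could easily mistake it for a gap.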
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2197,6 +2197,8 @@ static inline int security_file_mmap(str
 				     unsigned long addr,
 				     unsigned long addr_only)
 {
+	if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+		return -EACCES;
 	return 0;
 }
 
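Review bot: the check added to the !CONFIG_SECURITY stub is a second copy of the policy the capability code applies when an LSM is built in, and the two can drift (this copy ignores the addr_only argument entirely, for instance); a single helper called from both paths would keep the decision identical regardless of config. Note also that capable() is the audited variant, so every denied low mapping from an unprivileged process shows up as a failed CAP_SYS_RAWIO check when audit is enabled, which is probably desirable but should be a conscious choice.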
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1225,7 +1225,6 @@ static struct ctl_table vm_table[] = {
 		.strategy	= &sysctl_jiffies,
 	},
 #endif
-#ifdef CONFIG_SECURITY
 	{
 		.ctl_name	= CTL_UNNUMBERED,
 		.procname	= "mmap_min_addr",
@@ -1234,7 +1233,6 @@ static struct ctl_table vm_table[] = {
 		.mode		= 0644,
 		.proc_handler	= &proc_doulongvec_minmax,
 	},
-#endif
 #ifdef CONFIG_NUMA
 	{
 		.ctl_name	= CTL_UNNUMBERED,
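Review bot: the entry is now registered unconditionally and keeps mode 0644 with proc_doulongvec_minmax and, as far as the hunk shows, no .extra1/.extra2 bounds, so a root write of 0 to /proc/sys/vm/mmap_min_addr silently removes everything the rest of this series adds. A lower clamp, or at least a printk when the value is lowered to 0, would make that an explicit decision; if the bounds are set in lines the hunk elides, disregard.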
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -216,3 +216,21 @@ config HAVE_MLOCKED_PAGE_BIT
 
 config MMU_NOTIFIER
 	bool
+
+config DEFAULT_MMAP_MIN_ADDR
+        int "Low address space to protect from user allocation"
+        default 4096
+        help
+	  This is the portion of low virtual memory which should be protected
+	  from userspace allocation.  Keeping a user from writing to low pages
+	  can help reduce the impact of kernel NULL pointer bugs.
+
+	  For most ia64, ppc64 and x86 users with lots of address space
+	  a value of 65536 is reasonable and should cause no problems.
+	  On arm and other archs it should not be higher than 32768.
+	  Programs which use vm86 functionality would either need additional
+	  permissions from either the LSM or the capabilities module or have
+	  this protection disabled.
+
+	  This value can be changed after boot using the
+	  /proc/sys/vm/mmap_min_addr tunable.
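Review bot: indentation in the new entry mixes eight spaces on the `int`, `default` and `help` lines with tab plus two spaces in the help text; Kconfig convention is a tab for the attribute lines and tab plus two spaces for help, so the three attribute lines should use a tab (the old security/Kconfig entry had the same mix, so this is a chance to fix it rather than carry it over). The help text still recommends 65536 while the option now defaults to 4096; one sentence explaining that gap would save the next reader a question.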
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -87,6 +87,9 @@ int sysctl_overcommit_ratio = 50;	/* def
 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
 struct percpu_counter vm_committed_as;
 
+/* amount of vm to protect from userspace access */
+unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+
 /*
  * Check that a process has enough memory to allocate a new virtual
  * mapping. 0 means there is enough memory for the allocation to
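Review bot: mm/mmap.c is only built for CONFIG_MMU kernels (nommu builds compile mm/nommu.c instead), yet the security.h hunk in this same patch now references mmap_min_addr in every configuration, so a nommu config will fail to link unless mm/nommu.c gets the same definition or the reference is guarded. Either add the definition to nommu.c too or put it in a file that is always built.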
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -110,28 +110,8 @@ config SECURITY_ROOTPLUG
 
 	  See <http://www.linuxjournal.com/article.php?sid=6279> for
 	  more information about this module.
-	  
-	  If you are unsure how to answer this question, answer N.
-
-config SECURITY_DEFAULT_MMAP_MIN_ADDR
-        int "Low address space to protect from user allocation"
-        depends on SECURITY
-        default 0
-        help
-	  This is the portion of low virtual memory which should be protected
-	  from userspace allocation.  Keeping a user from writing to low pages
-	  can help reduce the impact of kernel NULL pointer bugs.
-
-	  For most ia64, ppc64 and x86 users with lots of address space
-	  a value of 65536 is reasonable and should cause no problems.
-	  On arm and other archs it should not be higher than 32768.
-	  Programs which use vm86 functionality would either need additional
-	  permissions from either the LSM or the capabilities module or have
-	  this protection disabled.
-
-	  This value can be changed after boot using the
-	  /proc/sys/vm/mmap_min_addr tunable.
 
+	  If you are unsure how to answer this question, answer N.
 
 source security/selinux/Kconfig
 source security/smack/Kconfig
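Review bot: removing SECURITY_DEFAULT_MMAP_MIN_ADDR without a migration means every existing .config loses its value; `make oldconfig` prompts for the new DEFAULT_MMAP_MIN_ADDR with the 4096 default, so someone who had 65536 and accepts defaults ends up with less protection than before. The config-generic change in this commit handles that for the Fedora build, but the patch description should say it for everyone else. The trailing-whitespace cleanup and the removal and re-addition of the "If you are unsure" line are unrelated noise that make the hunk harder to read; better as a separate change.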
--- a/security/security.c
+++ b/security/security.c
@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct se
 
 struct security_operations *security_ops;	/* Initialized to NULL */
 
-/* amount of vm to protect from userspace access */
-unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
-
 static inline int verify(struct security_operations *ops)
 {
 	/* verify the security_operations structure exists */
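The three patches above are about one thing: whether user space can get a mapping at or near address 0, which is what turns a kernel NULL-pointer dereference (the class of bug the -fno-delete-null-pointer-checks change is a mitigation for) into something exploitable. The following probe is an added example, not part of the Fedora commit or the upstream patches, for checking that behaviour on a running kernel. It assumes Linux with /proc mounted (elsewhere read_mmap_min_addr() returns -1 and the two probes just report what mmap() did); all function names are ours.

```c
/*
 * Added example, not part of the Fedora commit or the upstream patches:
 * probe how the running kernel treats mappings at and below mmap_min_addr.
 *
 * Assumptions (labelled here and in the lead-in): a Linux kernel with /proc
 * mounted; on other systems read_mmap_min_addr() returns -1 and the probes
 * only report what mmap() did.  All function names are ours.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Current vm.mmap_min_addr, or -1 if it cannot be read. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;

    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/*
 * What an exploit for a kernel NULL-pointer dereference needs: a writable
 * page at address 0.  Returns 0 if the kernel let us map it (the page is
 * unmapped again immediately), otherwise the errno mmap() reported.  With
 * mmap_min_addr enforced this is refused (EPERM or EACCES depending on the
 * kernel version) unless the caller has CAP_SYS_RAWIO, which is exactly why
 * inheriting MMAP_PAGE_ZERO into a setuid-root process mattered.
 */
int probe_zero_page(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);

    if (p == MAP_FAILED)
        return errno;
    munmap(p, pg);
    return 0;
}

/*
 * The other half of the mmap_min_addr patch: a low *hint* without MAP_FIXED
 * is not an error, it is rounded up (round_hint_to_min in the mm.h hunk), so
 * the address the kernel hands back must be >= mmap_min_addr.  Returns that
 * address, or 0 if the mapping failed.
 */
unsigned long probe_low_hint(unsigned long hint)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)hint, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    unsigned long addr;

    if (p == MAP_FAILED)
        return 0;
    addr = (unsigned long)p;
    munmap(p, pg);
    return addr;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    int zero = probe_zero_page();
    unsigned long low = probe_low_hint(4096);

    printf("vm.mmap_min_addr       : %ld\n", min_addr);
    printf("MAP_FIXED at 0         : %s (errno %d)\n",
           zero == 0 ? "MAPPED, zero page is reachable" : "denied", zero);
    printf("hint 4096, no MAP_FIXED: placed at 0x%lx\n", low);
    return 0;
}
```

Run it once as an ordinary user and once under a process that holds CAP_SYS_RAWIO: the first should be denied at address 0 and see its 4096 hint placed at or above mmap_min_addr, the second can map the zero page, which is the difference the PER_CLEAR_ON_SETID change is meant to keep from crossing a setuid boundary.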


Index: config-generic
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/config-generic,v
retrieving revision 1.231
retrieving revision 1.232
diff -u -p -r1.231 -r1.232
--- config-generic	16 Jun 2009 05:25:44 -0000	1.231
+++ config-generic	17 Aug 2009 13:50:45 -0000	1.232
@@ -3332,7 +3332,7 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
 CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
-CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # CONFIG_SECURITY_SMACK is not set
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1397
retrieving revision 1.1398
diff -u -p -r1.1397 -r1.1398
--- kernel.spec	15 Aug 2009 04:32:10 -0000	1.1397
+++ kernel.spec	17 Aug 2009 13:50:45 -0000	1.1398
@@ -753,6 +753,10 @@ Patch11000: linux-2.6-parport-quickfix-t
 Patch11100: linux-2.6-dev-zero-avoid-oom-lockup.patch
 Patch11020: linux-2.6-usb-remove-low-latency-hack.patch
 Patch11030: linux-2.6-x86-delay-tsc-barrier.patch
+# security fixes from the F-11 2.6.29.6 kernel
+Patch11040: add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
+Patch11050: security-use-mmap_min_addr-indepedently-of-security-models.patch
+Patch11060: personality-fix-per_clear_on_setid.patch
 
 %endif
 
@@ -1417,6 +1421,13 @@ ApplyPatch linux-2.6-usb-remove-low-late
 # fix broken tsc delay code
 ApplyPatch linux-2.6-x86-delay-tsc-barrier.patch
 
+# security fixes from the F-11 2.6.29.6 kernel
+# fix test-after-use of null pointers
+ApplyPatch add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
+# mmap zero page fixes
+ApplyPatch security-use-mmap_min_addr-indepedently-of-security-models.patch
+ApplyPatch personality-fix-per_clear_on_setid.patch
+
 # ======= END OF PATCH APPLICATIONS =============================
 
 %endif
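Review bot: the comment "# fix test-after-use of null pointers" overstates the first patch; -fno-delete-null-pointer-checks only stops the compiler from deleting a NULL test that follows a dereference, the test-after-use bugs themselves stay. Suggest "# keep NULL checks that follow a dereference (mitigation, not a fix)". The "mmap zero page fixes" comment covers two patches; naming CVE-2009-1895 on the personality one would make it greppable later, as the previous entry does for CVE-2009-2767.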
@@ -1993,6 +2004,9 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Mon Aug 17 2009 Chuck Ebbert <cebbert at redhat.com> kernel-2.6.29.6-98
+- More security fixes from the F-11 2.6.29.6 kernel.
+
 * Sat Aug 15 2009 Kyle McMartin <kyle at redhat.com> 2.6.29.6-96
 - For F-10-updates-testing:
 - CVE-2009-2767: Fix clock_nanosleep NULL ptr deref.
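Review bot: the new changelog header uses "kernel-2.6.29.6-98" while the entry below it uses the bare "2.6.29.6-96" form; keep one format. The body only repeats the commit log line; listing the three patches and CVE-2009-1895 here, the way the previous entry names CVE-2009-2767, is what users will actually see in rpm -q --changelog.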




More information about the fedora-extras-commits mailing list