diff options
author | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-20 21:44:42 +0000 |
---|---|---|
committer | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-20 21:44:42 +0000 |
commit | 38a90ebc4e89c1a69909d3473e1817ceaec55a5a (patch) | |
tree | 70915308f08fc564ced09cb0222bd52e306dd4d0 /sys-kernel/usermode-sources/files | |
parent | Marked ~ppc. (Manifest recommit) (diff) | |
download | gentoo-2-38a90ebc4e89c1a69909d3473e1817ceaec55a5a.tar.gz gentoo-2-38a90ebc4e89c1a69909d3473e1817ceaec55a5a.tar.bz2 gentoo-2-38a90ebc4e89c1a69909d3473e1817ceaec55a5a.zip |
Security fixes - bugs #74384, #74392, #74464.
Diffstat (limited to 'sys-kernel/usermode-sources/files')
-rw-r--r-- | sys-kernel/usermode-sources/files/digest-usermode-sources-2.6.8.1-r7 (renamed from sys-kernel/usermode-sources/files/digest-usermode-sources-2.6.8.1-r6) | 0 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1016.patch | 75 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1056.patch | 202 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1137.patch | 77 |
4 files changed, 354 insertions, 0 deletions
diff --git a/sys-kernel/usermode-sources/files/digest-usermode-sources-2.6.8.1-r6 b/sys-kernel/usermode-sources/files/digest-usermode-sources-2.6.8.1-r7 index 700dd6829cb4..700dd6829cb4 100644 --- a/sys-kernel/usermode-sources/files/digest-usermode-sources-2.6.8.1-r6 +++ b/sys-kernel/usermode-sources/files/digest-usermode-sources-2.6.8.1-r7 diff --git a/sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1016.patch b/sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1016.patch new file mode 100644 index 000000000000..aa25ac95ed61 --- /dev/null +++ b/sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1016.patch @@ -0,0 +1,75 @@ +===== include/linux/socket.h 1.12 vs edited ===== +--- 1.12/include/linux/socket.h 2004-09-09 06:40:01 +10:00 ++++ edited/include/linux/socket.h 2004-11-27 11:53:40 +11:00 +@@ -90,6 +90,10 @@ + (struct cmsghdr *)(ctl) : \ + (struct cmsghdr *)NULL) + #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen) ++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \ ++ (cmsg)->cmsg_len <= (unsigned long) \ ++ ((mhdr)->msg_controllen - \ ++ ((char *)(cmsg) - (char *)(mhdr)->msg_control))) + + /* + * This mess will go away with glibc +===== net/core/scm.c 1.10 vs edited ===== +--- 1.10/net/core/scm.c 2004-05-31 05:08:14 +10:00 ++++ edited/net/core/scm.c 2004-11-27 11:48:55 +11:00 +@@ -127,9 +127,7 @@ + for too short ancillary data object at all! Oops. + OK, let's add it... + */ +- if (cmsg->cmsg_len < sizeof(struct cmsghdr) || +- (unsigned long)(((char*)cmsg - (char*)msg->msg_control) +- + cmsg->cmsg_len) > msg->msg_controllen) ++ if (!CMSG_OK(msg, cmsg)) + goto error; + + if (cmsg->cmsg_level != SOL_SOCKET) +===== net/ipv4/ip_sockglue.c 1.26 vs edited ===== +--- 1.26/net/ipv4/ip_sockglue.c 2004-07-01 06:10:53 +10:00 ++++ edited/net/ipv4/ip_sockglue.c 2004-11-27 11:49:45 +11:00 +@@ -146,11 +146,8 @@ + struct cmsghdr *cmsg; + + for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) { +- if (cmsg->cmsg_len < sizeof(struct cmsghdr) || +- (unsigned long)(((char*)cmsg - (char*)msg->msg_control) +- + cmsg->cmsg_len) > msg->msg_controllen) { ++ if (!CMSG_OK(msg, cmsg)) + return -EINVAL; +- } + if (cmsg->cmsg_level != SOL_IP) + continue; + switch (cmsg->cmsg_type) { +===== net/ipv6/datagram.c 1.20 vs edited ===== +--- 1.20/net/ipv6/datagram.c 2004-11-10 17:57:03 +11:00 ++++ edited/net/ipv6/datagram.c 2004-11-27 11:51:15 +11:00 +@@ -427,9 +427,7 @@ + int addr_type; + struct net_device *dev = NULL; + +- if (cmsg->cmsg_len < sizeof(struct cmsghdr) || +- (unsigned long)(((char*)cmsg - (char*)msg->msg_control) +- + cmsg->cmsg_len) > msg->msg_controllen) { ++ if (!CMSG_OK(msg, cmsg)) { + err = -EINVAL; + goto exit_f; + } +===== net/sctp/socket.c 1.129 vs edited ===== +--- 1.129/net/sctp/socket.c 2004-11-19 08:43:18 +11:00 ++++ edited/net/sctp/socket.c 2004-11-27 11:52:11 +11:00 +@@ -4098,12 +4098,8 @@ + for (cmsg = CMSG_FIRSTHDR(msg); + cmsg != NULL; + cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) { +- /* Check for minimum length. The SCM code has this check. */ +- if (cmsg->cmsg_len < sizeof(struct cmsghdr) || +- (unsigned long)(((char*)cmsg - (char*)msg->msg_control) +- + cmsg->cmsg_len) > msg->msg_controllen) { ++ if (!CMSG_OK(msg, cmsg)) + return -EINVAL; +- } + + /* Should we parse this header or ignore? */ + if (cmsg->cmsg_level != IPPROTO_SCTP) diff --git a/sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1056.patch b/sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1056.patch new file mode 100644 index 000000000000..f55ca8372e38 --- /dev/null +++ b/sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1056.patch @@ -0,0 +1,202 @@ +diff -ur linux-2.6.7/drivers/char/drm/i810_dma.c linux-2.6.7.drm.plasmaroo/drivers/char/drm/i810_dma.c +--- linux-2.6.7/drivers/char/drm/i810_dma.c 2004-06-16 06:19:12.000000000 +0100 ++++ linux-2.6.7.drm.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-19 22:52:54.885438960 +0000 +@@ -1034,10 +1034,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + i810_flush_queue(dev); + return 0; +@@ -1059,10 +1056,7 @@ + if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1094,10 +1088,7 @@ + if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + /* GH: Someone's doing nasty things... */ + if (!dev->dev_private) { +@@ -1118,10 +1109,8 @@ + + DRM_DEBUG("i810_swap_bufs\n"); + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + i810_dma_dispatch_swap( dev ); + return 0; +@@ -1156,10 +1145,7 @@ + if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + d.granted = 0; + +@@ -1270,10 +1256,7 @@ + return -EFAULT; + + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_mc called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if (mc.idx >= dma->buf_count || mc.idx < 0) + return -EINVAL; +@@ -1321,10 +1304,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_fstatus called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + return I810_READ(0x30008); + } + +@@ -1335,10 +1315,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_ov0_flip called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + //Tell the overlay to update + I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000); +@@ -1380,10 +1357,7 @@ + + DRM_DEBUG("%s\n", __FUNCTION__); + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flip_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if (!dev_priv->page_flipping) + i810_do_init_pageflip( dev ); +diff -ur linux-2.6.7/drivers/char/drm/i830_dma.c linux-2.6.7.drm.plasmaroo/drivers/char/drm/i830_dma.c +--- linux-2.6.7/drivers/char/drm/i830_dma.c 2004-06-16 06:18:57.000000000 +0100 ++++ linux-2.6.7.drm.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-19 22:52:54.887438656 +0000 +@@ -1320,10 +1320,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + i830_flush_queue(dev); + return 0; +@@ -1344,10 +1341,7 @@ + if (copy_from_user(&vertex, (drm_i830_vertex_t __user *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1374,10 +1368,7 @@ + if (copy_from_user(&clear, (drm_i830_clear_t __user *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + /* GH: Someone's doing nasty things... */ + if (!dev->dev_private) { +@@ -1399,10 +1390,7 @@ + + DRM_DEBUG("i830_swap_bufs\n"); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + i830_dma_dispatch_swap( dev ); + return 0; +@@ -1443,10 +1431,7 @@ + + DRM_DEBUG("%s\n", __FUNCTION__); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flip_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if (!dev_priv->page_flipping) + i830_do_init_pageflip( dev ); +@@ -1485,10 +1470,7 @@ + if (copy_from_user(&d, (drm_i830_dma_t __user *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + d.granted = 0; + +diff -ur linux-2.6.7/drivers/char/drm/i830_irq.c linux-2.6.7.drm.plasmaroo/drivers/char/drm/i830_irq.c +--- linux-2.6.7/drivers/char/drm/i830_irq.c 2004-06-16 06:19:44.000000000 +0100 ++++ linux-2.6.7.drm.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-19 22:52:54.887438656 +0000 +@@ -129,10 +129,7 @@ + drm_i830_irq_emit_t emit; + int result; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_irq_emit called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if ( !dev_priv ) { + DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ ); diff --git a/sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1137.patch b/sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1137.patch new file mode 100644 index 000000000000..0a54680f6f4b --- /dev/null +++ b/sys-kernel/usermode-sources/files/usermode-sources-2.6.CAN-2004-1137.patch @@ -0,0 +1,77 @@ +# ChangeSet +# 2004/12/14 11:06:25-08:00 chrisw@osdl.org +# [IPV4/IPV6]: IGMP source filter fixes +# +# When adding or deleting from the source list make sure to find matches +# by comparing against the new source address, not the group address. +# Also, check each addr in the list rather than just the first one. +# And, finally, only delete from list when there's a match rather than +# vice-versa. Drop the effort to keep list sorted, since it's not done +# on full-state api and can create an sl_addr entry that the delta api +# won't be able to delete. Without these fixes sl_count can be corrupted +# which can allow for kernel memory corruption. +# +# Signed-off-by: Chris Wright <chrisw@osdl.org> +# Signed-off-by: David S. Miller <davem@davemloft.net> +# +diff -Nru a/net/ipv4/igmp.c b/net/ipv4/igmp.c +--- a/net/ipv4/igmp.c 2004-12-20 11:32:15 -08:00 ++++ b/net/ipv4/igmp.c 2004-12-20 11:32:15 -08:00 +@@ -1778,12 +1778,12 @@ + goto done; + rv = !0; + for (i=0; i<psl->sl_count; i++) { +- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr, ++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr, + sizeof(__u32)); +- if (rv >= 0) ++ if (rv == 0) + break; + } +- if (!rv) /* source not found */ ++ if (rv) /* source not found */ + goto done; + + /* update the interface filter */ +@@ -1825,9 +1825,9 @@ + } + rv = 1; /* > 0 for insert logic below if sl_count is 0 */ + for (i=0; i<psl->sl_count; i++) { +- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr, ++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr, + sizeof(__u32)); +- if (rv >= 0) ++ if (rv == 0) + break; + } + if (rv == 0) /* address already there is an error */ +diff -Nru a/net/ipv6/mcast.c b/net/ipv6/mcast.c +--- a/net/ipv6/mcast.c 2004-12-20 11:32:15 -08:00 ++++ b/net/ipv6/mcast.c 2004-12-20 11:32:15 -08:00 +@@ -391,12 +391,12 @@ + goto done; + rv = !0; + for (i=0; i<psl->sl_count; i++) { +- rv = memcmp(&psl->sl_addr, group, ++ rv = memcmp(&psl->sl_addr[i], source, + sizeof(struct in6_addr)); +- if (rv >= 0) ++ if (rv == 0) + break; + } +- if (!rv) /* source not found */ ++ if (rv) /* source not found */ + goto done; + + /* update the interface filter */ +@@ -437,8 +437,8 @@ + } + rv = 1; /* > 0 for insert logic below if sl_count is 0 */ + for (i=0; i<psl->sl_count; i++) { +- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr)); +- if (rv >= 0) ++ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr)); ++ if (rv == 0) + break; + } + if (rv == 0) /* address already there is an error */ |