authordann frazier <dannf@debian.org>2007-04-06 20:29:20 +0000
committerdann frazier <dannf@debian.org>2007-04-06 20:29:20 +0000
commite1c93de617159a6c2a8c9fa3917d9b3bd36edb54 (patch)
treefd5ff9c76b524924b55a8396ea4ab5e20383e753
parent6fda70ba00a34a04b5a9aa39e7a8b858484d28c5 (diff)
Patch shuffle...
Looks like we'll be doing a stable-security upload before a stable upload. Postpone the ABI-changing security fix until the stable upload (which includes its own ABI breaker), and include the non-ABI-changing fix in the stable-security upload. svn path=/dists/etch-security/linux-2.6/; revision=8427
-rw-r--r--debian/changelog5
-rw-r--r--debian/patches/bugfix/listxattr-mem-corruption.patch441
-rw-r--r--debian/patches/series/12etch11
3 files changed, 0 insertions, 447 deletions
diff --git a/debian/changelog b/debian/changelog
index c17640dd83d5..915eda8056a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,5 @@
linux-2.6 (2.6.18.dfsg.1-12etch1) UNRELEASED; urgency=low
- * bugfix/listxattr-mem-corruption.patch
- [SECURITY] Fix userspace corruption vulnerability caused by
- incorrectly promoted return values in bad_inode_ops
- This patch changes the kernel ABI.
- See CVE-2006-5753
* bugfix/core-dump-unreadable-PT_INTERP.patch
[SECURITY] Fix a vulnerability that allows local users to read
otherwise unreadable (but executable) files by triggering a core dump.
diff --git a/debian/patches/bugfix/listxattr-mem-corruption.patch b/debian/patches/bugfix/listxattr-mem-corruption.patch
deleted file mode 100644
index 10f37da8aed6..000000000000
--- a/debian/patches/bugfix/listxattr-mem-corruption.patch
+++ /dev/null
@@ -1,441 +0,0 @@
-From: Eric Sandeen <sandeen@redhat.com>
-Date: Sat, 6 Jan 2007 00:36:36 +0000 (-0800)
-Subject: [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
-X-Git-Tag: v2.6.20-rc4~60
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8;hp=2723f9603a8f8bb2cd8c7b581f7c94b8d75e3837
-
-[PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
-
-CVE-2006-5753 is for a case where an inode can be marked bad, switching
-the ops to bad_inode_ops, which are all connected as:
-
-static int return_EIO(void)
-{
- return -EIO;
-}
-
-#define EIO_ERROR ((void *) (return_EIO))
-
-static struct inode_operations bad_inode_ops =
-{
- .create = bad_inode_create
-...etc...
-
-The problem here is that the void cast causes return types to not be
-promoted, and for ops such as listxattr which expect more than 32 bits of
-return value, the 32-bit -EIO is interpreted as a large positive 64-bit
-number, i.e. 0x00000000fffffffa instead of 0xfffffffa.
-
-This goes particularly badly when the return value is taken as a number of
-bytes to copy into, say, a user's buffer for example...
-
-I originally had coded up the fix by creating a return_EIO_<TYPE> macro
-for each return type, like this:
-
-static int return_EIO_int(void)
-{
- return -EIO;
-}
-#define EIO_ERROR_INT ((void *) (return_EIO_int))
-
-static struct inode_operations bad_inode_ops =
-{
- .create = EIO_ERROR_INT,
-...etc...
-
-but Al felt that it was probably better to create an EIO-returner for each
-actual op signature. Since so few ops share a signature, I just went ahead
-& created an EIO function for each individual file & inode op that returns
-a value.
-
-Signed-off-by: Eric Sandeen <sandeen@redhat.com>
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Andrew Morton <akpm@osdl.org>
-Signed-off-by: Linus Torvalds <torvalds@osdl.org>
----
-
-Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
-
---- linux-source-2.6.18/fs/bad_inode.c.orig 2006-09-19 21:42:06.000000000 -0600
-+++ linux-source-2.6.18/fs/bad_inode.c 2007-03-19 20:56:08.000000000 -0600
-@@ -14,61 +14,321 @@
- #include <linux/time.h>
- #include <linux/smp_lock.h>
- #include <linux/namei.h>
-+#include <linux/poll.h>
-
--static int return_EIO(void)
-+
-+static loff_t bad_file_llseek(struct file *file, loff_t offset, int origin)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_read(struct file *filp, char __user *buf,
-+ size_t size, loff_t *ppos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_write(struct file *filp, const char __user *buf,
-+ size_t siz, loff_t *ppos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_aio_read(struct kiocb *iocb, char __user *buf,
-+ size_t siz, loff_t pos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_aio_write(struct kiocb *iocb, const char __user *buf,
-+ size_t siz, loff_t pos)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_readdir(struct file *filp, void *dirent, filldir_t filldir)
-+{
-+ return -EIO;
-+}
-+
-+static unsigned int bad_file_poll(struct file *filp, poll_table *wait)
-+{
-+ return POLLERR;
-+}
-+
-+static int bad_file_ioctl (struct inode *inode, struct file *filp,
-+ unsigned int cmd, unsigned long arg)
-+{
-+ return -EIO;
-+}
-+
-+static long bad_file_unlocked_ioctl(struct file *file, unsigned cmd,
-+ unsigned long arg)
-+{
-+ return -EIO;
-+}
-+
-+static long bad_file_compat_ioctl(struct file *file, unsigned int cmd,
-+ unsigned long arg)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_mmap(struct file *file, struct vm_area_struct *vma)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_open(struct inode *inode, struct file *filp)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_flush(struct file *file, fl_owner_t id)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_release(struct inode *inode, struct file *filp)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_fsync(struct file *file, struct dentry *dentry,
-+ int datasync)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_aio_fsync(struct kiocb *iocb, int datasync)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_fasync(int fd, struct file *filp, int on)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_lock(struct file *file, int cmd, struct file_lock *fl)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_readv(struct file *filp, const struct iovec *iov,
-+ unsigned long nr_segs, loff_t *ppos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_writev(struct file *filp, const struct iovec *iov,
-+ unsigned long nr_segs, loff_t *ppos)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_sendfile(struct file *in_file, loff_t *ppos,
-+ size_t count, read_actor_t actor, void *target)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_sendpage(struct file *file, struct page *page,
-+ int off, size_t len, loff_t *pos, int more)
-+{
-+ return -EIO;
-+}
-+
-+static unsigned long bad_file_get_unmapped_area(struct file *file,
-+ unsigned long addr, unsigned long len,
-+ unsigned long pgoff, unsigned long flags)
- {
- return -EIO;
- }
-
--#define EIO_ERROR ((void *) (return_EIO))
-+static int bad_file_check_flags(int flags)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_dir_notify(struct file *file, unsigned long arg)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_file_flock(struct file *filp, int cmd, struct file_lock *fl)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_splice_write(struct pipe_inode_info *pipe,
-+ struct file *out, loff_t *ppos, size_t len,
-+ unsigned int flags)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_file_splice_read(struct file *in, loff_t *ppos,
-+ struct pipe_inode_info *pipe, size_t len,
-+ unsigned int flags)
-+{
-+ return -EIO;
-+}
-
- static const struct file_operations bad_file_ops =
- {
-- .llseek = EIO_ERROR,
-- .aio_read = EIO_ERROR,
-- .read = EIO_ERROR,
-- .write = EIO_ERROR,
-- .aio_write = EIO_ERROR,
-- .readdir = EIO_ERROR,
-- .poll = EIO_ERROR,
-- .ioctl = EIO_ERROR,
-- .mmap = EIO_ERROR,
-- .open = EIO_ERROR,
-- .flush = EIO_ERROR,
-- .release = EIO_ERROR,
-- .fsync = EIO_ERROR,
-- .aio_fsync = EIO_ERROR,
-- .fasync = EIO_ERROR,
-- .lock = EIO_ERROR,
-- .readv = EIO_ERROR,
-- .writev = EIO_ERROR,
-- .sendfile = EIO_ERROR,
-- .sendpage = EIO_ERROR,
-- .get_unmapped_area = EIO_ERROR,
-+ .llseek = bad_file_llseek,
-+ .read = bad_file_read,
-+ .write = bad_file_write,
-+ .aio_read = bad_file_aio_read,
-+ .aio_write = bad_file_aio_write,
-+ .readdir = bad_file_readdir,
-+ .poll = bad_file_poll,
-+ .ioctl = bad_file_ioctl,
-+ .unlocked_ioctl = bad_file_unlocked_ioctl,
-+ .compat_ioctl = bad_file_compat_ioctl,
-+ .mmap = bad_file_mmap,
-+ .open = bad_file_open,
-+ .flush = bad_file_flush,
-+ .release = bad_file_release,
-+ .fsync = bad_file_fsync,
-+ .aio_fsync = bad_file_aio_fsync,
-+ .fasync = bad_file_fasync,
-+ .lock = bad_file_lock,
-+ .readv = bad_file_readv,
-+ .writev = bad_file_writev,
-+ .sendfile = bad_file_sendfile,
-+ .sendpage = bad_file_sendpage,
-+ .get_unmapped_area = bad_file_get_unmapped_area,
-+ .check_flags = bad_file_check_flags,
-+ .dir_notify = bad_file_dir_notify,
-+ .flock = bad_file_flock,
-+ .splice_write = bad_file_splice_write,
-+ .splice_read = bad_file_splice_read,
- };
-
-+static int bad_inode_create (struct inode *dir, struct dentry *dentry,
-+ int mode, struct nameidata *nd)
-+{
-+ return -EIO;
-+}
-+
-+static struct dentry *bad_inode_lookup(struct inode *dir,
-+ struct dentry *dentry, struct nameidata *nd)
-+{
-+ return ERR_PTR(-EIO);
-+}
-+
-+static int bad_inode_link (struct dentry *old_dentry, struct inode *dir,
-+ struct dentry *dentry)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_unlink(struct inode *dir, struct dentry *dentry)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_symlink (struct inode *dir, struct dentry *dentry,
-+ const char *symname)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_mkdir(struct inode *dir, struct dentry *dentry,
-+ int mode)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_rmdir (struct inode *dir, struct dentry *dentry)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_mknod (struct inode *dir, struct dentry *dentry,
-+ int mode, dev_t rdev)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_rename (struct inode *old_dir, struct dentry *old_dentry,
-+ struct inode *new_dir, struct dentry *new_dentry)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_readlink(struct dentry *dentry, char __user *buffer,
-+ int buflen)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_permission(struct inode *inode, int mask,
-+ struct nameidata *nd)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_getattr(struct vfsmount *mnt, struct dentry *dentry,
-+ struct kstat *stat)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_setattr(struct dentry *direntry, struct iattr *attrs)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_setxattr(struct dentry *dentry, const char *name,
-+ const void *value, size_t size, int flags)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_inode_getxattr(struct dentry *dentry, const char *name,
-+ void *buffer, size_t size)
-+{
-+ return -EIO;
-+}
-+
-+static ssize_t bad_inode_listxattr(struct dentry *dentry, char *buffer,
-+ size_t buffer_size)
-+{
-+ return -EIO;
-+}
-+
-+static int bad_inode_removexattr(struct dentry *dentry, const char *name)
-+{
-+ return -EIO;
-+}
-+
- static struct inode_operations bad_inode_ops =
- {
-- .create = EIO_ERROR,
-- .lookup = EIO_ERROR,
-- .link = EIO_ERROR,
-- .unlink = EIO_ERROR,
-- .symlink = EIO_ERROR,
-- .mkdir = EIO_ERROR,
-- .rmdir = EIO_ERROR,
-- .mknod = EIO_ERROR,
-- .rename = EIO_ERROR,
-- .readlink = EIO_ERROR,
-+ .create = bad_inode_create,
-+ .lookup = bad_inode_lookup,
-+ .link = bad_inode_link,
-+ .unlink = bad_inode_unlink,
-+ .symlink = bad_inode_symlink,
-+ .mkdir = bad_inode_mkdir,
-+ .rmdir = bad_inode_rmdir,
-+ .mknod = bad_inode_mknod,
-+ .rename = bad_inode_rename,
-+ .readlink = bad_inode_readlink,
- /* follow_link must be no-op, otherwise unmounting this inode
- won't work */
-- .truncate = EIO_ERROR,
-- .permission = EIO_ERROR,
-- .getattr = EIO_ERROR,
-- .setattr = EIO_ERROR,
-- .setxattr = EIO_ERROR,
-- .getxattr = EIO_ERROR,
-- .listxattr = EIO_ERROR,
-- .removexattr = EIO_ERROR,
-+ /* put_link returns void */
-+ /* truncate returns void */
-+ .permission = bad_inode_permission,
-+ .getattr = bad_inode_getattr,
-+ .setattr = bad_inode_setattr,
-+ .setxattr = bad_inode_setxattr,
-+ .getxattr = bad_inode_getxattr,
-+ .listxattr = bad_inode_listxattr,
-+ .removexattr = bad_inode_removexattr,
-+ /* truncate_range returns void */
- };
-
-
-@@ -90,7 +350,7 @@
- * on it to fail from this point on.
- */
-
--void make_bad_inode(struct inode * inode)
-+void make_bad_inode(struct inode *inode)
- {
- remove_inode_hash(inode);
-
-@@ -115,7 +375,7 @@
- * Returns true if the inode in question has been marked as bad.
- */
-
--int is_bad_inode(struct inode * inode)
-+int is_bad_inode(struct inode *inode)
- {
- return (inode->i_op == &bad_inode_ops);
- }
diff --git a/debian/patches/series/12etch1 b/debian/patches/series/12etch1
index 18c5e89a73c1..f0cf6d5e47cc 100644
--- a/debian/patches/series/12etch1
+++ b/debian/patches/series/12etch1
@@ -1,2 +1 @@
-+ bugfix/listxattr-mem-corruption.patch
+ bugfix/core-dump-unreadable-PT_INTERP.patch