security fixes from git head

5 files changed, 399 insertions, 1 deletions

diff --git a/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch b/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
new file mode 100644
index 0000000..f0ecb03
--- /dev/null
+++ b/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
@@ -0,0 +1,189 @@
+From c41d68a513c71e35a14f66d71782d27a79a81ea6 Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin <hpa@linux.intel.com>
+Date: Tue, 7 Sep 2010 16:16:18 -0700
+Subject: [PATCH] compat: Make compat_alloc_user_space() incorporate the access_ok()
+
+compat_alloc_user_space() expects the caller to independently call
+access_ok() to verify the returned area.  A missing call could
+introduce problems on some architectures.
+
+This patch incorporates the access_ok() check into
+compat_alloc_user_space() and also adds a sanity check on the length.
+The existing compat_alloc_user_space() implementations are renamed
+arch_compat_alloc_user_space() and are used as part of the
+implementation of the new global function.
+
+This patch assumes NULL will cause __get_user()/__put_user() to either
+fail or access userspace on all architectures.  This should be
+followed by checking the return value of compat_access_user_space()
+for NULL in the callers, at which time the access_ok() in the callers
+can also be removed.
+
+Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Acked-by: Chris Metcalf <cmetcalf@tilera.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Tony Luck <tony.luck@intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: James Bottomley <jejb@parisc-linux.org>
+Cc: Kyle McMartin <kyle@mcmartin.ca>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: <stable@kernel.org>
+---
+ arch/ia64/include/asm/compat.h    |    2 +-
+ arch/mips/include/asm/compat.h    |    2 +-
+ arch/parisc/include/asm/compat.h  |    2 +-
+ arch/powerpc/include/asm/compat.h |    2 +-
+ arch/s390/include/asm/compat.h    |    2 +-
+ arch/sparc/include/asm/compat.h   |    2 +-
+ arch/x86/include/asm/compat.h     |    2 +-
+ include/linux/compat.h            |    3 +++
+ kernel/compat.c                   |   21 +++++++++++++++++++++
+ 10 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h
+index f90edc8..9301a28 100644
+--- a/arch/ia64/include/asm/compat.h
++++ b/arch/ia64/include/asm/compat.h
+@@ -199,7 +199,7 @@ ptr_to_compat(void __user *uptr)
+ }
+ 
+ static __inline__ void __user *
+-compat_alloc_user_space (long len)
++arch_compat_alloc_user_space (long len)
+ {
+ 	struct pt_regs *regs = task_pt_regs(current);
+ 	return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
+diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h
+index 613f691..dbc5106 100644
+--- a/arch/mips/include/asm/compat.h
++++ b/arch/mips/include/asm/compat.h
+@@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = (struct pt_regs *)
+ 		((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
+diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h
+index 02b77ba..efa0b60 100644
+--- a/arch/parisc/include/asm/compat.h
++++ b/arch/parisc/include/asm/compat.h
+@@ -147,7 +147,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static __inline__ void __user *compat_alloc_user_space(long len)
++static __inline__ void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = &current->thread.regs;
+ 	return (void __user *)regs->gr[30];
+diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h
+index 396d21a..a11d4ea 100644
+--- a/arch/powerpc/include/asm/compat.h
++++ b/arch/powerpc/include/asm/compat.h
+@@ -134,7 +134,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = current->thread.regs;
+ 	unsigned long usp = regs->gpr[1];
+diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
+index 104f200..a875c2f 100644
+--- a/arch/s390/include/asm/compat.h
++++ b/arch/s390/include/asm/compat.h
+@@ -181,7 +181,7 @@ static inline int is_compat_task(void)
+ 
+ #endif
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	unsigned long stack;
+ 
+diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h
+index 5016f76..6f57325 100644
+--- a/arch/sparc/include/asm/compat.h
++++ b/arch/sparc/include/asm/compat.h
+@@ -167,7 +167,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = current_thread_info()->kregs;
+ 	unsigned long usp = regs->u_regs[UREG_I6];
+diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
+index 306160e..1d9cd27 100644
+--- a/arch/x86/include/asm/compat.h
++++ b/arch/x86/include/asm/compat.h
+@@ -205,7 +205,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = task_pt_regs(current);
+ 	return (void __user *)regs->sp - len;
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index 9ddc878..5778b55 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -360,5 +360,8 @@ extern ssize_t compat_rw_copy_check_uvector(int type,
+ 		const struct compat_iovec __user *uvector, unsigned long nr_segs,
+ 		unsigned long fast_segs, struct iovec *fast_pointer,
+ 		struct iovec **ret_pointer);
++
++extern void __user *compat_alloc_user_space(unsigned long len);
++
+ #endif /* CONFIG_COMPAT */
+ #endif /* _LINUX_COMPAT_H */
+diff --git a/kernel/compat.c b/kernel/compat.c
+index e167efc..c9e2ec0 100644
+--- a/kernel/compat.c
++++ b/kernel/compat.c
+@@ -1126,3 +1126,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info)
+ 
+ 	return 0;
+ }
++
++/*
++ * Allocate user-space memory for the duration of a single system call,
++ * in order to marshall parameters inside a compat thunk.
++ */
++void __user *compat_alloc_user_space(unsigned long len)
++{
++	void __user *ptr;
++
++	/* If len would occupy more than half of the entire compat space... */
++	if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
++		return NULL;
++
++	ptr = arch_compat_alloc_user_space(len);
++
++	if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
++		return NULL;
++
++	return ptr;
++}
++EXPORT_SYMBOL_GPL(compat_alloc_user_space);
+-- 
+1.7.2.3
+
diff --git a/02-compat-test-rax-for-the-system-call-number-not-eax.patch b/02-compat-test-rax-for-the-system-call-number-not-eax.patch
new file mode 100644
index 0000000..15ff0ca
--- /dev/null
+++ b/02-compat-test-rax-for-the-system-call-number-not-eax.patch
@@ -0,0 +1,97 @@
+From 36d001c70d8a0144ac1d038f6876c484849a74de Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin <hpa@linux.intel.com>
+Date: Tue, 14 Sep 2010 12:42:41 -0700
+Subject: [PATCH] x86-64, compat: Test %rax for the syscall number, not %eax
+
+On 64 bits, we always, by necessity, jump through the system call
+table via %rax.  For 32-bit system calls, in theory the system call
+number is stored in %eax, and the code was testing %eax for a valid
+system call number.  At one point we loaded the stored value back from
+the stack to enforce zero-extension, but that was removed in checkin
+d4d67150165df8bf1cc05e532f6efca96f907cab.  An actual 32-bit process
+will not be able to introduce a non-zero-extended number, but it can
+happen via ptrace.
+
+Instead of re-introducing the zero-extension, test what we are
+actually going to use, i.e. %rax.  This only adds a handful of REX
+prefixes to the code.
+
+Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Cc: <stable@kernel.org>
+Cc: Roland McGrath <roland@redhat.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+---
+ arch/x86/ia32/ia32entry.S |   14 +++++++-------
+ 1 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
+index b86feab..84e3a4e 100644
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
+ 	testl  $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ 	CFI_REMEMBER_STATE
+ 	jnz  sysenter_tracesys
+-	cmpl	$(IA32_NR_syscalls-1),%eax
++	cmpq	$(IA32_NR_syscalls-1),%rax
+ 	ja	ia32_badsys
+ sysenter_do_call:
+ 	IA32_ARG_FIXUP
+@@ -195,7 +195,7 @@ sysexit_from_sys_call:
+ 	movl $AUDIT_ARCH_I386,%edi	/* 1st arg: audit arch */
+ 	call audit_syscall_entry
+ 	movl RAX-ARGOFFSET(%rsp),%eax	/* reload syscall number */
+-	cmpl $(IA32_NR_syscalls-1),%eax
++	cmpq $(IA32_NR_syscalls-1),%rax
+ 	ja ia32_badsys
+ 	movl %ebx,%edi			/* reload 1st syscall arg */
+ 	movl RCX-ARGOFFSET(%rsp),%esi	/* reload 2nd syscall arg */
+@@ -248,7 +248,7 @@ sysenter_tracesys:
+ 	call	syscall_trace_enter
+ 	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
+ 	RESTORE_REST
+-	cmpl	$(IA32_NR_syscalls-1),%eax
++	cmpq	$(IA32_NR_syscalls-1),%rax
+ 	ja	int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
+ 	jmp	sysenter_do_call
+ 	CFI_ENDPROC
+@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
+ 	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ 	CFI_REMEMBER_STATE
+ 	jnz   cstar_tracesys
+-	cmpl $IA32_NR_syscalls-1,%eax
++	cmpq $IA32_NR_syscalls-1,%rax
+ 	ja  ia32_badsys
+ cstar_do_call:
+ 	IA32_ARG_FIXUP 1
+@@ -367,7 +367,7 @@ cstar_tracesys:
+ 	LOAD_ARGS32 ARGOFFSET, 1  /* reload args from stack in case ptrace changed it */
+ 	RESTORE_REST
+ 	xchgl %ebp,%r9d
+-	cmpl $(IA32_NR_syscalls-1),%eax
++	cmpq $(IA32_NR_syscalls-1),%rax
+ 	ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
+ 	jmp cstar_do_call
+ END(ia32_cstar_target)
+@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
+ 	orl   $TS_COMPAT,TI_status(%r10)
+ 	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ 	jnz ia32_tracesys
+-	cmpl $(IA32_NR_syscalls-1),%eax
++	cmpq $(IA32_NR_syscalls-1),%rax
+ 	ja ia32_badsys
+ ia32_do_call:
+ 	IA32_ARG_FIXUP
+@@ -444,7 +444,7 @@ ia32_tracesys:
+ 	call syscall_trace_enter
+ 	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
+ 	RESTORE_REST
+-	cmpl $(IA32_NR_syscalls-1),%eax
++	cmpq $(IA32_NR_syscalls-1),%rax
+ 	ja  int_ret_from_sys_call	/* ia32_tracesys has set RAX(%rsp) */
+ 	jmp ia32_do_call
+ END(ia32_syscall)
+-- 
+1.7.2.3
+
diff --git a/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch b/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
new file mode 100644
index 0000000..b7fa739
--- /dev/null
+++ b/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
@@ -0,0 +1,49 @@
+From eefdca043e8391dcd719711716492063030b55ac Mon Sep 17 00:00:00 2001
+From: Roland McGrath <roland@redhat.com>
+Date: Tue, 14 Sep 2010 12:22:58 -0700
+Subject: [PATCH] x86-64, compat: Retruncate rax after ia32 syscall entry tracing
+
+In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
+32-bit tracee in system call entry.  A %rax value set via ptrace at the
+entry tracing stop gets used whole as a 32-bit syscall number, while we
+only check the low 32 bits for validity.
+
+Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
+in addition to testing the full 64 bits as has already been added.
+
+Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+---
+ arch/x86/ia32/ia32entry.S |    8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
+index 84e3a4e..518bb99 100644
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -50,7 +50,12 @@
+ 	/*
+ 	 * Reload arg registers from stack in case ptrace changed them.
+ 	 * We don't reload %eax because syscall_trace_enter() returned
+-	 * the value it wants us to use in the table lookup.
++	 * the %rax value we should see.  Instead, we just truncate that
++	 * value to 32 bits again as we did on entry from user mode.
++	 * If it's a new value set by user_regset during entry tracing,
++	 * this matches the normal truncation of the user-mode value.
++	 * If it's -1 to make us punt the syscall, then (u32)-1 is still
++	 * an appropriately invalid value.
+ 	 */
+ 	.macro LOAD_ARGS32 offset, _r9=0
+ 	.if \_r9
+@@ -60,6 +65,7 @@
+ 	movl \offset+48(%rsp),%edx
+ 	movl \offset+56(%rsp),%esi
+ 	movl \offset+64(%rsp),%edi
++	movl %eax,%eax			/* zero extension */
+ 	.endm
+ 	
+ 	.macro CFI_STARTPROC32 simple
+-- 
+1.7.2.3
+
diff --git a/aio-check-for-multiplication-overflow-in-do_io_submit.patch b/aio-check-for-multiplication-overflow-in-do_io_submit.patch
new file mode 100644
index 0000000..36b949c
--- /dev/null
+++ b/aio-check-for-multiplication-overflow-in-do_io_submit.patch
@@ -0,0 +1,47 @@
+From 75e1c70fc31490ef8a373ea2a4bea2524099b478 Mon Sep 17 00:00:00 2001
+From: Jeff Moyer <jmoyer@redhat.com>
+Date: Fri, 10 Sep 2010 14:16:00 -0700
+Subject: [PATCH] aio: check for multiplication overflow in do_io_submit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Tavis Ormandy pointed out that do_io_submit does not do proper bounds
+checking on the passed-in iocb array:
+
+       if (unlikely(nr < 0))
+               return -EINVAL;
+
+       if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
+               return -EFAULT;                      ^^^^^^^^^^^^^^^^^^
+
+The attached patch checks for overflow, and if it is detected, the
+number of iocbs submitted is scaled down to a number that will fit in
+the long.  This is an ok thing to do, as sys_io_submit is documented as
+returning the number of iocbs submitted, so callers should handle a
+return value of less than the 'nr' argument passed in.
+
+Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/aio.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 3006b5b..1320b2a 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1659,6 +1659,9 @@ long do_io_submit(aio_context_t ctx_id, long nr,
+ 	if (unlikely(nr < 0))
+ 		return -EINVAL;
+ 
++	if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
++		nr = LONG_MAX/sizeof(*iocbpp);
++
+ 	if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
+ 		return -EFAULT;
+ 
+-- 
+1.7.2.3
+
diff --git a/kernel.spec b/kernel.spec
index 77f42a9..5e043be 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -47,7 +47,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 167
+%global baserelease 168
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -638,6 +638,11 @@ Patch21: linux-2.6-tracehook.patch
 Patch22: linux-2.6-utrace.patch
 Patch23: linux-2.6-utrace-ptrace.patch
 
+Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
+Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
+Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
+Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
+
 Patch141: linux-2.6-ps3-storage-alias.patch
 Patch143: linux-2.6-g5-therm-shutdown.patch
 Patch144: linux-2.6-vio-modalias.patch
@@ -1282,6 +1287,11 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
 ApplyPatch via-hwmon-temp-sensor.patch
 ApplyPatch linux-2.6-dell-laptop-rfkill-fix.patch
 
+ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
+ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
+ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
+
+
 #
 # Intel IOMMU
 #
@@ -1315,6 +1325,7 @@ ApplyPatch linux-2.6-execshield.patch
 #
 # bugfixes to drivers and filesystems
 #
+ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
 
 # ext4
 
@@ -2207,6 +2218,11 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Tue Sep 14 2010 Kyle McMartin <kyle@redhat.com> 2.6.32.21-168
+- x86_64: plug compat syscalls holes. (CVE-2010-3081, CVE-2010-3301)
+  upgrading is highly recommended.
+- aio: check for multiplication overflow in do_io_submit.
+
 * Mon Sep 06 2010 Kyle McMartin <kyle@redhat.com>
 - Backport two fixes from Eric Paris to resolve #598796 which avoids a
   capability check if the request comes from the kernel.