
(-)file_not_specified_in_diff (-16 / +24 lines)
by Relay1.suse.de (Relay1 [127.0.0.1]) (amavisd-new, port 10026) with ESMTP
by Relay1.suse.de (Relay1 [127.0.0.1]) (amavisd-new, port 10026) with ESMTP
1
id 17679-14 for <ak@suse.de>; Thu,  9 Mar 2006 23:21:04 +0100 (CET)
1
id 17679-14 for <ak@suse.de>; Thu,  9 Mar 2006 23:21:04 +0100 (CET)
2
Marcelo Tosatti <marcelo.tosatti@cyclades.com>
2
Marcelo Tosatti <marcelo.tosatti@cyclades.com>
3
Asit K Mallick <asit.k.mallick@intel.com>,
3
Asit K Mallick <asit.k.mallick@intel.com>,
4
Dave Jones <davej@redhat.com>,
4
Dave Jones <davej@redhat.com>,
5
Jason Baron <jbaron@redhat.com>,
5
Jason Baron <jbaron@redhat.com>,
6
Ernie Petrides <petrides@redhat.com>,
6
Ernie Petrides <petrides@redhat.com>,
7
security@kernel.org,
7
security@kernel.org,
8
vendor-sec@lst.de
8
vendor-sec@lst.de
9
            <200603090058.k290wkuu017903@pasta.boston.redhat.com>
9
            <200603090058.k290wkuu017903@pasta.boston.redhat.com>
10
MY_LINUX
10
MY_LINUX
11
 1) execve() system call
11
 1) execve() system call
12
 2) signal catching
12
 2) signal catching
13
 3) returning from a signal handler
13
 3) returning from a signal handler
14
 4) ptrace() system call using PTRACE_POKEUSR or PTRACE_SETREGS
14
 4) ptrace() system call using PTRACE_POKEUSR or PTRACE_SETREGS
15
-- linux-2.4.21/fs/binfmt_elf.c.orig
15
++ linux-2.4.21/fs/binfmt_elf.c
Lines 78-84 static struct linux_binfmt elf_format = Link Here
78
	NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, ELF_EXEC_PAGESIZE
78
	NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, ELF_EXEC_PAGESIZE
79
};
79
};
80
80
81
#define BAD_ADDR(x)	((unsigned long)(x) > TASK_SIZE)
81
#define BAD_ADDR(x)	((unsigned long)(x) >= TASK_SIZE)
82
82
83
static int set_brk(unsigned long start, unsigned long end)
83
static int set_brk(unsigned long start, unsigned long end)
84
{
84
{
Lines 358-364 static unsigned long load_elf_interp(str Link Here
358
	    	elf_type |= MAP_FIXED;
358
	    	elf_type |= MAP_FIXED;
359
359
360
	    map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot,
360
	    map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot,
361
elf_type, total_size);
361
				elf_type, total_size);
362
	    total_size = 0UL;
362
	    total_size = 0UL;
363
	    if (BAD_ADDR(map_addr)) {
363
	    if (BAD_ADDR(map_addr)) {
364
	        error = map_addr;
364
	        error = map_addr;
Lines 376-382 elf_type, total_size); Link Here
376
	     * <= p_memsz so it is only necessary to check p_memsz.
376
	     * <= p_memsz so it is only necessary to check p_memsz.
377
	     */
377
	     */
378
	    k = load_addr + eppnt->p_vaddr;
378
	    k = load_addr + eppnt->p_vaddr;
379
	    if (k > TASK_SIZE || eppnt->p_filesz > eppnt->p_memsz ||
379
	    if (BAD_ADDR(k) || eppnt->p_filesz > eppnt->p_memsz ||
380
		eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
380
		eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
381
	        error = -ENOMEM;
381
	        error = -ENOMEM;
382
		goto out_close;
382
		goto out_close;
Lines 825-831 static int load_elf_binary(struct linux_ Link Here
825
		 * allowed task size. Note that p_filesz must always be
825
		 * allowed task size. Note that p_filesz must always be
826
		 * <= p_memsz so it is only necessary to check p_memsz.
826
		 * <= p_memsz so it is only necessary to check p_memsz.
827
		 */
827
		 */
828
		if (k > TASK_SIZE || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
828
		if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
829
		    elf_ppnt->p_memsz > TASK_SIZE ||
829
		    elf_ppnt->p_memsz > TASK_SIZE ||
830
		    TASK_SIZE - elf_ppnt->p_memsz < k) {
830
		    TASK_SIZE - elf_ppnt->p_memsz < k) {
831
			/* set_brk can never work.  Avoid overflows.  */
831
			/* set_brk can never work.  Avoid overflows.  */
Lines 876-885 static int load_elf_binary(struct linux_ Link Here
876
						    &interp_load_addr);
876
						    &interp_load_addr);
877
877
878
		if (BAD_ADDR(elf_entry)) {
878
		if (BAD_ADDR(elf_entry)) {
879
			printk(KERN_ERR "Unable to load interpreter\n");
879
			force_sig(SIGSEGV, current);
880
			send_sig(SIGSEGV, current, 0);
881
			retval = IS_ERR((void *)elf_entry) ?
880
			retval = IS_ERR((void *)elf_entry) ?
882
					(int)elf_entry : -ENOEXEC;
881
					(int)elf_entry : -EINVAL;
883
			goto out_free_dentry;
882
			goto out_free_dentry;
884
		}
883
		}
885
		reloc_func_desc = interp_load_addr;
884
		reloc_func_desc = interp_load_addr;
Lines 887-892 static int load_elf_binary(struct linux_ Link Here
887
		allow_write_access(interpreter);
886
		allow_write_access(interpreter);
888
		fput(interpreter);
887
		fput(interpreter);
889
		kfree(elf_interpreter);
888
		kfree(elf_interpreter);
889
	} else {
890
		if (BAD_ADDR(elf_entry)) {
891
			force_sig(SIGSEGV, current);
892
			retval = -EINVAL;
893
			goto out_free_dentry;
894
		}
890
	}
895
	}
891
896
892
	kfree(elf_phdata);
897
	kfree(elf_phdata);
893
-- linux-2.4.21/arch/x86_64/kernel/signal.c.orig
898
++ linux-2.4.21/arch/x86_64/kernel/signal.c
Lines 137-151 restore_sigcontext(struct pt_regs *regs, Link Here
137
137
138
138
139
#define COPY(x)		err |= __get_user(regs->x, &sc->x)
139
#define COPY(x)		err |= __get_user(regs->x, &sc->x)
140
#define COPY_CANON(x)   \
141
	COPY(x); \
142
	if ((regs->x >> 48)  != 0 && (regs->x >> 48) != 0xffff) \
143
				regs->x = 0; 
144
140
145
	/* fs and gs are ignored because we cannot handle the 64bit base easily */ 
141
	/* fs and gs are ignored because we cannot handle the 64bit base easily */ 
146
142
147
	COPY(rdi); COPY(rsi); COPY(rbp); COPY_CANON(rsp); COPY(rbx);
143
	COPY(rdi); COPY(rsi); COPY(rbp); COPY(rsp);
148
	COPY(rdx); COPY(rcx); COPY_CANON(rip);
144
	if (unlikely(regs->rsp >= TASK_SIZE))
145
		regs->rsp = 0UL;
146
	COPY(rbx); COPY(rdx); COPY(rcx); COPY(rip);
147
	if (unlikely(regs->rip >= TASK_SIZE))
148
		regs->rip = 0UL;
149
	COPY(r8);
149
	COPY(r8);
150
	COPY(r9);
150
	COPY(r9);
151
	COPY(r10);
151
	COPY(r10);
Lines 378-384 static void setup_rt_frame(int sig, stru Link Here
378
	regs->rsi = (unsigned long)&frame->info; 
378
	regs->rsi = (unsigned long)&frame->info; 
379
	regs->rdx = (unsigned long)&frame->uc; 
379
	regs->rdx = (unsigned long)&frame->uc; 
380
	regs->rsp = (unsigned long) frame;
380
	regs->rsp = (unsigned long) frame;
381
	regs->rip = (unsigned long) ka->sa.sa_handler;
381
	if (unlikely((unsigned long)ka->sa.sa_handler >= TASK_SIZE))
382
		regs->rip = 0UL;
383
	else
384
		regs->rip = (unsigned long)ka->sa.sa_handler;
382
	regs->cs = __USER_CS;
385
	regs->cs = __USER_CS;
383
	regs->ss = __USER_DS; 
386
	regs->ss = __USER_DS; 
384
387
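Review bot: The preamble lists four paths by which an unchecked address reaches user registers, the fourth being ptrace() with PTRACE_POKEUSR or PTRACE_SETREGS, yet the hunks on this page touch only fs/binfmt_elf.c and arch/x86_64/kernel/signal.c, so that path is not covered by this diff unless it lands in a separate patch (the -16/+24 diffstat matches the visible hunks, so nothing appears truncated). The new checks in restore_sigcontext and setup_rt_frame silently replace rip/rsp with 0UL rather than failing the call, and nothing near them says why; a one-line comment above each `if (unlikely(... >= TASK_SIZE))` would help, e.g. `/* never load a rip/rsp at or above TASK_SIZE; 0 presumably faults in user mode instead */`. The BAD_ADDR() change from `>` to `>=` now rejects TASK_SIZE itself, which is consistent with the `TASK_SIZE - p_memsz < k` checks in load_elf_interp and load_elf_binary, but the description should say so since every BAD_ADDR() caller in the file changes behaviour at that boundary. All hunks are excerpts; restore_sigcontext, setup_rt_frame, load_elf_interp and load_elf_binary each start and end outside the lines shown.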
