linux-stable.git/arch/score, branch linux-2.6.32.y Linux kernel stable tree score: fix off-by-one index into syscall table 2012-01-25T21:53:25+00:00 Dan Rosenberg drosenberg@vsecurity.com 2012-01-20T22:34:27+00:00 18105e188320040b4ebdce3ac4231d719b61aedf commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream. If the provided system call number is equal to __NR_syscalls, the current check will pass and a function pointer just after the system call table may be called, since sys_call_table is an array with total size __NR_syscalls. Whether or not this is a security bug depends on what the compiler puts immediately after the system call table. It's likely that this won't do anything bad because there is an additional NULL check on the syscall entry, but if there happens to be a non-NULL value immediately after the system call table, this may result in local privilege escalation. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: Chen Liqin <liqin.chen@sunplusct.com> Cc: Lennox Wu <lennox.wu@gmail.com> Cc: Eugene Teo <eugeneteo@kernel.sg> Cc: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream.

If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table.  It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
untangle the do_mremap() mess 2010-01-18T18:19:11+00:00 Al Viro viro@zeniv.linux.org.uk 2010-01-14T19:39:39+00:00 1f51eb3a881359e97dc2c228e55c83fba598e349 This backports the following upstream commits all as one patch: 54f5de709984bae0d31d823ff03de755f9dcac54 ecc1a8993751de4e82eb18640d631dae1f626bd6 1a0ef85f84feb13f07b604fcf5b90ef7c2b5c82f f106af4e90eadd76cfc0b5325f659619e08fb762 097eed103862f9c6a97f2e415e21d1134017b135 935874141df839c706cd6cdc438e85eb69d1525e 0ec62d290912bb4b989be7563851bc364ec73b56 c4caa778157dbbf04116f0ac2111e389b5cd7a29 2ea1d13f64efdf49319e86c87d9ba38c30902782 570dcf2c15463842e384eb597a87c1e39bead99b 564b3bffc619dcbdd160de597b0547a7017ea010 0067bd8a55862ac9dd212bd1c4f6f5bff1ca1301 f8b7256096a20436f6d0926747e3ac3d64c81d24 8c7b49b3ecd48923eb64ff57e07a1cdb74782970 9206de95b1ea68357996ec02be5db0638a0de2c1 2c6a10161d0b5fc047b5bd81b03693b9af99fab5 05d72faa6d13c9d857478a5d35c85db9adada685 bb52d6694002b9d632bb355f64daa045c6293a4e e77414e0aad6a1b063ba5e5750c582c75327ea6a aa65607373a4daf2010e8c3867b6317619f3c1a3 Backport done by Greg Kroah-Hartman. Only minor tweaks were needed. Cc: David S. Miller <davem@davemloft.net> Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk> Cc: Paul Mundt <lethal@linux-sh.org> Cc: Russell King <rmk+kernel@arm.linux.org.uk> Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
This backports the following upstream commits all as one patch:
	54f5de709984bae0d31d823ff03de755f9dcac54
	ecc1a8993751de4e82eb18640d631dae1f626bd6
	1a0ef85f84feb13f07b604fcf5b90ef7c2b5c82f
	f106af4e90eadd76cfc0b5325f659619e08fb762
	097eed103862f9c6a97f2e415e21d1134017b135
	935874141df839c706cd6cdc438e85eb69d1525e
	0ec62d290912bb4b989be7563851bc364ec73b56
	c4caa778157dbbf04116f0ac2111e389b5cd7a29
	2ea1d13f64efdf49319e86c87d9ba38c30902782
	570dcf2c15463842e384eb597a87c1e39bead99b
	564b3bffc619dcbdd160de597b0547a7017ea010
	0067bd8a55862ac9dd212bd1c4f6f5bff1ca1301
	f8b7256096a20436f6d0926747e3ac3d64c81d24
	8c7b49b3ecd48923eb64ff57e07a1cdb74782970
	9206de95b1ea68357996ec02be5db0638a0de2c1
	2c6a10161d0b5fc047b5bd81b03693b9af99fab5
	05d72faa6d13c9d857478a5d35c85db9adada685
	bb52d6694002b9d632bb355f64daa045c6293a4e
	e77414e0aad6a1b063ba5e5750c582c75327ea6a
	aa65607373a4daf2010e8c3867b6317619f3c1a3

Backport done by Greg Kroah-Hartman.  Only minor tweaks were needed.

Cc: David S. Miller <davem@davemloft.net>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild-next 2009-09-23T22:37:02+00:00 Linus Torvalds torvalds@linux-foundation.org 2009-09-23T22:37:02+00:00 c37efa932598de5e30330a1414e34d9e082e0d9e * git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild-next: (30 commits) Use macros for .data.page_aligned section. Use macros for .bss.page_aligned section. Use new __init_task_data macro in arch init_task.c files. kbuild: Don't define ALIGN and ENTRY when preprocessing linker scripts. arm, cris, mips, sparc, powerpc, um, xtensa: fix build with bash 4.0 kbuild: add static to prototypes kbuild: fail build if recordmcount.pl fails kbuild: set -fconserve-stack option for gcc 4.5 kbuild: echo the record_mcount command gconfig: disable "typeahead find" search in treeviews kbuild: fix cc1 options check to ensure we do not use -fPIC when compiling checkincludes.pl: add option to remove duplicates in place markup_oops: use modinfo to avoid confusion with underscored module names checkincludes.pl: provide usage helper checkincludes.pl: close file as soon as we're done with it ctags: usability fix kernel hacking: move STRIP_ASM_SYMS from General gitignore usr/initramfs_data.cpio.bz2 and usr/initramfs_data.cpio.lzma kbuild: Check if linker supports the -X option kbuild: introduce ld-option ... Fix trivial conflict in scripts/basic/fixdep.c 
* git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild-next: (30 commits)
  Use macros for .data.page_aligned section.
  Use macros for .bss.page_aligned section.
  Use new __init_task_data macro in arch init_task.c files.
  kbuild: Don't define ALIGN and ENTRY when preprocessing linker scripts.
  arm, cris, mips, sparc, powerpc, um, xtensa: fix build with bash 4.0
  kbuild: add static to prototypes
  kbuild: fail build if recordmcount.pl fails
  kbuild: set -fconserve-stack option for gcc 4.5
  kbuild: echo the record_mcount command
  gconfig: disable "typeahead find" search in treeviews
  kbuild: fix cc1 options check to ensure we do not use -fPIC when compiling
  checkincludes.pl: add option to remove duplicates in place
  markup_oops: use modinfo to avoid confusion with underscored module names
  checkincludes.pl: provide usage helper
  checkincludes.pl: close file as soon as we're done with it
  ctags: usability fix
  kernel hacking: move STRIP_ASM_SYMS from General
  gitignore usr/initramfs_data.cpio.bz2 and usr/initramfs_data.cpio.lzma
  kbuild: Check if linker supports the -X option
  kbuild: introduce ld-option
  ...

Fix trivial conflict in scripts/basic/fixdep.c
score: Cleanup linker script using new macros. 2009-09-23T05:41:15+00:00 Tim Abbott tabbott@ksplice.com 2009-09-23T03:38:42+00:00 eccfbf98f4d77bb5849dfb96f829f14d2b292551 Signed-off-by: Tim Abbott <tabbott@ksplice.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> Signed-off-by: Chen Liqin <liqin.chen@sunplusct.com> 
Signed-off-by: Tim Abbott <tabbott@ksplice.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Chen Liqin <liqin.chen@sunplusct.com>
score: Make THREAD_SIZE available to assembly files. 2009-09-23T05:37:42+00:00 Tim Abbott tabbott@ksplice.com 2009-09-20T17:32:58+00:00 0dab1006896ef43f55b82b83ec2316f0179f681b Signed-off-by: Tim Abbott <tabbott@ksplice.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> 
Signed-off-by: Tim Abbott <tabbott@ksplice.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
score: Make PAGE_SIZE available to assembly. 2009-09-23T05:35:51+00:00 Tim Abbott tabbott@ksplice.com 2009-09-20T17:32:57+00:00 aa296ddf32da207b430f61b77a8e81c0663f07cf Signed-off-by: Tim Abbott <tabbott@ksplice.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> 
Signed-off-by: Tim Abbott <tabbott@ksplice.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Use new __init_task_data macro in arch init_task.c files. 2009-09-21T04:27:08+00:00 Joe Perches joe@perches.com 2009-09-20T22:14:13+00:00 d200c922bc2b1ac88b8d33b6cfff2ed837af186a Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Tim Abbott <tabbott@ksplice.com> Acked-by: Paul Mundt <lethal@linux-sh.org> Signed-off-by: Sam Ravnborg <sam@ravnborg.org> 
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Tim Abbott <tabbott@ksplice.com>
Acked-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
score: add TIF_NOTIFY_RESUME define in asm/thread_info.h 2009-09-17T04:05:56+00:00 Chen Liqin liqin.chen@sunplusct.com 2009-09-17T04:05:56+00:00 9973affe9bbcde64041890d8793eb2e74143c298 






score: make init_thread_union align to THREAD_SIZE
2009-08-30T04:36:41+00:00

Chen Liqin
liqin.chen@sunplusct.com

2009-08-30T04:36:41+00:00

125ec616f4f06565914123614e7287e9a490f2d9












score: update files according to review comments.
2009-08-30T04:34:08+00:00

Chen Liqin
liqin.chen@sunplusct.com

2009-08-30T04:34:08+00:00

798983b2d5f9985655ca22a7a8c504b821e3f4e0