11-22-2007, 01:38 AM
Kees Cook

security builds & testing needed

Hi! So, following the process Ben outlined for the security team, I've
applied a whole mess of cherry-picks that I'd like to have you guys take
a look at, build, test, etc:

http://kernel.ubuntu.com/git?p=kees/ubuntu-dapper-security.git;a=summary
[UBUNTU:drivers/net] drop invalid spin_unlock calls in skge (CVE-2006-7229)
minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
[PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)
[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
USB: fix DoS in pwc USB video driver (CVE-2007-5093)
wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

http://kernel.ubuntu.com/git?p=kees/ubuntu-edgy-security.git;a=summary
minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
[PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)
[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
USB: fix DoS in pwc USB video driver (CVE-2007-5093)
wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

http://kernel.ubuntu.com/git?p=kees/ubuntu-feisty-security.git;a=summary
minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
[IPV6]: Do no rely on skb->dst before it is assigned. (CVE-2007-4567)
[JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)
[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
USB: fix DoS in pwc USB video driver (CVE-2007-5093)
wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

http://kernel.ubuntu.com/git?p=kees/ubuntu-gutsy-security.git;a=summary
minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
[JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)
[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
[TCP]: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)
wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

I didn't do any changelog bits yet, in case I did something ugly in my
commits.

I don't know how (or don't have hardware) to test hugetlb and pwc --
those patches aren't entirely obvious to me either, and both required
some back-porting.

I'd like to try to get these published early next week.

Thanks,

-Kees

--
Kees Cook

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
11-23-2007, 02:44 PM
Phillip Lougher

security builds & testing needed

Kees Cook wrote:
> Hi! So, following the process Ben outlined for the security team, I've
> applied a whole mess of cherry-picks that I'd like to have you guys take
> a look at, build, test, etc:
>

Yeah, a _lot_ of cherry picks. I've looked at the patches, done some
build testing, and here's the results. I still have to do some more
build testing for patches not (completely) triggered by the default
Ubuntu kernel options.

> http://kernel.ubuntu.com/git?p=kees/ubuntu-dapper-security.git;a=summary
> [UBUNTU:drivers/net] drop invalid spin_unlock calls in skge (CVE-2006-7229)
> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
> [PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)
> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
> USB: fix DoS in pwc USB video driver (CVE-2007-5093)
> wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

Patches look OK except for one patch, and the kernel builds
successfully. Hugetlb patch isn't build tested with the default kernel
options for i386.

> USB: fix DoS in pwc USB video driver (CVE-2007-5093)

Has a number of mistakes:

Original pdev->vopen = 0; lines changed to pdev->open --;
Probably not a show stopper but should be changed.

Trace() calls changed to PWC_DEBUG_OPEN() and PWC_DEBUG_PROBE()

Module builds ok, but these are left as undefined functions (which is
one of the major problems with build testing modules as it doesn't trap
undefined symbols).


>
> http://kernel.ubuntu.com/git?p=kees/ubuntu-edgy-security.git;a=summary
> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
> [PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)
> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
> USB: fix DoS in pwc USB video driver (CVE-2007-5093)
> wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
>

Everything looks OK. Kernel builds. As for Dapper, hugetlb patch not
build tested with default kernel options for i386.

> http://kernel.ubuntu.com/git?p=kees/ubuntu-feisty-security.git;a=summary
> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
> [IPV6]: Do no rely on skb->dst before it is assigned. (CVE-2007-4567)
> [JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)
> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
> USB: fix DoS in pwc USB video driver (CVE-2007-5093)
> wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

Everything looks OK. Kernel builds. JFFS2 patch not completely build
tested with default kernel options (acl.c isn't built).

>
> http://kernel.ubuntu.com/git?p=kees/ubuntu-gutsy-security.git;a=summary
> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
> [JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)
> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
> [TCP]: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)
> wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

Everything looks OK. Kernel builds. Again JFFS2 patch not completely
build tested with default kernel options.

>
> I didn't do any changelog bits yet, in case I did something ugly in my
> commits.
>
> I don't know how (or don't have hardware) to test hugetlb and pwc --
> those patches aren't entirely obvious to me either, and both required
> some back-porting.

Hugetlb should be testable on i386 hardware (supports a huge TLB of 4M).
The overflow bug is triggered due to the difference between
HPAGE_SHIFT and PAGE_SHIFT which in this case is a massive 10 bits, and
any vm addr over 22 bits (4M) should trigger the overflow bug.

I'll see if I can write a test program, and test the other so far
unbuilt files.

Phillip

>
> I'd like to try to get these published early next week.
>
> Thanks,
>
> -Kees
>

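Phillip's point that a module can link cleanly while still calling functions nothing defines is worth turning into a routine check. The script below is an added example, not code from this thread or from the Ubuntu kernel tree: it takes the undefined symbols `nm -u` reports for a module, subtracts everything the kernel exports (Module.symvers from the build tree) plus the few names the module loader supplies itself, and flags whatever is left. Both inputs here are constructed stand-ins; the two PWC_DEBUG_* names are the ones Phillip reports, the CRC values and the other symbols are filler.

```shell
#!/bin/sh
# Added example, not code from this thread or the Ubuntu kernel tree.
# Goal: catch the failure described above -- a module that builds but still
# references functions nothing defines -- by cross-checking `nm -u module.ko`
# against the kernel's exported symbols (Module.symvers from the build tree).

# Constructed stand-in for `nm -u pwc.ko` output; the two PWC_DEBUG_* names
# are the ones reported as undefined in the thread, the rest are filler.
MODULE_UNDEF='                 U printk
                 U usb_register
                 U PWC_DEBUG_OPEN
                 U PWC_DEBUG_PROBE
                 U __this_module'

# Constructed stand-in for Module.symvers (<crc> <symbol> <module> <export type>);
# the CRC values are made up.
KERNEL_SYMVERS='0x1b7d4074 printk vmlinux EXPORT_SYMBOL
0x2f3c8a11 usb_register drivers/usb/core/usbcore EXPORT_SYMBOL_GPL'

# Symbols the module loader resolves itself; they never appear in Module.symvers.
LOADER_PROVIDED='__this_module'

# unresolved_symbols NM_OUTPUT SYMVERS LOADER_LIST
# Prints, one per line, every undefined symbol that neither list provides.
unresolved_symbols() {
    undef_list=$(printf '%s\n' "$1" | awk '$1 == "U" { print $2 }' | sort -u)
    provided_file=$(mktemp)
    # Module.symvers lines carry the symbol in field 2; the loader list has one name per line.
    printf '%s\n%s\n' "$2" "$3" \
        | awk 'NF >= 2 { print $2 } NF == 1 { print $1 }' \
        | sort -u > "$provided_file"
    # grep exits 1 when every symbol is provided; that is success here, not an error.
    printf '%s\n' "$undef_list" | grep -vxF -f "$provided_file" || true
    rm -f "$provided_file"
}

# check_module NM_OUTPUT SYMVERS LOADER_LIST
# Exit status 0 when every undefined symbol is provided, 1 otherwise.
check_module() {
    missing=$(unresolved_symbols "$1" "$2" "$3")
    if [ -n "$missing" ]; then
        for sym in $missing; do
            printf 'unresolved symbol: %s\n' "$sym"
        done
        return 1
    fi
    echo "all undefined symbols are provided"
    return 0
}

# Against the constructed data this reports PWC_DEBUG_OPEN and PWC_DEBUG_PROBE.
check_module "$MODULE_UNDEF" "$KERNEL_SYMVERS" "$LOADER_PROVIDED" \
    || echo "module has unresolved symbols and would fail at load time"
```

On a real tree the same information is available without a script: modpost prints a `"symbol" [module.ko] undefined!` warning at the end of `make modules`, and `depmod -e -F System.map` reports unresolved symbols after the modules are installed. The value of a script like this one is that it turns the warning into a failing exit status, so a build-test run cannot report success while a driver is left with functions it cannot resolve.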
11-26-2007, 10:29 AM
Phillip Lougher

security builds & testing needed

Phillip Lougher wrote:
>
> Yeah, a _lot_ of cherry picks. I've looked at the patches, done some
> build testing, and here's the results. I still have to do some more
> build testing for patches not (completely) triggered by the default
> Ubuntu kernel options.
>
>> http://kernel.ubuntu.com/git?p=kees/ubuntu-dapper-security.git;a=summary
>> [PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)

Hugetlb patch builds OK.

>> http://kernel.ubuntu.com/git?p=kees/ubuntu-edgy-security.git;a=summary
>> [PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)

Hugetlb patch builds OK.

>
>> http://kernel.ubuntu.com/git?p=kees/ubuntu-feisty-security.git;a=summary
>> [JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)

JFFS2 patch builds OK.

>> http://kernel.ubuntu.com/git?p=kees/ubuntu-gutsy-security.git;a=summary
>> [JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)

JFFS2 patch builds OK.

Thanks

Phillip

11-27-2007, 02:26 AM
Phillip Lougher

security builds & testing needed

Kees,

This is the fix for the "USB: fix DoS in pwc USB video driver
(CVE-2007-5093)" patch in Dapper.

It can be added to git using git-am.

Phillip
11-27-2007, 04:27 PM
Kees Cook

security builds & testing needed

Hi Phillip,

On Tue, Nov 27, 2007 at 03:26:44AM +0000, Phillip Lougher wrote:
> This is the fix for the "USB: fix DoS in pwc USB video driver
> (CVE-2007-5093)" patch in Dapper.
>
> It can be added to git using git-am.

Thanks! I've added it and pushed the fixed tree. I still need to grab
the NFS fixes for Feisty/Gutsy, and then double-check some other
regression fix from Fabio.

--
Kees Cook
11-27-2007, 05:34 PM
Kees Cook

security builds & testing needed

Hi,

On Fri, Nov 23, 2007 at 03:44:49PM +0000, Phillip Lougher wrote:
> Kees Cook wrote:
>> Hi! So, following the process Ben outlined for the security team, I've
>> applied a whole mess of cherry-picks that I'd like to have you guys take
>> a look at, build, test, etc:
>
> Yeah, a _lot_ of cherry picks. I've looked at the patches, done some build
> testing, and here's the results. I still have to do some more build
> testing for patches not (completely) triggered by the default Ubuntu kernel
> options.
>
>> http://kernel.ubuntu.com/git?p=kees/ubuntu-dapper-security.git;a=summary
>> [UBUNTU:drivers/net] drop invalid spin_unlock calls in skge
>> (CVE-2006-7229)
>> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
>> [PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)
>> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
>> USB: fix DoS in pwc USB video driver (CVE-2007-5093)
>> wait_task_stopped: Check p->exit_state instead of TASK_TRACED
>> (CVE-2007-5500)
>
> Patches look OK except for one patch, and the kernel builds successfully.
> Hugetlb patch isn't build tested with the default kernel options for i386.

Are any of the builds using hugetlb? (I'm not really sure what it
is...)

>> USB: fix DoS in pwc USB video driver (CVE-2007-5093)
>
> Has a number of mistakes:
>
> Original pdev->vopen = 0; lines changed to pdev->open --;
> Probably not a show stopper but should be changed.
>
> Trace() calls changed to PWC_DEBUG_OPEN() and PWC_DEBUG_PROBE()
>
> Module builds ok, but these are left as undefined functions (which is one
> of the major problems with build testing modules as it doesn't trap
> undefined symbols).

Got that fix (in other email) and applied it. Thanks!

>> http://kernel.ubuntu.com/git?p=kees/ubuntu-gutsy-security.git;a=summary
>> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
>> [JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)
>> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
>> [TCP]: Make sure write_queue_from does not begin with NULL ptr
>> (CVE-2007-5501)
>> wait_task_stopped: Check p->exit_state instead of TASK_TRACED
>> (CVE-2007-5500)
>
> Everything looks OK. Kernel builds. Again JFFS2 patch not completely
> build tested with default kernel options.

Do we ship JFFS2 with acl support anywhere?

>> I didn't do any changelog bits yet, in case I did something ugly in my
>> commits.
>> I don't know how (or don't have hardware) to test hugetlb and pwc --
>> those patches aren't entirely obvious to me either, and both required
>> some back-porting.
>
> Hugetlb should be testable on i386 hardware (supports a huge TLB of 4M).
> The overflow bug is triggered due to the difference between HPAGE_SHIFT and
> PAGE_SHIFT which in this case is a massive 10 bits, and any vm addr over 22
> bits (4M) should trigger the overflow bug.
>
> I'll see if I can write a test program, and test the other so far unbuilt
> files.

So this should have been a major visible bug if we ever ran with it?
Does it make sense to skip the JFFS2 and hugetlb patches if none of our
kernels build with the affected options?

Thanks,

-Kees

--
Kees Cook