rpms/kernel/F-8 linux-2.6-drm-i915-fix-ioctl-security.patch, NONE, 1.1 linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch, NONE, 1.1 kernel.spec, 1.558, 1.559
Chuck Ebbert
cebbert at fedoraproject.org
Fri Oct 17 19:11:46 UTC 2008
- Previous message: rpms/strigi/devel import.log, NONE, 1.1 .cvsignore, 1.9, 1.10 sources, 1.9, 1.10 strigi.spec, 1.19, 1.20 strigi-multilib-fix.patch, 1.1, NONE
- Next message: rpms/strigi/devel strigi.spec,1.20,1.21
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27987
Modified Files:
kernel.spec
Added Files:
linux-2.6-drm-i915-fix-ioctl-security.patch
linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch
Log Message:
Two security patches from F9:
Fix IOCTL permission checking in sbni WAN adapter (CVE-2008-3525).
DRM: fix ioctl security issue (CVE-2008-3831).
linux-2.6-drm-i915-fix-ioctl-security.patch:
--- NEW FILE linux-2.6-drm-i915-fix-ioctl-security.patch ---
Index: linux-2.6.26.noarch/drivers/char/drm/i915_dma.c
===================================================================
--- linux-2.6.26.noarch.orig/drivers/char/drm/i915_dma.c
+++ linux-2.6.26.noarch/drivers/char/drm/i915_dma.c
@@ -1577,7 +1577,7 @@ struct drm_ioctl_desc i915_ioctls[] = {
DRM_IOCTL_DEF(DRM_I915_SET_VBLANK_PIPE, i915_vblank_pipe_set, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY ),
DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ),
DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH),
- DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH),
+ DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
};
int i915_max_ioctl = DRM_ARRAY_SIZE(i915_ioctls);
linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch:
--- NEW FILE linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch ---
From: Eugene Teo <eugeneteo at kernel.sg>
Date: Wed, 27 Aug 2008 11:50:30 +0000 (-0700)
Subject: wan: Missing capability checks in sbni_ioctl()
X-Git-Tag: v2.6.27-rc5~8^2~2
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f2455eb176ac87081bbfc9a44b21c7cd2bc1967e
wan: Missing capability checks in sbni_ioctl()
There are missing capability checks in the following code:
1300 static int
1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)
1302 {
[...]
1319 case SIOCDEVRESINSTATS :
1320 if( current->euid != 0 ) /* root only */
1321 return -EPERM;
[...]
1336 case SIOCDEVSHWSTATE :
1337 if( current->euid != 0 ) /* root only */
1338 return -EPERM;
[...]
1357 case SIOCDEVENSLAVE :
1358 if( current->euid != 0 ) /* root only */
1359 return -EPERM;
[...]
1372 case SIOCDEVEMANSIPATE :
1373 if( current->euid != 0 ) /* root only */
1374 return -EPERM;
Here's my proposed fix:
Missing capability checks.
CVE-2008-3525
Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
Signed-off-by: David S. Miller <davem at davemloft.net>
---
diff --git a/drivers/net/wan/sbni.c b/drivers/net/wan/sbni.c
index e59255a..6596cd0 100644
--- a/drivers/net/wan/sbni.c
+++ b/drivers/net/wan/sbni.c
@@ -1317,7 +1317,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
break;
case SIOCDEVRESINSTATS :
- if( current->euid != 0 ) /* root only */
+ if (!capable(CAP_NET_ADMIN))
return -EPERM;
memset( &nl->in_stats, 0, sizeof(struct sbni_in_stats) );
break;
@@ -1334,7 +1334,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
break;
case SIOCDEVSHWSTATE :
- if( current->euid != 0 ) /* root only */
+ if (!capable(CAP_NET_ADMIN))
return -EPERM;
spin_lock( &nl->lock );
@@ -1355,7 +1355,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
#ifdef CONFIG_SBNI_MULTILINE
case SIOCDEVENSLAVE :
- if( current->euid != 0 ) /* root only */
+ if (!capable(CAP_NET_ADMIN))
return -EPERM;
if (copy_from_user( slave_name, ifr->ifr_data, sizeof slave_name ))
@@ -1370,7 +1370,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
return enslave( dev, slave_dev );
case SIOCDEVEMANSIPATE :
- if( current->euid != 0 ) /* root only */
+ if (!capable(CAP_NET_ADMIN))
return -EPERM;
return emancipate( dev );
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-8/kernel.spec,v
retrieving revision 1.558
retrieving revision 1.559
diff -u -r1.558 -r1.559
--- kernel.spec 16 Oct 2008 17:57:20 -0000 1.558
+++ kernel.spec 17 Oct 2008 19:11:15 -0000 1.559
@@ -703,6 +703,7 @@
# nouveau + drm fixes
Patch1802: nouveau-drm.patch
+Patch1803: linux-2.6-drm-i915-fix-ioctl-security.patch
# Updated firewire stack from linux1394 git
Patch1910: linux-2.6-firewire-git-update.patch
@@ -712,6 +713,9 @@
Patch2900: linux-2.6-rtc-cmos-look-for-pnp-rtc-first.patch
Patch2910: linux-2.6-x86-register-platform-rtc-if-pnp-doesnt-describe-it.patch
+# fix IOCTL security in sbni driver
+Patch3100: linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root-%{_target_cpu}
@@ -1032,6 +1036,7 @@
# Nouveau DRM + drm fixes
ApplyPatch nouveau-drm.patch
+ApplyPatch linux-2.6-drm-i915-fix-ioctl-security.patch
# enable sysrq-c on all kernels, not only kexec
ApplyPatch linux-2.6-sysrq-c.patch
@@ -1296,6 +1301,9 @@
ApplyPatch linux-2.6-rtc-cmos-look-for-pnp-rtc-first.patch
ApplyPatch linux-2.6-x86-register-platform-rtc-if-pnp-doesnt-describe-it.patch
+# CVE-2008-3525
+ApplyPatch linux-2.6-wan-missing-capability-checks-in-sbni_ioctl.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -1896,6 +1904,11 @@
%changelog
+* Fri Oct 17 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.26.6-49
+- Two security patches from F9:
+ Fix IOCTL permission checking in sbni WAN adapter (CVE-2008-3525).
+ DRM: fix ioctl security issue (CVE-2008-3831).
+
* Thu Oct 16 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.26.6-48
- Fix RTC on systems that don't describe it in PnP (F9#451188)
- Previous message: rpms/strigi/devel import.log, NONE, 1.1 .cvsignore, 1.9, 1.10 sources, 1.9, 1.10 strigi.spec, 1.19, 1.20 strigi-multilib-fix.patch, 1.1, NONE
- Next message: rpms/strigi/devel strigi.spec,1.20,1.21
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list