security builds & testing needed
Phillip Lougher
phillip.lougher at canonical.com
Fri Nov 23 15:44:49 UTC 2007
Kees Cook wrote:
> Hi! So, following the process Ben outlined for the security team, I've
> applied a whole mess of cherry-picks that I'd like to have you guys take
> a look at, build, test, etc:
>
Yeah, a _lot_ of cherry picks. I've looked at the patches, done some
build testing, and here are the results. I still have to do some more
build testing for patches not (completely) triggered by the default
Ubuntu kernel options.
> http://kernel.ubuntu.com/git?p=kees/ubuntu-dapper-security.git;a=summary
> [UBUNTU:drivers/net] drop invalid spin_unlock calls in skge (CVE-2006-7229)
> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
> [PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)
> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
> USB: fix DoS in pwc USB video driver (CVE-2007-5093)
> wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
Patches look OK except for one patch, and the kernel builds
successfully. The hugetlb patch isn't build-tested with the default kernel
options for i386.
> USB: fix DoS in pwc USB video driver (CVE-2007-5093)
Has a number of mistakes:
Original pdev->vopen = 0; lines changed to pdev->open --;
Probably not a show stopper, but should be changed.
Trace() calls changed to PWC_DEBUG_OPEN() and PWC_DEBUG_PROBE().
Module builds OK, but these are left as undefined functions (which is
one of the major problems with build testing modules, as it doesn't trap
undefined symbols).
>
> http://kernel.ubuntu.com/git?p=kees/ubuntu-edgy-security.git;a=summary
> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
> [PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)
> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
> USB: fix DoS in pwc USB video driver (CVE-2007-5093)
> wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
>
Everything looks OK. Kernel builds. As with Dapper, the hugetlb patch is not
build-tested with default kernel options for i386.
> http://kernel.ubuntu.com/git?p=kees/ubuntu-feisty-security.git;a=summary
> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
> [IPV6]: Do no rely on skb->dst before it is assigned. (CVE-2007-4567)
> [JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)
> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
> USB: fix DoS in pwc USB video driver (CVE-2007-5093)
> wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
Everything looks OK. Kernel builds. The JFFS2 patch is not completely build
tested with default kernel options (acl.c isn't built).
>
> http://kernel.ubuntu.com/git?p=kees/ubuntu-gutsy-security.git;a=summary
> minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
> [JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)
> [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
> [TCP]: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)
> wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
Everything looks OK. Kernel builds. Again, the JFFS2 patch is not completely
build tested with default kernel options.
>
> I didn't do any changelog bits yet, in case I did something ugly in my
> commits.
>
> I don't know how (or don't have hardware) to test hugetlb and pwc --
> those patches aren't entirely obvious to me either, and both required
> some back-porting.
Hugetlb should be testable on i386 hardware (supports a huge TLB of 4M).
The overflow bug is triggered due to the difference between
HPAGE_SHIFT and PAGE_SHIFT, which in this case is a massive 10 bits, and
any vm addr over 22 bits (4M) should trigger the overflow bug.
I'll see if I can write a test program, and test the other so far
unbuilt files.
Phillip
>
> I'd like to try to get these published early next week.
>
> Thanks,
>
> -Kees
>