security builds & testing needed

Kees Cook kees at ubuntu.com
Tue Nov 27 18:34:30 UTC 2007


Hi,

On Fri, Nov 23, 2007 at 03:44:49PM +0000, Phillip Lougher wrote:
> Kees Cook wrote:
>> Hi!  So, following the process Ben outlined for the security team, I've
>> applied a whole mess of cherry-picks that I'd like to have you guys take
>> a look at, build, test, etc:
>
> Yeah, a _lot_ of cherry picks.  I've looked at the patches, done some build 
> testing, and here's the results.  I still have to do some more build 
> testing for patches not (completely) triggered by the default Ubuntu kernel 
> options.
>
>> http://kernel.ubuntu.com/git?p=kees/ubuntu-dapper-security.git;a=summary
>>   [UBUNTU:drivers/net] drop invalid spin_unlock calls in skge 
>> (CVE-2006-7229)
>>   minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
>>   [PATCH] hugetlb: fix prio_tree unit (CVE-2007-4133)
>>   [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
>>   USB: fix DoS in pwc USB video driver (CVE-2007-5093)
>>   wait_task_stopped: Check p->exit_state instead of TASK_TRACED 
>> (CVE-2007-5500)
>
> Patches look OK except for one patch, and the kernel builds successfully.  
> Hugetlb patch isn't build tested with the default kernel options for i386.

Are any of the builds using hugetlb?  (I'm not really sure what it
is...)

>>   USB: fix DoS in pwc USB video driver (CVE-2007-5093)
>
> Has a number of mistakes:
>
>     Original pdev->vopen = 0; lines changed to pdev->open --;
>     Probably not a show stopper but should be changed.
>
>     Trace() calls changed to PWC_DEBUG_OPEN() and PWC_DEBUG_PROBE()
>
> Module builds ok, but these are left as undefined functions (which is one 
> of the major problems with build testing modules as it doesn't trap 
> undefined symbols).

Got that fix (in other email) and applied it.  Thanks!

>> http://kernel.ubuntu.com/git?p=kees/ubuntu-gutsy-security.git;a=summary
>>   minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
>>   [JFFS2] Fix ACL vs. mode handling. (CVE-2007-4849)
>>   [IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
>>   [TCP]: Make sure write_queue_from does not begin with NULL ptr 
>> (CVE-2007-5501)
>>   wait_task_stopped: Check p->exit_state instead of TASK_TRACED 
>> (CVE-2007-5500)
>
> Everything looks OK.  Kernel builds.  Again JFFS2 patch not completely 
> build tested with default kernel options.

Do we ship JFFS2 with acl support anywhere?

>> I didn't do any changelog bits yet, in case I did something ugly in my
>> commits.
>> I don't know how (or don't have hardware) to test hugetlb and pwc --
>> those patches aren't entirely obvious to me either, and both required
>> some back-porting.
>
> Hugetlb should be testable on i386 hardware (supports a huge TLB of 4M).    
> The overflow bug is triggered due to the difference between HPAGE_SHIFT and 
> PAGE_SHIFT which in this case is a massive 10 bits, and any vm addr over 22 
> bits (4M) should trigger the overflow bug.
>
> I'll see if I can write a test program, and test the other so far unbuilt 
> files.

So this should have been a major visible bug if we ever ran with it?
Does it make sense to skip the JFFS2 and hugetlb patches if none of our
kernels build with the affected options?

Thanks,

-Kees

-- 
Kees Cook
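
An added example, not part of the thread above, for the build-testing gap Phillip points at: a module .ko links cleanly even when it references functions nothing defines, and the failure only shows up at insmod time as an unknown symbol. The POSIX shell script below compares the undefined symbols of a built module (nm -u) against the symbols exported by that build (column 2 of Module.symvers) and fails when anything is unresolved. check_module is the entry point for a real tree; demo runs offline on constructed data. The function names are invented here, and the sample symbol lists are constructed, not taken from any real build.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags symbols a module needs
# that nothing in the build exports, which a successful module build does
# not trap on its own.
export LC_ALL=C

# unresolved_syms NEEDED_FILE EXPORTED_FILE
# Prints every symbol in NEEDED_FILE (one per line) that is absent from
# EXPORTED_FILE (one per line); prints nothing when everything resolves.
unresolved_syms() {
    needed_sorted=$(mktemp) || return 1
    exported_sorted=$(mktemp) || return 1
    sort -u "$1" > "$needed_sorted"
    sort -u "$2" > "$exported_sorted"
    # comm -23: lines present only in the first (sorted) input
    comm -23 "$needed_sorted" "$exported_sorted"
    rm -f "$needed_sorted" "$exported_sorted"
}

# check_module MODULE.ko MODULE.SYMVERS
# Real-tree usage. nm -u lists the module's undefined symbols (the name is
# the last field); column 2 of Module.symvers is every symbol exported by
# vmlinux and the other modules of that build. Returns non-zero, and lists
# the offenders on stderr, when the module would fail to load.
check_module() {
    needed=$(mktemp) || return 1
    exported=$(mktemp) || return 1
    nm -u "$1" | awk '{print $NF}' > "$needed"
    awk 'NF >= 2 {print $2}' "$2" > "$exported"
    missing=$(unresolved_syms "$needed" "$exported")
    rm -f "$needed" "$exported"
    if [ -n "$missing" ]; then
        printf 'undefined in %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# demo
# Runs offline on constructed data: the symbol names stand in for the nm -u
# output of a module whose Trace() calls were turned into helpers that exist
# nowhere in the tree, and for a small export list. Prints the two
# unresolved names.
demo() {
    needed=$(mktemp) || return 1
    exported=$(mktemp) || return 1
    # constructed sample: symbols the module references
    printf '%s\n' printk kmalloc usb_register PWC_DEBUG_OPEN PWC_DEBUG_PROBE > "$needed"
    # constructed sample: symbols the build exports
    printf '%s\n' usb_register printk kmalloc usb_deregister > "$exported"
    unresolved_syms "$needed" "$exported"
    rm -f "$needed" "$exported"
}
```

Run it as `check_module drivers/usb/media/pwc/pwc.ko Module.symvers` from the top of the built tree, using the Module.symvers produced by the same build so the export list matches the kernel the module is meant to load into. In a full build an undefined reference is at most a warning that scrolls past with the rest of the output; here it is a non-zero exit, which is what a security build script wants to stop on.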