CVE-2012-1568: execshield: predictable ascii armour base address (rhbz 804957)
This commit is contained in:
parent
b7da64597e
commit
364473e5c5
@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 4
%global baserelease 5
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -770,6 +770,9 @@ Patch21304: mm-thp-fix-pmd_bad-triggering.patch
#rhbz 804007
Patch21305: mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
#rhbz 804957 CVE-2012-1568
Patch21306: shlib_base_randomize.patch
Patch21400: unhandled-irqs-switch-to-polling.patch
Patch22000: weird-root-dentry-name-debug.patch
@ -1484,6 +1487,9 @@ ApplyPatch sony-laptop-Enable-keyboard-backlight-by-default.patch
#rhbz 804007
ApplyPatch mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
#rhbz 804957 CVE-2012-1568
ApplyPatch shlib_base_randomize.patch
ApplyPatch unhandled-irqs-switch-to-polling.patch
ApplyPatch weird-root-dentry-name-debug.patch
@ -2342,6 +2348,7 @@ fi
# || ||
%changelog
* Tue Mar 20 2012 Josh Boyer <jwboyer@redhat.com>
- CVE-2012-1568: execshield: predictable ascii armour base address (rhbz 804957)
- mac80211: fix possible tid_rx->reorder_timer use after free
from Stanislaw Gruska (rhbz 804007)
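--- a/shlib_base_randomize.patch
+++ b/shlib_base_randomize.patch
@@ -0,0 +1,69 @@
+diff -uNrp kernel-3.2.fc16.orig/arch/x86/mm/mmap.c kernel-3.2.fc16.new/arch/x86/mm/mmap.c
+--- kernel-3.2.fc16.orig/arch/x86/mm/mmap.c 2012-03-19 16:47:03.495169091 -0400
++++ kernel-3.2.fc16.new/arch/x86/mm/mmap.c 2012-03-19 16:50:03.574168052 -0400
+@@ -106,6 +106,10 @@ static unsigned long mmap_legacy_base(vo
+return TASK_UNMAPPED_BASE + mmap_rnd();
+}
+
++#ifdef CONFIG_X86_32
++ #define SHLIB_BASE 0x00111000
++#endif
++
+/*
+* This function, called very early during the creation of a new
+* process VM image, sets up which VM layout function to use:
+@@ -126,8 +126,10 @@ void arch_pick_mmap_layout(struct mm_str
+#ifdef CONFIG_X86_32
+if (!(current->personality & READ_IMPLIES_EXEC)
+&& !(__supported_pte_mask & _PAGE_NX)
+- && mmap_is_ia32())
++ && mmap_is_ia32()) {
++ mm->shlib_base = SHLIB_BASE + mmap_rnd();
+mm->get_unmapped_exec_area = arch_get_unmapped_exec_area;
++ }
+#endif
+mm->unmap_area = arch_unmap_area_topdown;
+}
+diff -uNrp kernel-3.2.fc16.orig/include/linux/mm_types.h kernel-3.2.fc16.new/include/linux/mm_types.h
+--- kernel-3.2.fc16.orig/include/linux/mm_types.h 2012-03-19 16:46:47.382169153 -0400
++++ kernel-3.2.fc16.new/include/linux/mm_types.h 2012-03-19 16:50:40.738168219 -0400
+@@ -300,6 +300,7 @@ struct mm_struct {
+void (*unmap_area) (struct mm_struct *mm, unsigned long addr);
+#endif
+unsigned long mmap_base; /* base of mmap area */
++ unsigned long shlib_base; /* base of lib map area (ASCII armour)*/
+unsigned long task_size; /* size of task vm space */
+unsigned long cached_hole_size; /* if non-zero, the largest hole below free_area_cache */
+unsigned long free_area_cache; /* first hole of size cached_hole_size or larger */
+diff -uNrp kernel-3.2.fc16.orig/mm/mmap.c kernel-3.2.fc16.new/mm/mmap.c
+--- kernel-3.2.fc16.orig/mm/mmap.c 2012-03-19 16:46:15.791169274 -0400
++++ kernel-3.2.fc16.new/mm/mmap.c 2012-03-19 16:51:37.351166875 -0400
+@@ -1594,8 +1594,6 @@ static bool should_randomize(void)
+!(current->personality & ADDR_NO_RANDOMIZE);
+}
+
+-#define SHLIB_BASE 0x00110000
+-
+unsigned long
+arch_get_unmapped_exec_area(struct file *filp, unsigned long addr0,
+unsigned long len0, unsigned long pgoff, unsigned long flags)
+@@ -1612,8 +1610,8 @@ arch_get_unmapped_exec_area(struct file
+return addr;
+
+if (!addr)
+- addr = !should_randomize() ? SHLIB_BASE :
+- randomize_range(SHLIB_BASE, 0x01000000, len);
++ addr = !should_randomize() ? mm->shlib_base :
++ randomize_range(mm->shlib_base, 0x01000000, len);
+
+if (addr) {
+addr = PAGE_ALIGN(addr);
+@@ -1623,7 +1621,7 @@ arch_get_unmapped_exec_area(struct file
+return addr;
+}
+
+- addr = SHLIB_BASE;
++ addr = mm->shlib_base;
+for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
+/* At this point: (!vma || addr < vma->vm_end). */
+if (TASK_SIZE - len < addr)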