authorTim Yamin <plasmaroo@gentoo.org>2004-12-20 22:21:09 +0000
committerTim Yamin <plasmaroo@gentoo.org>2004-12-20 22:21:09 +0000
commitb7768a91584b2caad027549ee0a089625bd6bed5 (patch)
treeecc915d7bcebc1bb75fbdb002ae7e72be415bfc5 /sys-kernel/xbox-sources/files
parentversion bump - bug #71350 (Manifest recommit) (diff)
Security fixes - bugs #74384, #74392, #74464.
Diffstat (limited to 'sys-kernel/xbox-sources/files')
-rw-r--r--sys-kernel/xbox-sources/files/digest-xbox-sources-2.6.8.1-r8 (renamed from sys-kernel/xbox-sources/files/digest-xbox-sources-2.6.8.1-r7)0
-rw-r--r--sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1016.patch75
-rw-r--r--sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1056.patch202
-rw-r--r--sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1137.patch77
4 files changed, 354 insertions, 0 deletions
diff --git a/sys-kernel/xbox-sources/files/digest-xbox-sources-2.6.8.1-r7 b/sys-kernel/xbox-sources/files/digest-xbox-sources-2.6.8.1-r8
index 088326d79b41..088326d79b41 100644
--- a/sys-kernel/xbox-sources/files/digest-xbox-sources-2.6.8.1-r7
+++ b/sys-kernel/xbox-sources/files/digest-xbox-sources-2.6.8.1-r8
diff --git a/sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1016.patch b/sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1016.patch
new file mode 100644
index 000000000000..aa25ac95ed61
--- /dev/null
+++ b/sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1016.patch
@@ -0,0 +1,75 @@
+===== include/linux/socket.h 1.12 vs edited =====
+--- 1.12/include/linux/socket.h 2004-09-09 06:40:01 +10:00
++++ edited/include/linux/socket.h 2004-11-27 11:53:40 +11:00
+@@ -90,6 +90,10 @@
+ (struct cmsghdr *)(ctl) : \
+ (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++ (cmsg)->cmsg_len <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+
+ /*
+ * This mess will go away with glibc
+===== net/core/scm.c 1.10 vs edited =====
+--- 1.10/net/core/scm.c 2004-05-31 05:08:14 +10:00
++++ edited/net/core/scm.c 2004-11-27 11:48:55 +11:00
+@@ -127,9 +127,7 @@
+ for too short ancillary data object at all! Oops.
+ OK, let's add it...
+ */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen)
++ if (!CMSG_OK(msg, cmsg))
+ goto error;
+
+ if (cmsg->cmsg_level != SOL_SOCKET)
+===== net/ipv4/ip_sockglue.c 1.26 vs edited =====
+--- 1.26/net/ipv4/ip_sockglue.c 2004-07-01 06:10:53 +10:00
++++ edited/net/ipv4/ip_sockglue.c 2004-11-27 11:49:45 +11:00
+@@ -146,11 +146,8 @@
+ struct cmsghdr *cmsg;
+
+ for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+ if (cmsg->cmsg_level != SOL_IP)
+ continue;
+ switch (cmsg->cmsg_type) {
+===== net/ipv6/datagram.c 1.20 vs edited =====
+--- 1.20/net/ipv6/datagram.c 2004-11-10 17:57:03 +11:00
++++ edited/net/ipv6/datagram.c 2004-11-27 11:51:15 +11:00
+@@ -427,9 +427,7 @@
+ int addr_type;
+ struct net_device *dev = NULL;
+
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg)) {
+ err = -EINVAL;
+ goto exit_f;
+ }
+===== net/sctp/socket.c 1.129 vs edited =====
+--- 1.129/net/sctp/socket.c 2004-11-19 08:43:18 +11:00
++++ edited/net/sctp/socket.c 2004-11-27 11:52:11 +11:00
+@@ -4098,12 +4098,8 @@
+ for (cmsg = CMSG_FIRSTHDR(msg);
+ cmsg != NULL;
+ cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
+- /* Check for minimum length. The SCM code has this check. */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+
+ /* Should we parse this header or ignore? */
+ if (cmsg->cmsg_level != IPPROTO_SCTP)
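Review bot: The new `CMSG_OK` macro in include/linux/socket.h has no comment saying why the bound is written as a subtraction, and the net/sctp/socket.c hunk drops the only comment that explained the check. The three-line test it replaces added the offset to `cmsg_len` before comparing with `msg_controllen`, a sum that can presumably wrap for a very large `cmsg_len`; the macro form avoids that and should not be folded back later. I would add above the define `/* Bound cmsg_len by the space left after cmsg; do not rewrite as offset + cmsg_len, that sum can wrap. */`. The macro also expands `cmsg` three times and `mhdr` twice, so its arguments must stay free of side effects, as they are at the four call sites in this patch.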
diff --git a/sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1056.patch b/sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1056.patch
new file mode 100644
index 000000000000..f55ca8372e38
--- /dev/null
+++ b/sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1056.patch
@@ -0,0 +1,202 @@
+diff -ur linux-2.6.7/drivers/char/drm/i810_dma.c linux-2.6.7.drm.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.6.7/drivers/char/drm/i810_dma.c 2004-06-16 06:19:12.000000000 +0100
++++ linux-2.6.7.drm.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-19 22:52:54.885438960 +0000
+@@ -1034,10 +1034,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -1059,10 +1056,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1094,10 +1088,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1118,10 +1109,8 @@
+
+ DRM_DEBUG("i810_swap_bufs\n");
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1156,10 +1145,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+@@ -1270,10 +1256,7 @@
+ return -EFAULT;
+
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_mc called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (mc.idx >= dma->buf_count || mc.idx < 0)
+ return -EINVAL;
+@@ -1321,10 +1304,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_fstatus called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+ return I810_READ(0x30008);
+ }
+
+@@ -1335,10 +1315,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_ov0_flip called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ //Tell the overlay to update
+ I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+@@ -1380,10 +1357,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i810_do_init_pageflip( dev );
+diff -ur linux-2.6.7/drivers/char/drm/i830_dma.c linux-2.6.7.drm.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.6.7/drivers/char/drm/i830_dma.c 2004-06-16 06:18:57.000000000 +0100
++++ linux-2.6.7.drm.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-19 22:52:54.887438656 +0000
+@@ -1320,10 +1320,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_flush_queue(dev);
+ return 0;
+@@ -1344,10 +1341,7 @@
+ if (copy_from_user(&vertex, (drm_i830_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1374,10 +1368,7 @@
+ if (copy_from_user(&clear, (drm_i830_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1399,10 +1390,7 @@
+
+ DRM_DEBUG("i830_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_dma_dispatch_swap( dev );
+ return 0;
+@@ -1443,10 +1431,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i830_do_init_pageflip( dev );
+@@ -1485,10 +1470,7 @@
+ if (copy_from_user(&d, (drm_i830_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+diff -ur linux-2.6.7/drivers/char/drm/i830_irq.c linux-2.6.7.drm.plasmaroo/drivers/char/drm/i830_irq.c
+--- linux-2.6.7/drivers/char/drm/i830_irq.c 2004-06-16 06:19:44.000000000 +0100
++++ linux-2.6.7.drm.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-19 22:52:54.887438656 +0000
+@@ -129,10 +129,7 @@
+ drm_i830_irq_emit_t emit;
+ int result;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_irq_emit called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if ( !dev_priv ) {
+ DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
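Review bot: `i810_ov0_flip` dereferences `dev_priv->overlay_physical` right after the new `LOCK_TEST_WITH_RETURN( dev, filp );` with no check that `dev->dev_private` is set, and `i810_fstatus` goes from the lock test straight to `I810_READ(0x30008)`, which presumably reads through `dev_priv` as well. Other handlers in this same patch do guard it (`if (!dev->dev_private)` in `i810_clear_bufs`, `if ( !dev_priv )` in `i830_irq_emit`), so a caller holding the lock before the device is initialised would hit a NULL pointer in these two. I would add `if (!dev_priv) return -EINVAL;` after the lock test in both. The function bodies start outside the hunks and the macro is not defined in this patch, so it is worth confirming that the 2.6.8.1 tree's `LOCK_TEST_WITH_RETURN` compares the lock owner with `filp`; the patch was generated against linux-2.6.7.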
diff --git a/sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1137.patch b/sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1137.patch
new file mode 100644
index 000000000000..0a54680f6f4b
--- /dev/null
+++ b/sys-kernel/xbox-sources/files/xbox-sources-2.6.8.1.CAN-2004-1137.patch
@@ -0,0 +1,77 @@
+# ChangeSet
+# 2004/12/14 11:06:25-08:00 chrisw@osdl.org
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c 2004-12-20 11:32:15 -08:00
++++ b/net/ipv4/igmp.c 2004-12-20 11:32:15 -08:00
+@@ -1778,12 +1778,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -1825,9 +1825,9 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
+diff -Nru a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+--- a/net/ipv6/mcast.c 2004-12-20 11:32:15 -08:00
++++ b/net/ipv6/mcast.c 2004-12-20 11:32:15 -08:00
+@@ -391,12 +391,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group,
++ rv = memcmp(&psl->sl_addr[i], source,
+ sizeof(struct in6_addr));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -437,8 +437,8 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
+- if (rv >= 0)
++ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
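Review bot: The comment kept on `rv = 1; /* > 0 for insert logic below if sl_count is 0 */` in the add path of net/ipv4/igmp.c (and on the same line in net/ipv6/mcast.c) still describes the sorted insert that the ChangeSet text says is dropped. With the loop now breaking only on `rv == 0`, the initial value just means "no match yet", and `i` ends at `sl_count` whenever the source is absent. I would reword it to `rv = 1; /* non-zero = source not in list, also when sl_count is 0 */`. The insert code that consumes `i` lies outside the hunk, so confirm that it bounds `sl_count` against the allocated list size before writing `sl_addr[i]`.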