fixes for 2 binfmt vulnerabilities

5 files changed, 124 insertions, 9 deletions

diff --git a/sys-kernel/hardened-dev-sources/Manifest b/sys-kernel/hardened-dev-sources/Manifest
index fad1794c0fe8..11a8d7b720c1 100644
--- a/sys-kernel/hardened-dev-sources/Manifest
+++ b/sys-kernel/hardened-dev-sources/Manifest
@@ -1,13 +1,16 @@
-MD5 6ceac5877bbf8ffb6523d3d671031b73 hardened-dev-sources-2.6.7-r7.ebuild 1089
+MD5 bdfee2c0b8e7e28ca4edf1a0f5fb68ba hardened-dev-sources-2.6.7-r12.ebuild 1325
 MD5 82fb2e488cf74ed7bdb51f1f521c1fe4 hardened-dev-sources-2.6.7-r8.ebuild 1092
-MD5 73174f8e07b82c5df563b7196f87611c metadata.xml 299
 MD5 0b8ab20736a2b68476718b12a797d7ff hardened-dev-sources-2.6.7-r10.ebuild 1163
-MD5 9b11b010b20cf817ea3c7d946d5af5f6 hardened-dev-sources-2.6.7-r11.ebuild 1224
 MD5 0af7a831541e6c25410ddabf057001e6 ChangeLog 7756
-MD5 efbbfbed471c50333a8c2fd2f2b0b061 files/digest-hardened-dev-sources-2.6.7-r7 219
-MD5 0f763833ebbcbf0f2a8ac151454c3b29 files/digest-hardened-dev-sources-2.6.7-r8 219
-MD5 8204afea1d572b49a4a80d8da4eef0c9 files/hardened-dev-sources-2.6.7.CAN-2004-0596.patch 1033
+MD5 73174f8e07b82c5df563b7196f87611c metadata.xml 299
+MD5 6ceac5877bbf8ffb6523d3d671031b73 hardened-dev-sources-2.6.7-r7.ebuild 1089
 MD5 8add7d7ef69d9ff384b7d4f5a0356cc3 files/digest-hardened-dev-sources-2.6.7-r10 219
+MD5 8add7d7ef69d9ff384b7d4f5a0356cc3 files/digest-hardened-dev-sources-2.6.7-r11 219
+MD5 8add7d7ef69d9ff384b7d4f5a0356cc3 files/digest-hardened-dev-sources-2.6.7-r12 219
 MD5 bc48c226344f94535c3ba2e0ce55bf24 files/hardened-dev-sources-2.6.7.CAN-2004-0816.patch 1694
+MD5 8204afea1d572b49a4a80d8da4eef0c9 files/hardened-dev-sources-2.6.7.CAN-2004-0596.patch 1033
 MD5 7e3d1d44b244b238ff3e36bfe1f05c80 files/h-d-s-2.6.7-amd64-kill-vm_force_exec32.patch 871
-MD5 8add7d7ef69d9ff384b7d4f5a0356cc3 files/digest-hardened-dev-sources-2.6.7-r11 219
+MD5 d7ed23c76699efe407ec668eeba30b1e files/hardened-2.6.7-binfmt_aout.patch 983
+MD5 efbbfbed471c50333a8c2fd2f2b0b061 files/digest-hardened-dev-sources-2.6.7-r7 219
+MD5 0f763833ebbcbf0f2a8ac151454c3b29 files/digest-hardened-dev-sources-2.6.7-r8 219
+MD5 8c8057d653a02bface4475a62e2debe0 files/hardened-2.6.7-binfmt_elf.patch 1917
diff --git a/sys-kernel/hardened-dev-sources/files/digest-hardened-dev-sources-2.6.7-r11 b/sys-kernel/hardened-dev-sources/files/digest-hardened-dev-sources-2.6.7-r12
index 3ac31c5a42bf..3ac31c5a42bf 100644
--- a/sys-kernel/hardened-dev-sources/files/digest-hardened-dev-sources-2.6.7-r11
+++ b/sys-kernel/hardened-dev-sources/files/digest-hardened-dev-sources-2.6.7-r12
diff --git a/sys-kernel/hardened-dev-sources/files/hardened-2.6.7-binfmt_aout.patch b/sys-kernel/hardened-dev-sources/files/hardened-2.6.7-binfmt_aout.patch
new file mode 100644
index 000000000000..10d60f6295da
--- /dev/null
+++ b/sys-kernel/hardened-dev-sources/files/hardened-2.6.7-binfmt_aout.patch
@@ -0,0 +1,38 @@
+--- linux-2.6.7-hardened-r10/fs/binfmt_aout.c	2004-11-13 13:44:36.000000000 -0500
++++ linux-2.6.7-hardened-r11/fs/binfmt_aout.c	2004-11-13 14:36:45.551223616 -0500
+@@ -45,13 +45,18 @@
+ 	.min_coredump	= PAGE_SIZE
+ };
+ 
+-static void set_brk(unsigned long start, unsigned long end)
++#define BAD_ADDR(x)    ((unsigned long)(x) >= TASK_SIZE)
++
++static int set_brk(unsigned long start, unsigned long end)
+ {
+ 	start = PAGE_ALIGN(start);
+ 	end = PAGE_ALIGN(end);
+-	if (end <= start)
+-		return;
+-	do_brk(start, end - start);
++	if (end > start) {
++		unsigned long addr = do_brk(start, end - start);
++		if (BAD_ADDR(addr))
++			return addr;
++	}
++	return 0;
+ }
+ 
+ /*
+@@ -441,7 +446,11 @@
+ beyond_if:
+ 	set_binfmt(&aout_format);
+ 
+-	set_brk(current->mm->start_brk, current->mm->brk);
++	retval = set_brk(current->mm->start_brk, current->mm->brk);
++	if (retval < 0) {
++		send_sig(SIGKILL, current, 0);
++		return retval;
++	}
+ 
+ 	retval = setup_arg_pages(bprm, EXSTACK_DEFAULT);
+ 	if (retval < 0) { 
diff --git a/sys-kernel/hardened-dev-sources/files/hardened-2.6.7-binfmt_elf.patch b/sys-kernel/hardened-dev-sources/files/hardened-2.6.7-binfmt_elf.patch
new file mode 100644
index 000000000000..224f7c010538
--- /dev/null
+++ b/sys-kernel/hardened-dev-sources/files/hardened-2.6.7-binfmt_elf.patch
@@ -0,0 +1,72 @@
+--- linux-2.6.7-hardened-r10/fs/binfmt_elf.c	2004-11-13 13:44:36.000000000 -0500
++++ linux-2.6.7-hardened-r11/fs/binfmt_elf.c	2004-11-13 13:58:33.000000000 -0500
+@@ -347,9 +347,12 @@
+ 		goto out;
+ 
+ 	retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
+-	error = retval;
+-	if (retval < 0)
++	error = -EIO;
++	if (retval != size) {
++		if (retval < 0)
++			error = retval;
+ 		goto out_close;
++	}
+ 
+ #ifdef CONFIG_PAX_SEGMEXEC
+ 	if (current->flags & PF_PAX_SEGMEXEC)
+@@ -767,8 +770,11 @@
+ 		goto out;
+ 
+ 	retval = kernel_read(bprm->file, elf_ex.e_phoff, (char *) elf_phdata, size);
+-	if (retval < 0)
++	if (retval != size) {
++		if (retval >= 0)
++			retval = -EIO;
+ 		goto out_free_ph;
++	}
+ 
+ 	files = current->files;		/* Refcounted so ok */
+ 	retval = unshare_files();
+@@ -815,8 +821,14 @@
+ 			retval = kernel_read(bprm->file, elf_ppnt->p_offset,
+ 					   elf_interpreter,
+ 					   elf_ppnt->p_filesz);
+-			if (retval < 0)
++			if (retval != elf_ppnt->p_filesz) {
++				if (retval >= 0)
++					retval = -EIO;
+ 				goto out_free_interp;
++			}
++			/* make sure path is NULL terminated */
++			elf_interpreter[elf_ppnt->p_filesz - 1] = '\0';
++			
+ 			/* If the program interpreter is one of these two,
+ 			 * then assume an iBCS2 image. Otherwise assume
+ 			 * a native linux image.
+@@ -851,8 +863,11 @@
+ 			if (IS_ERR(interpreter))
+ 				goto out_free_interp;
+ 			retval = kernel_read(interpreter, 0, bprm->buf, BINPRM_BUF_SIZE);
+-			if (retval < 0)
++			if (retval != BINPRM_BUF_SIZE) {
++				if (retval >= 0)
++					retval = -EIO;
+ 				goto out_free_dentry;
++			}
+ 
+ 			/* Get the exec headers */
+ 			interp_ex = *((struct exec *) bprm->buf);
+@@ -1105,8 +1120,10 @@
+ 			}
+ #endif
+ 
+-			if (BAD_ADDR(error))
+-				continue;
++			if (BAD_ADDR(error)) {
++				send_sig(SIGKILL, current, 0);
++				goto out_free_dentry;
++			}
+ 
+ 			/* PaX: mirror at a randomized base */
+ 			down_write(&current->mm->mmap_sem);
diff --git a/sys-kernel/hardened-dev-sources/hardened-dev-sources-2.6.7-r11.ebuild b/sys-kernel/hardened-dev-sources/hardened-dev-sources-2.6.7-r12.ebuild
index 7ffe3eecacac..e0250a2540a6 100644
--- a/sys-kernel/hardened-dev-sources/hardened-dev-sources-2.6.7-r11.ebuild
+++ b/sys-kernel/hardened-dev-sources/hardened-dev-sources-2.6.7-r12.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/hardened-dev-sources/hardened-dev-sources-2.6.7-r11.ebuild,v 1.1 2004/11/11 00:18:19 lv Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/hardened-dev-sources/hardened-dev-sources-2.6.7-r12.ebuild,v 1.1 2004/11/13 20:39:38 method Exp $
 
 IUSE=""
 ETYPE="sources"
@@ -19,7 +19,9 @@ UNIPATCH_EXCLUDE="1315_alpha"
 UNIPATCH_LIST="${DISTDIR}/hardened-patches-${KV_MAJOR}.${KV_MINOR}-${HGPV}.tar.bz2
 		       ${DISTDIR}/genpatches-${KV_MAJOR}.${KV_MINOR}-${GPV}-base.tar.bz2
 			   ${FILESDIR}/hardened-dev-sources-2.6.7.CAN-2004-0816.patch
-			   ${FILESDIR}/h-d-s-2.6.7-amd64-kill-vm_force_exec32.patch"
+			   ${FILESDIR}/h-d-s-2.6.7-amd64-kill-vm_force_exec32.patch
+			   ${FILESDIR}/hardened-2.6.7-binfmt_elf.patch
+			   ${FILESDIR}/hardened-2.6.7-binfmt_aout.patch"
 UNIPATCH_DOCS="${WORKDIR}/patches/hardened-patches-${KV_MAJOR}.${KV_MINOR}-${HGPV}/0000_README"
 
 DESCRIPTION="Hardened sources for the ${KV_MAJOR}.${KV_MINOR} kernel tree"