From 37205f4a75cdec44d9f93ffadefb7af8738f33c0 Mon Sep 17 00:00:00 2001
From: Tim Yamin <plasmaroo@gentoo.org>
Date: Fri, 12 Nov 2004 17:54:39 +0000
Subject: Patching for binfmt_elf security vulnerability, bug #70681.

---
 .../files/ac-sources-2.6.9.binfmt_elf.patch        | 72 ++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 sys-kernel/ac-sources/files/ac-sources-2.6.9.binfmt_elf.patch

(limited to 'sys-kernel/ac-sources/files')

diff --git a/sys-kernel/ac-sources/files/ac-sources-2.6.9.binfmt_elf.patch b/sys-kernel/ac-sources/files/ac-sources-2.6.9.binfmt_elf.patch
new file mode 100644
index 000000000000..92e5db882eab
--- /dev/null
+++ b/sys-kernel/ac-sources/files/ac-sources-2.6.9.binfmt_elf.patch
@@ -0,0 +1,72 @@
+--- linux-2.4.27/fs/binfmt_elf.c	2004-11-10 12:25:16 -08:00
++++ linux-2.4.27-plasmaroo/fs/binfmt_elf.c	2004-11-10 12:25:16 -08:00
+@@ -335,9 +335,12 @@
+ 		goto out;
+ 
+ 	retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
+-	error = retval;
+-	if (retval < 0)
++	error = -EIO;
++	if (retval != size) {
++		if (retval < 0)
++			error = retval;	
+ 		goto out_close;
++	}
+ 
+ 	eppnt = elf_phdata;
+ 	for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
+@@ -532,8 +535,11 @@
+ 		goto out;
+ 
+ 	retval = kernel_read(bprm->file, loc->elf_ex.e_phoff, (char *) elf_phdata, size);
+-	if (retval < 0)
++	if (retval != size) {
++		if (retval >= 0)
++			retval = -EIO;
+ 		goto out_free_ph;
++	}
+ 
+ 	files = current->files;		/* Refcounted so ok */
+ 	retval = unshare_files();
+@@ -580,8 +586,14 @@
+ 			retval = kernel_read(bprm->file, elf_ppnt->p_offset,
+ 					   elf_interpreter,
+ 					   elf_ppnt->p_filesz);
+-			if (retval < 0)
++			if (retval != elf_ppnt->p_filesz) {
++				if (retval >= 0)
++					retval = -EIO;
+ 				goto out_free_interp;
++			}
++			/* make sure path is NULL terminated */
++			elf_interpreter[elf_ppnt->p_filesz - 1] = '\0';
++
+ 			/* If the program interpreter is one of these two,
+ 			 * then assume an iBCS2 image. Otherwise assume
+ 			 * a native linux image.
+@@ -616,8 +628,11 @@
+ 			if (IS_ERR(interpreter))
+ 				goto out_free_interp;
+ 			retval = kernel_read(interpreter, 0, bprm->buf, BINPRM_BUF_SIZE);
+-			if (retval < 0)
++			if (retval != BINPRM_BUF_SIZE) {
++				if (retval >= 0)
++					retval = -EIO;
+ 				goto out_free_dentry;
++			}
+ 
+ 			/* Get the exec headers */
+ 			loc->interp_ex = *((struct exec *) bprm->buf);
+@@ -776,8 +791,10 @@
+ 		}
+ 
+ 		error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags);
+-		if (BAD_ADDR(error))
+-			continue;
++		if (BAD_ADDR(error)) {
++			send_sig(SIGKILL, current, 0);
++			goto out_free_dentry;
++		}
+ 
+ 		if (!load_addr_set) {
+ 			load_addr_set = 1;
-- 
cgit v1.2.3-65-gdbad