
Time to start patching kernels...

Henrik Carlqvist

20 Aug 2009, 15:37:39
The recently found security hole in the Linux kernel
http://linux.slashdot.org/story/09/08/13/2022212/Local-Privilege-Escalation-On-All-Linux-Kernels
now has been addressed by patches for Slackware 12.2 and Slackware 12.1.

As I have some systems running older versions of Slackware I have chosen
to patch the kernel myself. On Slackware 12.0 and Slamd64 12.1 I applied
the following patch to the kernel, this patch is almost an exact copy of
the patch published by Linus:

-8<----------------------------------------------------
--- old/net/socket.c 2009-08-14 15:42:38.000000000 +0200
+++ linux-2.6.24.5/net/socket.c 2009-08-14 15:42:20.000000000 +0200
@@ -688,7 +688,7 @@
if (more)
flags |= MSG_MORE;

- return sock->ops->sendpage(sock, page, offset, size, flags);
+ return kernel_sendpage(sock, page, offset, size, flags);
}

static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,
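Review bot: the `+` line calls kernel_sendpage(), so this hunk only builds on trees that already define that function; for trees that lack it (the 2.4 case mentioned below) the patch needs a second hunk adding it, and both should ship in one file so the one-line change is never applied alone. The hunk header also carries no function name and the context lines have lost their leading whitespace in this posting, so apply it from the original file rather than from the message text, and add a line to the patch description saying why the direct `sock->ops->sendpage(...)` call is being replaced.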
-8<----------------------------------------------------

Slackware 9.1 runs a 2.4 kernel, there I also had to add the
kernel_sendpage function in the patch. Unfortunately I forgot that file at
work, but please let me know if you want that patch, I can post it here. I
simply copied the kernel_sendpage function from the 2.6 kernel source in
Slackware 12.0.

As I have many machines with different custom kernel configurations I have
written a Makefile which applies patches, compiles kernels with different
configurations and creates installation isos and slackware-patch-packages
with the new kernels. If someone finds that Makefile useful I post it here:

-8<----------------------------------------------------
PACKAGE_DIRS = $(shell find ../slackware/ \( -type d -o -type l \) \
                 -exec basename {} \;| \
                 grep -v slackware | grep -v PACKAGES.TXT )
KERNELS = $(shell find kernels/ \( -type d -o -type l \) \
            -exec basename {} \;| \
            grep -v kernels | sort | xargs echo )
BZIMAGES = $(KERNELS:%=kernels/%/bzImage)

KERNEL_VERSION = 2.6.24.5

LINUX_SRC = kernel_and_patches/linux-$(KERNEL_VERSION).tar.gz
PATCHES = $(wildcard kernel_and_patches/*.patch)

PKG_BUILD_DIR = /var/tmp/pkg_build
KERNEL_BUILD_DIR = /var/tmp/kernel_build/linux-$(KERNEL_VERSION)

.INTERMEDIATE: $(KERNEL_BUILD_DIR) $(PKG_BUILD_DIR)

KERNEL_PATCH_PKG_DIR = slackware/kernel-upgrades

PREV_PATCH_NR = $(shell ((ls $(KERNEL_PATCH_PKG_DIR)/*.tgz 2> /dev/null || \
                  echo 1) | \
                  sed -e 's/.tgz//' | \
                  awk 'BEGIN {FS="-"} ; {print $$NF}' | sort | tail -1))

PATCH_NR = $(strip $(shell (ls $(KERNEL_PATCH_PKG_DIR)/*.tgz 2> /dev/null || \
             echo 0) | \
             sed -e 's/.tgz//' | \
             awk 'BEGIN {FS="-"} ; {print $$NF}' | sort | tail -1 | \
             xargs echo 1+ | bc ))
PREV_PATCH_PKG_FILE= kernel-patches-$(KERNEL_VERSION)-i486-$(PREV_PATCH_NR).tgz
KERNEL_PATCH_PKG_FILE = kernel-patches-$(KERNEL_VERSION)-i486-$(PATCH_NR).tgz
PREV_PATCH_PKG = $(KERNEL_PATCH_PKG_DIR)/$(PREV_PATCH_PKG_FILE)
KERNEL_PATCH_PKG= $(shell pwd)/$(KERNEL_PATCH_PKG_DIR)/$(KERNEL_PATCH_PKG_FILE)

# Clean up kernel build directory
all: /var/tmp/dvd_install.iso
	$(RM) -r $(KERNEL_BUILD_DIR) $(PKG_BUILD_DIR)

# Only one kernel can be built at a time
.NOTPARALLEL:

/var/tmp/dvd_install.iso: nfs_install.iso isolinux/setpkg.nfs \
                          $(filter-out $(wildcard /huge/henca/tmp), \
                          /huge/henca/tmp) \
                          $(wildcard slackware/*/*) \
                          $(PREV_PATCH_PKG)
	cd isolinux && ln -sf setpkg.dvd setpkg && cd ..
	mkisofs -o $@ \
	  -R -J -V "SBD Slamd121 Install `date +%y%m%d`" \
	  -hide-rr-moved -f\
	  -v -d -N -no-emul-boot -boot-load-size 4 -boot-info-table \
	  -sort isolinux/iso.sort \
	  -b isolinux/isolinux.bin \
	  -c isolinux/isolinux.boot \
	  -x initrd_src \
	  -A "SBD Slamd121 Install DVD" .
	echo $@ created

/huge/henca/tmp:
	mkdir -p $@

nfs_install.iso: isolinux/isolinux.cfg \
                 isolinux/message.txt \
                 isolinux/initrd.img \
                 isolinux/setpkg.nfs \
                 $(wildcard isolinux/*.img isolinux/*.dsk)
	cd isolinux && ln -sf setpkg.nfs setpkg && cd ..
	mkisofs -o $@ \
	  -R -J -V "SBD Slamd121 NFS Install `date +%y%m%d`" \
	  -hide-rr-moved -f\
	  -v -d -N -no-emul-boot -boot-load-size 4 -boot-info-table \
	  -sort isolinux/iso.sort \
	  -b isolinux/isolinux.bin \
	  -c isolinux/isolinux.boot \
	  -x slackware \
	  -x nfs_install.iso \
	  -x initrd_src \
	  -A "SBD Slamd121 NFS Install CD" .

isolinux/isolinux.cfg: isolinux/isolinux.cfg.start isolinux/message.txt
	cp $@.start $@
	for KERNEL in $(KERNELS); do \
	  echo "label $$KERNEL" >> $@; \
	  echo "kernel /kernels/$$KERNEL/bzImage" >> $@; \
	  echo -n "append initrd=initrd.img load_ramdisk=1 " >> $@; \
	  echo "prompt_ramdisk=0 rw SLACK_KERNEL=$$KERNEL" >> $@; \
	done

isolinux/message.txt: isolinux/message.txt.start $(BZIMAGES)
	cp $@.start $@
	echo $(KERNELS) | fold -s >> $@

isolinux/initrd.img: initrd_src $(shell find initrd_src -type d -o -type f )
	cd $< && find . | cpio -o -H newc | gzip > ../$@

initrd_src:
ifeq ($(shell whoami),root)
	mkdir $@ && cd $@ && gzip -d < ../isolinux/initrd.img | cpio -i
else
	@echo Run \"make initrd_src\" as root! && false
endif

slack_dirs:
	find slackware -type l -exec $(RM) {} \;
	cd slackware && \
	  ln -s $(foreach DIR, $(PACKAGE_DIRS), ../../slackware/$(DIR)) .

kernels/%/bzImage: $(KERNEL_BUILD_DIR) kernels/%/config
	echo Compiling $@
	cp $(@D)/config $</.config
	cd $< && make bzImage
	$(RM) $(@D)/System.map.gz
	cp $</arch/x86_64/boot/bzImage $@
	cp $</System.map $(@D)
	gzip -9 $(@D)/System.map

$(KERNEL_BUILD_DIR): $(LINUX_SRC) $(wildcard kernels/*/config) $(PATCHES)
	mkdir -p $(@D)
	cat $< | (cd $(@D) && tar -xzvf -)
	$(foreach PATCH, $(PATCHES), \
	  cat $(PATCH) | (cd $@ && patch -p1) &&) true;

$(PREV_PATCH_PKG): $(BZIMAGES)
	( echo " Patched kernel" && echo && \
	  tail -9 kernel_and_patches/patches.txt | \
	  awk '{$$1=""; print $$0}' && printf "\n\n\n\n\n\n\n\n\n\n" ) | \
	  sed -e 's/^/kernel-patches:/' | head -11 > \
	  $(KERNEL_PATCH_PKG:%.tgz=%.txt)
	mkdir -p $(PKG_BUILD_DIR)/install/new_kernels
	cp -rp $(KERNELS:%=kernels/%) $(PKG_BUILD_DIR)/install/new_kernels
	cp kernel_and_patches/doinst.sh $(PKG_BUILD_DIR)/install
	cd $(PKG_BUILD_DIR) && /sbin/makepkg -c n $(KERNEL_PATCH_PKG)
-8<----------------------------------------------------

The above Makefile is for a customized installation of Slamd64 12.1, but
the same idea also works for Slackware.

The created kernel patch packages contain the following doinst.sh:
-8<----------------------------------------------------
#!/bin/bash

kernel=`file boot/vmlinuz | colrm 1 32 | xargs -0 dirname`
if [ "$kernel" == "." ]; then
  # Fallback for old machines not having kernel in subdir of /boot
  kernel=hugesmp.s
  ln -sf ${kernel}/bzImage boot/vmlinuz
  ln -sf ${kernel}/config boot/config
  ln -sf ${kernel}/System.map boot/System.map
fi

if [ -d install/new_kernels/$kernel ]; then
  mkdir -p boot/old_kernels
  if [ install/new_kernels/${kernel}/bzImage -nt boot/${kernel}/bzImage ]; then
    mv boot/$kernel boot/old_kernels/${kernel}.`date +%y%m%d` || true
    cp -rp install/new_kernels/$kernel boot
    gunzip boot/${kernel}/System.map.gz
    chown -R root.root boot
    # Doing this more than once might help against "volid read error" from
    # removable discs
    lilo -r .
    sleep 1
    lilo -r .
    sleep 1
    lilo -r .
  fi
  rm -r install/new_kernels
else
  echo New kernel for $kernel is missing!
fi
-8<----------------------------------------------------

With the above semi-automatic created kernel-packages and a cron job on
each machine that installs patch packages every night each machine will
get a patched version of a kernel with the same configuration as it had
before. Please note however that a reboot is also needed for the newly
installed kernel to become active.

It takes some more work than just simply running "make". A directory
structure must be populated with kernel configuration files and to also
get useful isos a complete directory structure with slackware installation
files is needed. However if you are in an organisation where there are
many machines to manage this kind of Makefile is really useful.

regards Henrik
--
The address in the header is only to prevent spam. My real address is:
hc3(at)poolhem.se Examples of addresses which go to spammers:
root@localhost postmaster@localhost
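
A check that could run before packaging the kernels built above, as an added example that is not part of the original post: it reports whether a source tree's sock_sendpage() still makes the direct call the patch removes, and whether kernel_sendpage() is defined at all (the 2.4 case). The function names, the exit codes and the sample tree are constructed for illustration, and it assumes kernel_sendpage() lives in net/socket.c.

```shell
# Added example (not from the post): report whether a kernel source tree has the
# sock_sendpage() change. Assumes kernel_sendpage() is defined in net/socket.c.

sendpage_body() {   # print the body of the sock_sendpage() definition
    awk '/^[a-z].*sock_sendpage[(]/ { sig = 1 }
         sig && !body && /;[ \t]*$/  { sig = 0 }   # prototype, not definition
         sig && /^[{]/               { body = 1; next }
         body && /^[}]/              { exit }
         body                        { print }' "$1"
}

check_sendpage_fix() {   # 0 patched, 1 unpatched, 2 helper missing, 3 unknown
    src="$1/net/socket.c"
    [ -f "$src" ] || { echo "UNKNOWN   $1 (no net/socket.c)"; return 3; }
    case "$(sendpage_body "$src")" in
        *'sock->ops->sendpage('*) echo "UNPATCHED $1"; return 1 ;;
        *'kernel_sendpage('*)     ;;
        *) echo "UNKNOWN   $1 (sock_sendpage not recognised)"; return 3 ;;
    esac
    grep -q '^int kernel_sendpage[(]' "$src" ||
        { echo "NOHELPER  $1 (kernel_sendpage not defined)"; return 2; }
    echo "PATCHED   $1"
}

# Constructed sample input: a cut-down net/socket.c. $2 is the call made by
# sock_sendpage(), $3 is optional text placed before it (the helper).
HELPER='int kernel_sendpage(struct socket *sock, struct page *page, int offset,
                    size_t size, int flags)
{
        if (sock->ops->sendpage)
                return sock->ops->sendpage(sock, page, offset, size, flags);
        return sock_no_sendpage(sock, page, offset, size, flags);
}'
make_sample_tree() {
    mkdir -p "$1/net" && cat > "$1/net/socket.c" <<EOF
static ssize_t sock_sendpage(struct file *file, struct page *page,
                             int offset, size_t size, loff_t *ppos, int more);
$3
static ssize_t sock_sendpage(struct file *file, struct page *page,
                             int offset, size_t size, loff_t *ppos, int more)
{
        struct socket *sock = file->private_data;
        return $2(sock, page, offset, size, more ? MSG_MORE : 0);
}
EOF
}

# Check every tree named on the command line.
for tree in "$@"; do check_sendpage_fix "$tree" || true; done
```

Run it with the unpacked build trees as arguments; the guarded call inside kernel_sendpage() itself is ignored because only the body of sock_sendpage() is inspected.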

Grant

20 Aug 2009, 20:12:44
On Thu, 20 Aug 2009 21:37:39 +0200, Henrik Carlqvist <Henrik.C...@deadspam.com> wrote:

>The recently found security hole in the Linux kernel
>http://linux.slashdot.org/story/09/08/13/2022212/Local-Privilege-Escalation-On-All-Linux-Kernels
>now has been addressed by patches for Slackware 12.2 and Slackware 12.1.
>
>As I have some systems running older versions of Slackware I have chosen
>to patch the kernel myself.

Thanks for the info Henrik :)

I update to the latest kernel stable version.

For Slackware-11 I run the latest 2.6.27.nn version because 2.6.27 is
on extended support, as I've not updated to latest iptables user-space
there.

Willy T. hasn't put up a 2.4 patch yet (or I missed it), but I no
longer use 2.4 series here.

Grant.
--
http://bugsplatter.id.au

Res

20 Aug 2009, 23:12:21

On Fri, 21 Aug 2009, Grant wrote:
>
>
> I update to the latest kernel stable version.

Don't use 2.6.30.5 :) we found tcp issues, talking to the NFS server
usually it can happily thrash away, you can ping the crap out of it at 5000
bytes and it still never gets above 0.160ms, but with 2.6.30.5, it jumps all
over the shop, goes up to 15ms :) reverted to .4, and all back to normal
again.


--
Res

-Beware of programmers who carry screwdrivers

Beej Jorgensen

21 Aug 2009, 03:35:56
Res <r...@ausics.net> wrote:
> Don't use 2.6.30.5 :) we found tcp issues, talking to the NFS server
> usually it can happily thrash away, you can ping the crap out of it
> at 5000 bytes and it still never gets above 0.160ms, but with
> 2.6.30.5, it jumps all over the shop, goes up to 15ms :) reverted to
> .4, and all back to normal again.

Funky. CNR on my machine with ping on 2.6.30.5. Wonder if it's
something specific to the hardware driver...?

-Beej

Res

21 Aug 2009, 08:01:58

One uses Broadcom, and another tg3, I'll wait for .6 before trying again.
