rpms/kernel/F-11 add-fno-delete-null-pointer-checks-to-gcc-cflags.patch, NONE, 1.1.2.1 kernel.spec, 1.1679.2.2, 1.1679.2.3

Chuck Ebbert cebbert at fedoraproject.org
Wed Jul 29 19:17:25 UTC 2009


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21777

Modified Files:
      Tag: private-fedora-11-2_6_29_6
	kernel.spec 
Added Files:
      Tag: private-fedora-11-2_6_29_6
	add-fno-delete-null-pointer-checks-to-gcc-cflags.patch 
Log Message:
Don't optimize away NULL pointer tests where pointer is used before the test.
  (CVE-2009-1897)

add-fno-delete-null-pointer-checks-to-gcc-cflags.patch:
 Makefile |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- NEW FILE add-fno-delete-null-pointer-checks-to-gcc-cflags.patch ---
>From a3ca86aea507904148870946d599e07a340b39bf Mon Sep 17 00:00:00 2001
From: Eugene Teo <eteo at redhat.com>
Date: Wed, 15 Jul 2009 14:59:10 +0800
Subject: Add '-fno-delete-null-pointer-checks' to gcc CFLAGS

From: Eugene Teo <eteo at redhat.com>

commit a3ca86aea507904148870946d599e07a340b39bf upstream.

Turning on this flag could prevent the compiler from optimising away
some "useless" checks for null pointers.  Such bugs can sometimes become
exploitable at compile time because of the -O2 optimisation.

See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html

An example that clearly shows this 'problem' is commit 6bf67672.

 static void __devexit agnx_pci_remove(struct pci_dev *pdev)
 {
     struct ieee80211_hw *dev = pci_get_drvdata(pdev);
-    struct agnx_priv *priv = dev->priv;
+    struct agnx_priv *priv;
     AGNX_TRACE;

     if (!dev)
         return;
+    priv = dev->priv;

By reverting this patch and compiling it with and without the
-fno-delete-null-pointer-checks flag, we can see that the check for dev
is compiled away.

    call    printk  #
-   testq   %r12, %r12  # dev
-   je  .L94    #,
    movq    %r12, %rdi  # dev,

Clearly the 'fix' is to stop using dev before it is tested, but building
with -fno-delete-null-pointer-checks flag at least makes it harder to
abuse.

Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
Acked-by: Eric Paris <eparis at redhat.com>
Acked-by: Wang Cong <amwang at redhat.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 Makefile |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/Makefile
+++ b/Makefile
@@ -340,7 +340,8 @@ KBUILD_CPPFLAGS := -D__KERNEL__ $(LINUXI
 
 KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
 		   -fno-strict-aliasing -fno-common \
-		   -Werror-implicit-function-declaration
+		   -Werror-implicit-function-declaration \
+		   -fno-delete-null-pointer-checks
 KBUILD_AFLAGS   := -D__ASSEMBLY__
 
 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
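Review bot: the new `-fno-delete-null-pointer-checks` line in KBUILD_CFLAGS carries no comment saying why it is there, so a later cleanup could drop it as a lost optimisation; suggest a one-line comment above it naming the deref-before-test problem (CVE-2009-1897 per the spec changelog), and wrapping it as `$(call cc-option,-fno-delete-null-pointer-checks)` so a compiler that rejects the option does not break the build. Worth stating in that comment, too, that the flag only keeps the NULL test in code that already dereferences before testing; it does not make that dereference safe, so the underlying bugs still need fixing, as the patch description says.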


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1679.2.2
retrieving revision 1.1679.2.3
diff -u -p -r1.1679.2.2 -r1.1679.2.3
--- kernel.spec	29 Jul 2009 17:08:18 -0000	1.1679.2.2
+++ kernel.spec	29 Jul 2009 19:17:24 -0000	1.1679.2.3
@@ -814,6 +814,9 @@ Patch11130: via-hwmon-temp-sensor.patch
 Patch12000: security-use-mmap_min_addr-indepedently-of-security-models.patch
 Patch12010: personality-fix-per_clear_on_setid.patch
 
+# make gcc stop optimizing away null pointer tests
+Patch13000: add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
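Review bot: the Patch13000 definition lands inside a conditional block whose closing `%endif` is visible here but whose opening condition is outside the hunk; confirm that condition is the one intended for a global CFLAGS change, which should apply to every kernel flavour this spec builds. Also suggest adding the CVE id to the `# make gcc stop optimizing away null pointer tests` comment so the spec records why a compiler flag was changed.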
@@ -1524,6 +1527,9 @@ ApplyPatch linux-2.6-x86-delay-tsc-barri
 ApplyPatch security-use-mmap_min_addr-indepedently-of-security-models.patch
 ApplyPatch personality-fix-per_clear_on_setid.patch
 
+# don't optimize out null pointer tests
+ApplyPatch add-fno-delete-null-pointer-checks-to-gcc-cflags.patch
+
 # VIA: add 64-bit padlock support, sdmmc driver, temp sensor driver
 ApplyPatch via-centaur-merge-32-64-bit-init.patch
 ApplyPatch via-padlock-fix-might-sleep.patch
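Review bot: the ApplyPatch line matches the Patch13000 definition, but its comment (`# don't optimize out null pointer tests`) is worded differently from the one at the definition; use identical wording at both sites, ideally including the CVE id, so a grep for either finds both.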
@@ -2121,6 +2127,10 @@ fi
 # and build.
 
 %changelog
+* Wed Jul 29 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.29.6-217.2.3
+- Don't optimize away NULL pointer tests where pointer is used before the test.
+  (CVE-2009-1897)
+
 * Wed Jul 29 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.29.6-217.2.2
 - Fix mmap_min_addr security bugs (CVE-2009-1895)
 
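Review bot: the changelog entry names the CVE but not the upstream commit the patch backports (a3ca86aea507904148870946d599e07a340b39bf, from the patch header); adding it makes the backport traceable when the F-11 tree is later rebased and the patch is dropped.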

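The deref-before-test pattern from the patch description and its corrected form, side by side, as an added C example (not code from the commit, the agnx driver or the kernel). The struct names are constructed stand-ins for struct ieee80211_hw and struct agnx_priv, and the wrapper functions build a sample device inline so the file runs on its own.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structs in the patch description
 * (not the real struct ieee80211_hw / struct agnx_priv). */
struct agnx_priv_like {
    int irq_count;
};

struct hw_like {
    struct agnx_priv_like *priv;
};

/* The pattern the upstream commit fixed: `dev` is dereferenced to load
 * `priv` before it is tested.  Under -O2, and without
 * -fno-delete-null-pointer-checks, gcc may treat that dereference as proof
 * that dev != NULL and delete the `if (!dev)` test, which is how the
 * `testq %r12, %r12` / `je` pair vanished in the description above.
 * Calling this with NULL is undefined behaviour with or without the flag;
 * the test only ever "worked" by accident. */
int remove_deref_before_check(struct hw_like *dev)
{
    struct agnx_priv_like *priv = dev->priv;  /* use before test */

    if (!dev)                                 /* candidate for deletion */
        return -1;
    return priv->irq_count;
}

/* Corrected pattern: test first, dereference afterwards.  No load precedes
 * the test, so the optimiser has nothing to fold and the NULL check
 * survives at every optimisation level. */
int remove_check_before_deref(struct hw_like *dev)
{
    struct agnx_priv_like *priv;

    if (!dev)
        return -1;
    priv = dev->priv;
    if (!priv)
        return -1;
    return priv->irq_count;
}

/* Drivers: a constructed valid device and a NULL device. */
int fixed_pattern_valid_device(void)
{
    struct agnx_priv_like priv = { 7 };
    struct hw_like dev = { &priv };
    return remove_check_before_deref(&dev);   /* 7 */
}

int fixed_pattern_null_device(void)
{
    return remove_check_before_deref(NULL);   /* -1, regardless of CFLAGS */
}

int buggy_pattern_valid_device(void)
{
    struct agnx_priv_like priv = { 7 };
    struct hw_like dev = { &priv };
    return remove_deref_before_check(&dev);   /* 7; NULL is never passed here */
}

int main(void)
{
    printf("fixed pattern, valid dev: %d\n", fixed_pattern_valid_device());
    printf("fixed pattern, NULL dev : %d\n", fixed_pattern_null_device());
    printf("buggy pattern, valid dev: %d\n", buggy_pattern_valid_device());
    return 0;
}
```

To see the effect the patch description talks about, compile this file twice with `gcc -O2 -S`, once with and once without `-fno-delete-null-pointer-checks`, and compare the assembly of remove_deref_before_check: whether a test against zero remains before the load depends on the gcc version, but remove_check_before_deref keeps its test in both builds because nothing dereferences dev before it.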



More information about the fedora-extras-commits mailing list