[kernel] r14151 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Aug 20 20:29:34 UTC 2009
Author: dannf
Date: Thu Aug 20 20:29:33 2009
New Revision: 14151
Log:
do_sigaltstack: avoid copying 'stack_t' as a structure to user space
(CVE-2009-2847)
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
- copied unchanged from r14148, dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
dists/etch-security/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch
- copied unchanged from r14148, dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/24etch4
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog Thu Aug 20 20:21:44 2009 (r14150)
+++ dists/etch-security/linux-2.6/debian/changelog Thu Aug 20 20:29:33 2009 (r14151)
@@ -1,6 +1,8 @@
linux-2.6 (2.6.18.dfsg.1-24etch4) UNRELEASED; urgency=high
* [parisc] isa-eeprom - Fix loff_t usage (CVE-2009-2846)
+ * do_sigaltstack: avoid copying 'stack_t' as a structure to user space
+ (CVE-2009-2847)
-- dann frazier <dannf at debian.org> Thu, 20 Aug 2009 14:20:23 -0600
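Review bot: the changelog bullet records only the CVE-2009-2847 fix, but the series change in this same revision also pulls in bugfix/all/do_sigaltstack-small-cleanups.patch; consider extending the bullet (e.g. "… (CVE-2009-2847), plus the follow-up do_sigaltstack cleanups") so the 24etch4 changelog accounts for every patch the revision adds.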
Copied: dists/etch-security/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch (from r14148, dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch Thu Aug 20 20:29:33 2009 (r14151, copy of r14148, dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch)
@@ -0,0 +1,61 @@
+commit 0083fc2c50e6c5127c2802ad323adf8143ab7856
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat Aug 1 10:34:56 2009 -0700
+
+ do_sigaltstack: avoid copying 'stack_t' as a structure to user space
+
+ Ulrich Drepper correctly points out that there is generally padding in
+ the structure on 64-bit hosts, and that copying the structure from
+ kernel to user space can leak information from the kernel stack in those
+ padding bytes.
+
+ Avoid the whole issue by just copying the three members one by one
+ instead, which also means that the function also can avoid the need for
+ a stack frame. This also happens to match how we copy the new structure
+ from user space, so it all even makes sense.
+
+ [ The obvious solution of adding a memset() generates horrid code, gcc
+ does really stupid things. ]
+
+ Reported-by: Ulrich Drepper <drepper at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.30 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.30.orig/kernel/signal.c linux-source-2.6.30/kernel/signal.c
+--- linux-source-2.6.30.orig/kernel/signal.c 2009-08-14 18:03:20.000000000 -0600
++++ linux-source-2.6.30/kernel/signal.c 2009-08-14 18:04:08.000000000 -0600
+@@ -2414,11 +2414,9 @@ do_sigaltstack (const stack_t __user *us
+ stack_t oss;
+ int error;
+
+- if (uoss) {
+- oss.ss_sp = (void __user *) current->sas_ss_sp;
+- oss.ss_size = current->sas_ss_size;
+- oss.ss_flags = sas_ss_flags(sp);
+- }
++ oss.ss_sp = (void __user *) current->sas_ss_sp;
++ oss.ss_size = current->sas_ss_size;
++ oss.ss_flags = sas_ss_flags(sp);
+
+ if (uss) {
+ void __user *ss_sp;
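Review bot: the header line "Adjusted to apply to Debian's 2.6.30" and the diff paths linux-source-2.6.30.orig/kernel/signal.c do not match the tree this lands in, which the changelog in the same revision identifies as etch-security's 2.6.18.dfsg.1-24etch4; please confirm the @@ -2414 hunk still applies to that kernel/signal.c and correct the "Adjusted to apply to" line to name the tree it was actually adjusted for. On the code, dropping the `if (uoss)` guard so that `oss.ss_sp`, `oss.ss_size` and `oss.ss_flags` are always assigned is fine: the three assignments only compute the old-stack values from `current` and `sp`, and they are taken before the `if (uss)` block updates the current stack, so the values returned to the caller are still the old ones.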
+@@ -2461,13 +2459,16 @@ do_sigaltstack (const stack_t __user *us
+ current->sas_ss_size = ss_size;
+ }
+
++ error = 0;
+ if (uoss) {
+ error = -EFAULT;
+- if (copy_to_user(uoss, &oss, sizeof(oss)))
++ if (!access_ok(VERIFY_WRITE, uoss, sizeof(*uoss)))
+ goto out;
++ error = __put_user(oss.ss_sp, &uoss->ss_sp) |
++ __put_user(oss.ss_size, &uoss->ss_size) |
++ __put_user(oss.ss_flags, &uoss->ss_flags);
+ }
+
+- error = 0;
+ out:
+ return error;
+ }
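Review bot: replacing `copy_to_user(uoss, &oss, sizeof(oss))` with `access_ok(VERIFY_WRITE, uoss, sizeof(*uoss))` followed by three `__put_user` calls is the right fix for the leak: only ss_sp, ss_size and ss_flags are stored, so the padding bytes inside the user-space stack_t are never filled from the kernel-stack copy of `oss`. Two details worth checking: `error = __put_user(...) | __put_user(...) | __put_user(...)` attempts all three stores even after one faults, which is harmless because access_ok has already validated the whole range and the OR of 0 and -EFAULT values is still 0 or -EFAULT; and the `error = 0;` added ahead of the `if (uoss)` block must stay there, since the `error = 0;` removed at the end of the function was what the path without an old-stack pointer relied on to return success.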
Copied: dists/etch-security/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch (from r14148, dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch Thu Aug 20 20:29:33 2009 (r14151, copy of r14148, dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch)
@@ -0,0 +1,35 @@
+commit 0dd8486b5cfe8048e0613334659d9252ecd1b08a
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat Aug 1 11:18:56 2009 -0700
+
+ do_sigaltstack: small cleanups
+
+ The previous commit ("do_sigaltstack: avoid copying 'stack_t' as a
+ structure to user space") fixed a real bug. This one just cleans up the
+ copy from user space to that gcc can generate better code for it (and so
+ that it looks the same as the later copy back to user space).
+
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.30 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.30.orig/kernel/signal.c linux-source-2.6.30/kernel/signal.c
+--- linux-source-2.6.30.orig/kernel/signal.c 2009-08-14 18:04:08.000000000 -0600
++++ linux-source-2.6.30/kernel/signal.c 2009-08-14 18:05:13.000000000 -0600
+@@ -2424,10 +2424,12 @@ do_sigaltstack (const stack_t __user *us
+ int ss_flags;
+
+ error = -EFAULT;
+- if (!access_ok(VERIFY_READ, uss, sizeof(*uss))
+- || __get_user(ss_sp, &uss->ss_sp)
+- || __get_user(ss_flags, &uss->ss_flags)
+- || __get_user(ss_size, &uss->ss_size))
++ if (!access_ok(VERIFY_READ, uss, sizeof(*uss)))
++ goto out;
++ error = __get_user(ss_sp, &uss->ss_sp) |
++ __get_user(ss_flags, &uss->ss_flags) |
++ __get_user(ss_size, &uss->ss_size);
++ if (error)
+ goto out;
+
+ error = -EPERM;
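Review bot: same header problem as the first patch: "Adjusted to apply to Debian's 2.6.30" and the linux-source-2.6.30 paths do not describe the etch-security 2.6.18 tree this is committed to; please fix the line and confirm the @@ -2424 hunk applies. The rewrite from the chained `||` condition to `error = __get_user(...) | __get_user(...) | __get_user(...); if (error) goto out;` is behaviour-preserving: `access_ok(VERIFY_READ, uss, sizeof(*uss))` still gates the reads, any faulting `__get_user` leaves -EFAULT in `error`, and the `error = -EFAULT;` set just above now serves only the access_ok failure path. Since this patch does not change behaviour, its inclusion in a security update should be justified in the changelog as keeping the etch tree aligned with the upstream pair rather than as a fix in its own right.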
Modified: dists/etch-security/linux-2.6/debian/patches/series/24etch4
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/24etch4 Thu Aug 20 20:21:44 2009 (r14150)
+++ dists/etch-security/linux-2.6/debian/patches/series/24etch4 Thu Aug 20 20:29:33 2009 (r14151)
@@ -1 +1,3 @@
+ bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch
++ bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
++ bugfix/all/do_sigaltstack-small-cleanups.patch
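Review bot: the ordering is correct and must be kept: do_sigaltstack-small-cleanups.patch was generated on top of the first patch (its `---` timestamp 18:04:08 is the `+++` timestamp of do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch, and its commit message refers to that change as "The previous commit"), so its hunk offsets assume the CVE fix is already applied; if the two lines were ever swapped the cleanup would at best apply with offset and should be re-checked.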