Author: dannf Date: Sat May 20 07:28:49 2006 New Revision: 6640 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/s390-strnlen_user-return.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
Log: * s390-strnlen_user-return.dpatch [SECURITY][s390] Fix local DoS on s390 that may result from strnlen_user returning a value that is too large See CVE-2006-0456 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat May 20 07:28:49 2006 @@ -77,8 +77,12 @@ netfilter that allows local users with CAP_NET_ADMIN capabilities to read kernel memory See CVE-2006-0039 + * s390-strnlen_user-return.dpatch + [SECURITY][s390] Fix local DoS on s390 that may result from strnlen_user + returning a value that is too large + See CVE-2006-0456 - -- dann frazier <[EMAIL PROTECTED]> Sat, 20 May 2006 02:15:22 -0500 + -- dann frazier <[EMAIL PROTECTED]> Sat, 20 May 2006 02:25:23 -0500 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/s390-strnlen_user-return.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/s390-strnlen_user-return.dpatch Sat May 20 07:28:49 2006 @@ -0,0 +1,55 @@ +From: Gerald Schaefer <[EMAIL PROTECTED]> +Date: Wed, 8 Mar 2006 05:55:37 +0000 (-0800) +Subject: [PATCH] s390: fix strnlen_user return value +X-Git-Tag: v2.6.16-rc6 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=331c46591414f7f92b1cec048009abe89892ee79 + +[PATCH] s390: fix strnlen_user return value + +strnlen_user is supposed to return then length count + 1 if no terminating \0 +is found, and it should return 0 on exception. Found by David Howells +<[EMAIL PROTECTED]>. + +Signed-off-by: Gerald Schaefer <[EMAIL PROTECTED]> +Signed-off-by: Heiko Carstens <[EMAIL PROTECTED]> +Acked-By: David Howells <[EMAIL PROTECTED]> +Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +--- a/arch/s390/lib/uaccess.S ++++ b/arch/s390/lib/uaccess.S +@@ -198,12 +198,12 @@ __strnlen_user_asm: + 0: srst %r2,%r1 + jo 0b + sacf 0 +- jh 1f # \0 found in string ? + ahi %r2,1 # strnlen_user result includes the \0 +-1: slr %r2,%r3 ++ # or return count+1 if \0 not found ++ slr %r2,%r3 + br %r14 + 2: sacf 0 +- lhi %r2,-EFAULT ++ slr %r2,%r2 # return 0 on exception + br %r14 + .section __ex_table,"a" + .long 0b,2b +--- a/arch/s390/lib/uaccess64.S ++++ b/arch/s390/lib/uaccess64.S +@@ -194,12 +194,12 @@ __strnlen_user_asm: + 0: srst %r2,%r1 + jo 0b + sacf 0 +- jh 1f # \0 found in string ? + aghi %r2,1 # strnlen_user result includes the \0 +-1: slgr %r2,%r3 ++ # or return count+1 if \0 not found ++ slgr %r2,%r3 + br %r14 + 2: sacf 0 +- lghi %r2,-EFAULT ++ slgr %r2,%r2 # return 0 on exception + br %r14 + .section __ex_table,"a" + .quad 0b,2b Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 Sat May 20 07:28:49 2006 @@ -21,3 +21,4 @@ + amd64-fp-reg-leak-dep3.dpatch + amd64-fp-reg-leak.dpatch + do_add_counters-race.dpatch ++ s390-strnlen_user-return.dpatch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes