Author: dannf
Date: Mon Nov 13 05:00:56 2006
New Revision: 7784

Added:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/236_s390-uaccess-memleak.diff
Modified:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
Log:
* 236_s390-uaccess-memleak.diff
  [SECURITY][s390] Fix leak of uninitialised kernel memory to user space
  in copy_from_user by clearing the remaining bytes of the kernel buffer
  after a fault on the userspace address in copy_from_user()
  See CVE-2006-5174

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Mon Nov 13 05:00:56 2006
@@ -12,8 +12,13 @@
     [SECURITY][ppc] Avoid potential DoS which can be triggered by some
     futex ops
     See CVE-2006-5649
+  * 236_s390-uaccess-memleak.diff
+    [SECURITY][s390] Fix memory leak in copy_from_user by clearing the
+    remaining bytes of the kernel buffer after a fault on the userspace
+    address in copy_from_user()
+    See CVE-2006-5174
 
- -- dann frazier <[EMAIL PROTECTED]>  Sun, 12 Nov 2006 20:17:24 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Sun, 12 Nov 2006 20:58:14 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge4) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/236_s390-uaccess-memleak.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/236_s390-uaccess-memleak.diff
     Mon Nov 13 05:00:56 2006
@@ -0,0 +1,103 @@
+From: Martin Schwidefsky <[EMAIL PROTECTED]>
+Date: Wed, 18 Oct 2006 10:58:07 +0200
+Subject: No Subject
+Message-Id: <[EMAIL PROTECTED]>
+Mime-Version: 1.0
+Content-Transfer-Encoding: 7bit
+
+[S390] user readable uninitialised kernel memory.
+
+A user space program can read uninitialised kernel memory
+by appending to a file from a bad address and then reading
+the result back. The cause is the copy_from_user function
+that does not clear the remaining bytes of the kernel
+buffer after it got a fault on the user space address.
+
+Signed-off-by: Martin Schwidefsky <[EMAIL PROTECTED]>
+---
+ arch/s390/lib/uaccess.S  |   16 +++++++++++-----
+ arch/s390x/lib/uaccess.S |   16 +++++++++++-----
+ 2 files changed, 22 insertions(+), 10 deletions(-)
+
+diff -urpN linux-2.4/arch/s390/lib/uaccess.S 
linux-2.4-patched/arch/s390/lib/uaccess.S
+--- linux-2.4/arch/s390/lib/uaccess.S  2003-06-13 16:51:32.000000000 +0200
++++ linux-2.4-patched/arch/s390/lib/uaccess.S  2006-10-17 18:39:54.000000000 
+0200
+@@ -19,8 +19,8 @@ __copy_from_user_asm:
+       sacf    512
+ 0:    mvcle   %r2,%r4,0
+       jo      0b
+-1:    sacf    0
+       lr      %r2,%r5
++1:    sacf    0
+       br      %r14
+ 2:    lhi     %r1,-4096
+       lr      %r3,%r4
+@@ -28,17 +28,23 @@ __copy_from_user_asm:
+       nr      %r3,%r1      # %r3 = (%r4 + 4096) & -4096
+       slr     %r3,%r4      # %r3 = #bytes to next user page boundary
+       clr     %r5,%r3      # copy crosses next page boundary ?
+-      jnh     1b           # no, this page fauled
++      jnh     4f           # no, this page faulted
+       # The page after the current user page might have faulted.
+-      # We cant't find out which page because the program check handler
+-      # might have callled schedule, destroying all lowcore information.
++      # We can't find out which page because the program check handler
++      # might have called schedule, destroying all lowcore information.
+       # We retry with the shortened length.
+ 3:    mvcle   %r2,%r4,0
+       jo      3b
++4:    lr      %r1,%r5      # pad remaining bytes with 0
++      lr      %r3,%r5
++      slr     %r5,%r5
++5:    mvcle   %r2,%r4,0
++      jo      5b
++      lr      %r2,%r1
+       j       1b
+         .section __ex_table,"a"
+       .long   0b,2b
+-      .long   3b,1b
++      .long   3b,4b
+         .previous
+ 
+         .align 4
+diff -urpN linux-2.4/arch/s390x/lib/uaccess.S 
linux-2.4-patched/arch/s390x/lib/uaccess.S
+--- linux-2.4/arch/s390x/lib/uaccess.S 2003-06-13 16:51:32.000000000 +0200
++++ linux-2.4-patched/arch/s390x/lib/uaccess.S 2006-10-17 18:40:03.000000000 
+0200
+@@ -19,8 +19,8 @@ __copy_from_user_asm:
+       sacf    512
+ 0:    mvcle   %r2,%r4,0
+       jo      0b
+-1:    sacf    0
+       lgr     %r2,%r5
++1:    sacf    0
+       br      %r14
+ 2:    lghi    %r1,-4096
+       lgr     %r3,%r4
+@@ -28,17 +28,23 @@ __copy_from_user_asm:
+       ngr     %r3,%r1      # %r3 = (%r4 + 4096) & -4096
+       slgr    %r3,%r4      # %r3 = #bytes to next user page boundary
+       clgr    %r5,%r3      # copy crosses next page boundary ?
+-      jnh     1b           # no, this page fauled
++      jnh     4f           # no, this page faulted
+       # The page after the current user page might have faulted.
+-      # We cant't find out which page because the program check handler
+-      # might have callled schedule, destroying all lowcore information.
++      # We can't find out which page because the program check handler
++      # might have called schedule, destroying all lowcore information.
+       # We retry with the shortened length.
+ 3:    mvcle   %r2,%r4,0
+       jo      3b
++4:    lgr     %r1,%r5      # pad remaining bytes with 0
++      lgr     %r3,%r5
++      slgr    %r5,%r5
++5:    mvcle   %r2,%r4,0
++      jo      5b
++      lgr     %r2,%r1
+       j       1b
+         .section __ex_table,"a"
+       .quad   0b,2b
+-      .quad   3b,1b
++      .quad   3b,4b
+         .previous
+ 
+         .align 4
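Review bot: The new zero-fill loop at label `5:` has no `__ex_table` entry, and the only comment on the path (`# pad remaining bytes with 0` at `4:`) does not explain why that is safe or what each register holds; the same applies to the `lgr`/`slgr` copy in arch/s390x/lib/uaccess.S. I would document it at `4:`, for example `# %r1 = bytes not copied (return value), %r3 = kernel bytes still to clear` on the first two loads, and `# source length 0: mvcle stores only the pad byte, no user access, so no __ex_table entry for 5b` on the `slr %r5,%r5` line. It is also worth a one-line comment at `1:` noting that `%r2` must already hold the return value there, since the commit moves `lr %r2,%r5` above the label and the fault path now sets `%r2` from `%r1` itself. The start of `__copy_from_user_asm` lies outside the nested hunks, so I am assuming `%r3` and `%r5` both start as the requested length; if they do not, the `lr %r3,%r5` at `4:` would clear the wrong number of bytes.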

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
    Mon Nov 13 05:00:56 2006
@@ -1,3 +1,4 @@
 + 233_ia64-sparc-cross-region-mappings.diff
 + 234_atm-clip-freed-skb-deref.diff
 + 235_ppc-alignment-exception-table-check.diff
++ 236_s390-uaccess-memleak.diff
