Author: dannf
Date: Mon Nov 13 05:03:16 2006
New Revision: 7785

Added:
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/s390-uaccess-memleak.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
Log:
* s390-uaccess-memleak.dpatch
  [SECURITY][s390] Fix leak of uninitialised kernel memory to userspace in
  copy_from_user() by clearing the remaining bytes of the kernel buffer
  after a fault on the userspace address
  See CVE-2006-5174

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Mon Nov 13 05:03:16 2006
@@ -24,8 +24,13 @@
     [SECURITY][ppc] Avoid potential DoS which can be triggered by some
     futex ops
     See CVE-2006-5649
+  * s390-uaccess-memleak.dpatch
+    [SECURITY][s390] Fix memory leak in copy_from_user by clearing the
+    remaining bytes of the kernel buffer after a fault on the userspace
+    address in copy_from_user()
+    See CVE-2006-5174
 
- -- dann frazier <[EMAIL PROTECTED]>  Sun, 12 Nov 2006 20:13:06 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Sun, 12 Nov 2006 21:02:15 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge5) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/s390-uaccess-memleak.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/s390-uaccess-memleak.dpatch
     Mon Nov 13 05:03:16 2006
@@ -0,0 +1,65 @@
+From: Martin Schwidefsky <[EMAIL PROTECTED]>
+Date: Wed, 18 Oct 2006 10:58:07 +0200
+Subject: No Subject
+Message-Id: <[EMAIL PROTECTED]>
+Mime-Version: 1.0
+Content-Transfer-Encoding: 7bit
+
+[S390] user readable uninitialised kernel memory.
+
+A user space program can read uninitialised kernel memory
+by appending to a file from a bad address and then reading
+the result back. The cause is the copy_from_user function
+that does not clear the remaining bytes of the kernel
+buffer after it got a fault on the user space address.
+
+Signed-off-by: Martin Schwidefsky <[EMAIL PROTECTED]>
+---
+ arch/s390/lib/uaccess.S   |   12 +++++++++++-
+ arch/s390/lib/uaccess64.S |   12 +++++++++++-
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff -urpN linux-2.6.18.1/arch/s390/lib/uaccess64.S 
linux-2.6.18.1-s390/arch/s390/lib/uaccess64.S
+--- linux-2.6.18.1/arch/s390/lib/uaccess64.S   2006-10-17 13:26:32.000000000 
+0200
++++ linux-2.6.18.1-s390/arch/s390/lib/uaccess64.S      2006-10-17 
13:21:20.000000000 +0200
+@@ -40,7 +40,17 @@ __copy_from_user_asm:
+       # move with the reduced length which is < 256
+ 5:    mvcp    0(%r5,%r2),0(%r4),%r0
+       slgr    %r3,%r5
+-6:    lgr     %r2,%r3
++      algr    %r2,%r5
++6:    lgr     %r5,%r3         # copy remaining size
++      aghi    %r5,-1          # subtract 1 for xc loop
++      bras    %r4,8f
++      xc      0(1,%r2),0(%r2)
++7:    xc      0(256,%r2),0(%r2)
++      la      %r2,256(%r2)
++8:    aghi    %r5,-256
++      jnm     7b
++      ex      %r5,0(%r4)
++9:    lgr     %r2,%r3
+       br      %r14
+         .section __ex_table,"a"
+       .quad   0b,4b
+diff -urpN linux-2.6.18.1/arch/s390/lib/uaccess.S 
linux-2.6.18.1-s390/arch/s390/lib/uaccess.S
+--- linux-2.6.18.1/arch/s390/lib/uaccess.S     2006-10-17 13:26:32.000000000 
+0200
++++ linux-2.6.18.1-s390/arch/s390/lib/uaccess.S        2006-10-17 
13:21:06.000000000 +0200
+@@ -40,7 +40,17 @@ __copy_from_user_asm:
+       # move with the reduced length which is < 256
+ 5:    mvcp    0(%r5,%r2),0(%r4),%r0
+       slr     %r3,%r5
+-6:    lr      %r2,%r3
++      alr     %r2,%r5
++6:    lr      %r5,%r3         # copy remaining size
++      ahi     %r5,-1          # subtract 1 for xc loop
++      bras    %r4,8f
++      xc      0(1,%r2),0(%r2)
++7:    xc      0(256,%r2),0(%r2)
++      la      %r2,256(%r2)
++8:    ahi     %r5,-256
++      jnm     7b
++      ex      %r5,0(%r4)
++9:    lr      %r2,%r3
+       br      %r14
+         .section __ex_table,"a"
+       .long   0b,4b
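Review bot: The tail-clearing sequence added at labels 6-9 of `__copy_from_user_asm` (in both uaccess64.S and uaccess.S) relies on the `bras`/`ex` idiom without a comment, and it silently reuses `%r4`, which until then held the user-space source address. I would annotate `bras %r4,8f` with `# %r4 = address of the 1-byte xc template that follows` and `ex %r5,0(%r4)` with `# clear the final (%r5 & 0xff)+1 bytes using that template`. A note at label 6 should say that `%r2` points at the first uncopied kernel byte and `%r3` holds the uncopied count that label 9 returns. The `__ex_table` entry for label 5 lies past the last visible line, and the clearing path is only correct if a fault there still resumes at 6 with `%r2` and `%r3` unadjusted. The inner diff was generated against linux-2.6.18.1, so it is also worth confirming that it applies to the 2.6.8 sources without fuzz on both files.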

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
   Mon Nov 13 05:03:16 2006
@@ -4,3 +4,4 @@
 + atm-clip-freed-skb-deref.dpatch
 + ip6_flowlabel-lockup.dpatch
 + ppc-alignment-exception-table-check.dpatch
++ s390-uaccess-memleak.dpatch
