Author: dannf
Date: Tue Aug 28 04:34:33 2007
New Revision: 9386

Log:
* bugfix/cpuset_tasks-underflow.patch
  [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
  local attackers to read sensitive kernel memory if the cpuset filesystem
  is mounted.
  See CVE-2007-2875

Added:
   
dists/etch-security/linux-2.6/debian/patches/bugfix/cpuset_tasks-underflow.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch2

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Tue Aug 28 04:34:33 2007
@@ -4,8 +4,13 @@
     [SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
     and check for out of bounds condition in index provided by userspace
     See CVE-2007-2172
+  * bugfix/cpuset_tasks-underflow.patch
+    [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
+    local attackers to read sensitive kernel memory if the cpuset filesystem
+    is mounted.
+    See CVE-2007-2875
 
- -- dann frazier <[EMAIL PROTECTED]>  Mon, 27 Aug 2007 22:16:19 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Mon, 27 Aug 2007 22:32:44 -0600
 
 linux-2.6 (2.6.18.dfsg.1-13etch1) stable-security; urgency=high
 

Added: 
dists/etch-security/linux-2.6/debian/patches/bugfix/cpuset_tasks-underflow.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/cpuset_tasks-underflow.patch
    Tue Aug 28 04:34:33 2007
@@ -0,0 +1,61 @@
+From: Akinobu Mita <[EMAIL PROTECTED]>
+Date: Wed, 9 May 2007 09:33:33 +0000 (-0700)
+Subject: use simple_read_from_buffer in kernel/
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=85badbdf5120d246ce2bb3f1a7689a805f9c9006
+
+use simple_read_from_buffer in kernel/
+
+Cleanup using simple_read_from_buffer() for /dev/cpuset/tasks and
+/proc/config.gz.
+
+Cc: Paul Jackson <[EMAIL PROTECTED]>
+Cc: Randy Dunlap <[EMAIL PROTECTED]>
+Signed-off-by: Akinobu Mita <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN linux-source-2.6.18.orig/kernel/configs.c 
linux-source-2.6.18/kernel/configs.c
+--- linux-source-2.6.18.orig/kernel/configs.c  2006-09-19 21:42:06.000000000 
-0600
++++ linux-source-2.6.18/kernel/configs.c       2007-08-27 22:30:10.774211736 
-0600
+@@ -61,18 +61,9 @@ static ssize_t
+ ikconfig_read_current(struct file *file, char __user *buf,
+                     size_t len, loff_t * offset)
+ {
+-      loff_t pos = *offset;
+-      ssize_t count;
+-
+-      if (pos >= kernel_config_data_size)
+-              return 0;
+-
+-      count = min(len, (size_t)(kernel_config_data_size - pos));
+-      if (copy_to_user(buf, kernel_config_data + MAGIC_SIZE + pos, count))
+-              return -EFAULT;
+-
+-      *offset += count;
+-      return count;
++      return simple_read_from_buffer(buf, len, offset,
++                                     kernel_config_data + MAGIC_SIZE,
++                                     kernel_config_data_size);
+ }
+ 
+ static struct file_operations ikconfig_file_ops = {
+diff -urpN linux-source-2.6.18.orig/kernel/cpuset.c 
linux-source-2.6.18/kernel/cpuset.c
+--- linux-source-2.6.18.orig/kernel/cpuset.c   2006-09-19 21:42:06.000000000 
-0600
++++ linux-source-2.6.18/kernel/cpuset.c        2007-08-27 22:30:10.778211823 
-0600
+@@ -1743,12 +1743,7 @@ static ssize_t cpuset_tasks_read(struct 
+ {
+       struct ctr_struct *ctr = file->private_data;
+ 
+-      if (*ppos + nbytes > ctr->bufsz)
+-              nbytes = ctr->bufsz - *ppos;
+-      if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
+-              return -EFAULT;
+-      *ppos += nbytes;
+-      return nbytes;
++      return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
+ }
+ 
+ static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
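Review bot: The patch header added here never ties the upstream "cleanup" commit to the underflow it closes, so the backport line (`Backported to Debian's 2.6.18 by dann frazier`) should carry a short rationale, for example `Fixes CVE-2007-2875: old cpuset_tasks_read() computed ctr->bufsz - *ppos without first checking *ppos against bufsz`. With the open-coded clamp removed, the bound on `*ppos` lives entirely in `simple_read_from_buffer()`, whose body is not part of this hunk; it is worth confirming that the 2.6.18 copy of that helper rejects negative and past-the-end offsets before it reaches `copy_to_user()`. The kernel/configs.c half looks like pure cleanup, since the removed code already returned 0 for `pos >= kernel_config_data_size`, and saying so in the header would help anyone auditing which part of this security upload is the actual fix.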

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch2 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch2 Tue Aug 28 
04:34:33 2007
@@ -1 +1,2 @@
 + bugfix/ipv4-fib_props-out-of-bounds.patch
++ bugfix/cpuset_tasks-underflow.patch
