[kernel] r7182 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Thu Aug 17 06:26:09 UTC 2006


Author: dannf
Date: Thu Aug 17 06:26:07 2006
New Revision: 7182

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sg-no-mmap-VM_IO.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5

Log:
* sg-no-mmap-VM_IO.dpatch
  [SECURITY] Fix DoS vulnerability whereby a local user could attempt
  a dio/mmap and cause the sg driver to oops.
  See CVE-2006-1528

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Thu Aug 17 06:26:07 2006
@@ -28,8 +28,12 @@
   * netfilter-SO_ORIGINAL_DST-leak.dpatch
     [SECURITY] Fix information leak in SO_ORIGINAL_DST
     See CVE-2006-1343
+  * sg-no-mmap-VM_IO.dpatch
+    [SECURITY] Fix DoS vulnerability whereby a local user could attempt
+    a dio/mmap and cause the sg driver to oops.
+    See CVE-2006-1528
 
- -- dann frazier <dannf at debian.org>  Thu, 17 Aug 2006 00:14:02 -0600
+ -- dann frazier <dannf at debian.org>  Thu, 17 Aug 2006 00:23:16 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high
 

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	Thu Aug 17 06:26:07 2006
@@ -5,3 +5,4 @@
 + usb-serial-ftdi_sio-dos.dpatch
 + selinux-tracer-SID-fix.dpatch
 + netfilter-SO_ORIGINAL_DST-leak.dpatch
++ sg-no-mmap-VM_IO.dpatch

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sg-no-mmap-VM_IO.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sg-no-mmap-VM_IO.dpatch	Thu Aug 17 06:26:07 2006
@@ -0,0 +1,49 @@
+diff -Naru a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+--- a/drivers/scsi/sg.c	2006-08-17 07:30:31 -07:00
++++ b/drivers/scsi/sg.c	2006-08-17 07:30:31 -07:00
+@@ -1299,7 +1299,7 @@
+ 		sg_rb_correct4mmap(rsv_schp, 1);	/* do only once per fd lifetime */
+ 		sfp->mmap_called = 1;
+ 	}
+-	vma->vm_flags |= (VM_RESERVED | VM_IO);
++	vma->vm_flags |= VM_RESERVED;
+ 	vma->vm_private_data = sfp;
+ 	vma->vm_ops = &sg_mmap_vm_ops;
+ 	return 0;
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/09/09 16:37:05-05:00 dougg at torque.net 
+#   [SCSI] sg: do not set VM_IO flag on mmap-ed pages
+#   
+#   Further to the problem discussed in this post:
+#   http://marc.theaimsgroup.com/?l=linux-scsi&m=112540053711489&w=2
+#   
+#   It seems that the sg driver does not need to set the VM_IO flag
+#   on pages that it memory maps to the user space since they are
+#   not from the IO space. Ahmed Teirelbar <ahmed.teirelbar at adic.com>
+#   wants the facility and has tested this patch as I have without
+#   adverse effects.
+#   
+#   The oops protection is still important. Some users really did
+#   try and use dio transfers from the sg driver to memory mapped
+#   IO space (on a video capture card if my memory serves) during the
+#   lk 2.4 series. I'm not sure how successful it was but that will
+#   now be politely refused in lk 2.6.13+ .
+#   
+#   Changelog:
+#      - set the page flags for sg's reserved buffer mmap-ed
+#        to the user space to VM_RESERVED (rather than
+#        VM_RESERVED | VM_IO )
+#   
+#   Signed-off-by: Douglas Gilbert <dougg at torque.net>
+#   Signed-off-by: James Bottomley <James.Bottomley at SteelEye.com>
+#   
+#   GIT: 1c8e71d72026ed4c6ba0fdfd7eebd865f4fd1415
+# 
+# drivers/scsi/sg.c
+#   2005/09/09 16:37:05-05:00 dougg at torque.net +2 -2
+# 
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+ * Dropped the sg_version_date update
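
Review bot: The embedded upstream message says the dio-to-IO-space case "will now be politely refused in lk 2.6.13+", but the backport note at the end of sg-no-mmap-VM_IO.dpatch lists only "Dropped the sg_version_date update" and does not say whether the 2.6.8 tree has the refusal that message relies on. The only code change here is "vma->vm_flags |= VM_RESERVED;" in the sg mmap path, so please state in the backport note or the changelog entry which check in 2.6.8 handles the CVE-2006-1528 dio/mmap case once VM_IO is no longer set on these pages, or confirm that none is needed. As a style point, the two "Backported to Debian's 2.6.8" lines sit after the patch body without the "#" prefix used by the rest of the metadata; prefixing them would keep the header uniform and make the "+2 -2" count in the BitKeeper header easier to reconcile with the one-line hunk.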


