[kernel] r7785 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Mon Nov 13 04:03:16 UTC 2006


Author: dannf
Date: Mon Nov 13 05:03:16 2006
New Revision: 7785

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/s390-uaccess-memleak.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
Log:
* s390-uaccess-memleak.dpatch
  [SECURITY][s390] Fix memory leak in copy_from_user by clearing the
  remaining bytes of the kernel buffer after a fault on the userspace
  address in copy_from_user()
  See CVE-2006-5174

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Mon Nov 13 05:03:16 2006
@@ -24,8 +24,13 @@
     [SECURITY][ppc] Avoid potential DoS which can be triggered by some
     futex ops
     See CVE-2006-5649
+  * s390-uaccess-memleak.dpatch
+    [SECURITY][s390] Fix memory leak in copy_from_user by clearing the
+    remaining bytes of the kernel buffer after a fault on the userspace
+    address in copy_from_user()
+    See CVE-2006-5174
 
- -- dann frazier <dannf at debian.org>  Sun, 12 Nov 2006 20:13:06 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 12 Nov 2006 21:02:15 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge5) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/s390-uaccess-memleak.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/s390-uaccess-memleak.dpatch	Mon Nov 13 05:03:16 2006
@@ -0,0 +1,65 @@
+From: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Date: Wed, 18 Oct 2006 10:58:07 +0200
+Subject: No Subject
+Message-Id: <1161161887.29912.8.camel at localhost>
+Mime-Version: 1.0
+Content-Transfer-Encoding: 7bit
+
+[S390] user readable uninitialised kernel memory.
+
+A user space program can read uninitialised kernel memory
+by appending to a file from a bad address and then reading
+the result back. The cause is the copy_from_user function
+that does not clear the remaining bytes of the kernel
+buffer after it got a fault on the user space address.
+
+Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+---
+ arch/s390/lib/uaccess.S   |   12 +++++++++++-
+ arch/s390/lib/uaccess64.S |   12 +++++++++++-
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff -urpN linux-2.6.18.1/arch/s390/lib/uaccess64.S linux-2.6.18.1-s390/arch/s390/lib/uaccess64.S
+--- linux-2.6.18.1/arch/s390/lib/uaccess64.S	2006-10-17 13:26:32.000000000 +0200
++++ linux-2.6.18.1-s390/arch/s390/lib/uaccess64.S	2006-10-17 13:21:20.000000000 +0200
+@@ -40,7 +40,17 @@ __copy_from_user_asm:
+ 	# move with the reduced length which is < 256
+ 5:	mvcp	0(%r5,%r2),0(%r4),%r0
+ 	slgr	%r3,%r5
+-6:	lgr	%r2,%r3
++	algr	%r2,%r5
++6:	lgr	%r5,%r3		# copy remaining size
++	aghi	%r5,-1		# subtract 1 for xc loop
++	bras	%r4,8f
++	xc	0(1,%r2),0(%r2)
++7:	xc	0(256,%r2),0(%r2)
++	la	%r2,256(%r2)
++8:	aghi	%r5,-256
++	jnm	7b
++	ex	%r5,0(%r4)
++9:	lgr	%r2,%r3
+ 	br	%r14
+         .section __ex_table,"a"
+ 	.quad	0b,4b
+diff -urpN linux-2.6.18.1/arch/s390/lib/uaccess.S linux-2.6.18.1-s390/arch/s390/lib/uaccess.S
+--- linux-2.6.18.1/arch/s390/lib/uaccess.S	2006-10-17 13:26:32.000000000 +0200
++++ linux-2.6.18.1-s390/arch/s390/lib/uaccess.S	2006-10-17 13:21:06.000000000 +0200
+@@ -40,7 +40,17 @@ __copy_from_user_asm:
+ 	# move with the reduced length which is < 256
+ 5:	mvcp	0(%r5,%r2),0(%r4),%r0
+ 	slr	%r3,%r5
+-6:	lr	%r2,%r3
++	alr	%r2,%r5
++6:	lr	%r5,%r3		# copy remaining size
++	ahi	%r5,-1		# subtract 1 for xc loop
++	bras	%r4,8f
++	xc	0(1,%r2),0(%r2)
++7:	xc	0(256,%r2),0(%r2)
++	la	%r2,256(%r2)
++8:	ahi	%r5,-256
++	jnm	7b
++	ex	%r5,0(%r4)
++9:	lr	%r2,%r3
+ 	br	%r14
+         .section __ex_table,"a"
+ 	.long	0b,4b
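Review bot: The clearing tail added at label `6:` (in both the uaccess64.S and uaccess.S parts of this dpatch) is only correct when %r3, the count of bytes not copied, is at least 1, and nothing in the patch states that invariant. With %r3 == 0 the count in %r5 is already negative before the loop, so `jnm 7b` falls through and the final `ex %r5,0(%r4)` runs the `xc` template with a length byte of 0xff, zeroing 256 bytes past the end of the destination. The branches and `__ex_table` fixups that reach `6:` lie outside the hunk, so this is presumably unreachable, but it should be written down, e.g. `6:	lgr	%r5,%r3		# remaining size; assumes %r3 >= 1 (bytes left after the fault)`, and `bras %r4,8f` deserves `# %r4 = address of the 1-byte xc template run via ex`. The embedded diff was generated against linux-2.6.18.1 while this series targets the 2.6.8 source, so the context lines and exception-table entries of __copy_from_user_asm are worth confirming against the 2.6.8 files.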

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6	Mon Nov 13 05:03:16 2006
@@ -4,3 +4,4 @@
 + atm-clip-freed-skb-deref.dpatch
 + ip6_flowlabel-lockup.dpatch
 + ppc-alignment-exception-table-check.dpatch
++ s390-uaccess-memleak.dpatch


