[kernel] r9386 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Aug 28 04:34:33 UTC 2007
Author: dannf
Date: Tue Aug 28 04:34:33 2007
New Revision: 9386
Log:
* bugfix/cpuset_tasks-underflow.patch
[SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
local attackers to read sensitive kernel memory if the cpuset filesystem
is mounted.
See CVE-2007-2875
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/cpuset_tasks-underflow.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/13etch2
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Tue Aug 28 04:34:33 2007
@@ -4,8 +4,13 @@
[SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
and check for out of bounds condition in index provided by userspace
See CVE-2007-2172
+ * bugfix/cpuset_tasks-underflow.patch
+ [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
+ local attackers to read sensitive kernel memory if the cpuset filesystem
+ is mounted.
+ See CVE-2007-2875
- -- dann frazier <dannf at debian.org> Mon, 27 Aug 2007 22:16:19 -0600
+ -- dann frazier <dannf at debian.org> Mon, 27 Aug 2007 22:32:44 -0600
linux-2.6 (2.6.18.dfsg.1-13etch1) stable-security; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/cpuset_tasks-underflow.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/cpuset_tasks-underflow.patch Tue Aug 28 04:34:33 2007
@@ -0,0 +1,61 @@
+From: Akinobu Mita <akinobu.mita at gmail.com>
+Date: Wed, 9 May 2007 09:33:33 +0000 (-0700)
+Subject: use simple_read_from_buffer in kernel/
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=85badbdf5120d246ce2bb3f1a7689a805f9c9006
+
+use simple_read_from_buffer in kernel/
+
+Cleanup using simple_read_from_buffer() for /dev/cpuset/tasks and
+/proc/config.gz.
+
+Cc: Paul Jackson <pj at sgi.com>
+Cc: Randy Dunlap <rdunlap at xenotime.net>
+Signed-off-by: Akinobu Mita <akinobu.mita at gmail.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/kernel/configs.c linux-source-2.6.18/kernel/configs.c
+--- linux-source-2.6.18.orig/kernel/configs.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/configs.c 2007-08-27 22:30:10.774211736 -0600
+@@ -61,18 +61,9 @@ static ssize_t
+ ikconfig_read_current(struct file *file, char __user *buf,
+ size_t len, loff_t * offset)
+ {
+- loff_t pos = *offset;
+- ssize_t count;
+-
+- if (pos >= kernel_config_data_size)
+- return 0;
+-
+- count = min(len, (size_t)(kernel_config_data_size - pos));
+- if (copy_to_user(buf, kernel_config_data + MAGIC_SIZE + pos, count))
+- return -EFAULT;
+-
+- *offset += count;
+- return count;
++ return simple_read_from_buffer(buf, len, offset,
++ kernel_config_data + MAGIC_SIZE,
++ kernel_config_data_size);
+ }
+
+ static struct file_operations ikconfig_file_ops = {
+diff -urpN linux-source-2.6.18.orig/kernel/cpuset.c linux-source-2.6.18/kernel/cpuset.c
+--- linux-source-2.6.18.orig/kernel/cpuset.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/cpuset.c 2007-08-27 22:30:10.778211823 -0600
+@@ -1743,12 +1743,7 @@ static ssize_t cpuset_tasks_read(struct
+ {
+ struct ctr_struct *ctr = file->private_data;
+
+- if (*ppos + nbytes > ctr->bufsz)
+- nbytes = ctr->bufsz - *ppos;
+- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
+- return -EFAULT;
+- *ppos += nbytes;
+- return nbytes;
++ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
+ }
+
+ static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch2 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch2 Tue Aug 28 04:34:33 2007
@@ -1 +1,2 @@
+ bugfix/ipv4-fib_props-out-of-bounds.patch
++ bugfix/cpuset_tasks-underflow.patch
More information about the Kernel-svn-changes
mailing list