[kernel] r9386 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Tue Aug 28 04:34:33 UTC 2007


Author: dannf
Date: Tue Aug 28 04:34:33 2007
New Revision: 9386

Log:
* bugfix/cpuset_tasks-underflow.patch
  [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
  local attackers to read sensitive kernel memory if the cpuset filesystem
  is mounted.
  See CVE-2007-2875

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/cpuset_tasks-underflow.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch2

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue Aug 28 04:34:33 2007
@@ -4,8 +4,13 @@
     [SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
     and check for out of bounds condition in index provided by userspace
     See CVE-2007-2172
+  * bugfix/cpuset_tasks-underflow.patch
+    [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
+    local attackers to read sensitive kernel memory if the cpuset filesystem
+    is mounted.
+    See CVE-2007-2875
 
- -- dann frazier <dannf at debian.org>  Mon, 27 Aug 2007 22:16:19 -0600
+ -- dann frazier <dannf at debian.org>  Mon, 27 Aug 2007 22:32:44 -0600
 
 linux-2.6 (2.6.18.dfsg.1-13etch1) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/cpuset_tasks-underflow.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/cpuset_tasks-underflow.patch	Tue Aug 28 04:34:33 2007
@@ -0,0 +1,61 @@
+From: Akinobu Mita <akinobu.mita at gmail.com>
+Date: Wed, 9 May 2007 09:33:33 +0000 (-0700)
+Subject: use simple_read_from_buffer in kernel/
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=85badbdf5120d246ce2bb3f1a7689a805f9c9006
+
+use simple_read_from_buffer in kernel/
+
+Cleanup using simple_read_from_buffer() for /dev/cpuset/tasks and
+/proc/config.gz.
+
+Cc: Paul Jackson <pj at sgi.com>
+Cc: Randy Dunlap <rdunlap at xenotime.net>
+Signed-off-by: Akinobu Mita <akinobu.mita at gmail.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/kernel/configs.c linux-source-2.6.18/kernel/configs.c
+--- linux-source-2.6.18.orig/kernel/configs.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/configs.c	2007-08-27 22:30:10.774211736 -0600
+@@ -61,18 +61,9 @@ static ssize_t
+ ikconfig_read_current(struct file *file, char __user *buf,
+ 		      size_t len, loff_t * offset)
+ {
+-	loff_t pos = *offset;
+-	ssize_t count;
+-
+-	if (pos >= kernel_config_data_size)
+-		return 0;
+-
+-	count = min(len, (size_t)(kernel_config_data_size - pos));
+-	if (copy_to_user(buf, kernel_config_data + MAGIC_SIZE + pos, count))
+-		return -EFAULT;
+-
+-	*offset += count;
+-	return count;
++	return simple_read_from_buffer(buf, len, offset,
++				       kernel_config_data + MAGIC_SIZE,
++				       kernel_config_data_size);
+ }
+ 
+ static struct file_operations ikconfig_file_ops = {
+diff -urpN linux-source-2.6.18.orig/kernel/cpuset.c linux-source-2.6.18/kernel/cpuset.c
+--- linux-source-2.6.18.orig/kernel/cpuset.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/cpuset.c	2007-08-27 22:30:10.778211823 -0600
+@@ -1743,12 +1743,7 @@ static ssize_t cpuset_tasks_read(struct 
+ {
+ 	struct ctr_struct *ctr = file->private_data;
+ 
+-	if (*ppos + nbytes > ctr->bufsz)
+-		nbytes = ctr->bufsz - *ppos;
+-	if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
+-		return -EFAULT;
+-	*ppos += nbytes;
+-	return nbytes;
++	return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
+ }
+ 
+ static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
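Review bot: The header of the new cpuset_tasks-underflow.patch carries only the upstream "use simple_read_from_buffer in kernel/" cleanup text, so nothing in the patch file itself says the kernel/cpuset.c change is the CVE-2007-2875 fix; that is recorded only in debian/changelog. I would add a line after "Backported to Debian's 2.6.18 by ...", for example `[SECURITY] CVE-2007-2875: the old clamp computed nbytes = ctr->bufsz - *ppos even when *ppos was already past bufsz; simple_read_from_buffer() bounds-checks the offset before copying.` The removed clamp has no check that `*ppos` is within `ctr->bufsz`, so the subtraction presumably wraps to a very large length; the type of `nbytes` is not visible because the cpuset_tasks_read signature is cut off in the inner hunk header. The kernel/configs.c half looks like pure cleanup, since the removed code there already returned 0 for `pos >= kernel_config_data_size`. The header should say it is carried only to match the upstream commit, so later reviewers of this stable-security upload do not look for a second vulnerability there.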

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch2	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch2	Tue Aug 28 04:34:33 2007
@@ -1 +1,2 @@
 + bugfix/ipv4-fib_props-out-of-bounds.patch
++ bugfix/cpuset_tasks-underflow.patch


