[kernel] r9547 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Sep 26 00:40:08 UTC 2007
Author: dannf
Date: Wed Sep 26 00:40:07 2007
New Revision: 9547
Log:
* bugfix/proc-snd-page-alloc-mem-leak.patch
[SECURITY] Fix an issue in the alsa subsystem that allows a local user
to read potentially sensitive kernel memory from the proc filesystem
See CVE-2007-4571
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/proc-snd-page-alloc-mem-leak.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/13etch3
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Wed Sep 26 00:40:07 2007
@@ -19,8 +19,12 @@
* bugfix/jffs2-ACL-vs-mode-handling.patch
[SECURITY] Write correct legacy modes to the medium on inode creation to
prevent incorrect permissions upon remount.
+ * bugfix/proc-snd-page-alloc-mem-leak.patch
+ [SECURITY] Fix an issue in the alsa subsystem that allows a local user
+ to read potentially sensitive kernel memory from the proc filesystem
+ See CVE-2007-4571
- -- dann frazier <dannf at debian.org> Tue, 25 Sep 2007 00:19:49 -0600
+ -- dann frazier <dannf at debian.org> Tue, 25 Sep 2007 18:35:25 -0600
linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/proc-snd-page-alloc-mem-leak.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/proc-snd-page-alloc-mem-leak.patch Wed Sep 26 00:40:07 2007
@@ -0,0 +1,169 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Mon, 17 Sep 2007 19:55:10 +0000 (+0200)
+Subject: Convert snd-page-alloc proc file to use seq_file
+X-Git-Tag: v2.6.23-rc8~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ccec6e2c4a74adf76ed4e2478091a311b1806212;hp=7bae705ef2c2daac1993de03e5be93b5c300fc5e
+
+Convert snd-page-alloc proc file to use seq_file
+
+Use seq_file for the proc file read/write of snd-page-alloc module.
+This automatically fixes bugs in the old proc code.
+
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/sound/core/memalloc.c linux-source-2.6.18/sound/core/memalloc.c
+--- linux-source-2.6.18.orig/sound/core/memalloc.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/sound/core/memalloc.c 2007-09-25 17:53:01.000000000 -0600
+@@ -27,6 +27,7 @@
+ #include <linux/pci.h>
+ #include <linux/slab.h>
+ #include <linux/mm.h>
++#include <linux/seq_file.h>
+ #include <asm/uaccess.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/moduleparam.h>
+@@ -483,10 +484,8 @@ static void free_all_reserved_pages(void
+ #define SND_MEM_PROC_FILE "driver/snd-page-alloc"
+ static struct proc_dir_entry *snd_mem_proc;
+
+-static int snd_mem_proc_read(char *page, char **start, off_t off,
+- int count, int *eof, void *data)
++static int snd_mem_proc_read(struct seq_file *seq, void *offset)
+ {
+- int len = 0;
+ long pages = snd_allocated_pages >> (PAGE_SHIFT-12);
+ struct list_head *p;
+ struct snd_mem_list *mem;
+@@ -494,44 +493,47 @@ static int snd_mem_proc_read(char *page,
+ static char *types[] = { "UNKNOWN", "CONT", "DEV", "DEV-SG", "SBUS" };
+
+ mutex_lock(&list_mutex);
+- len += snprintf(page + len, count - len,
+- "pages : %li bytes (%li pages per %likB)\n",
+- pages * PAGE_SIZE, pages, PAGE_SIZE / 1024);
++ seq_printf(seq, "pages : %li bytes (%li pages per %likB)\n",
++ pages * PAGE_SIZE, pages, PAGE_SIZE / 1024);
+ devno = 0;
+ list_for_each(p, &mem_list_head) {
+ mem = list_entry(p, struct snd_mem_list, list);
+ devno++;
+- len += snprintf(page + len, count - len,
+- "buffer %d : ID %08x : type %s\n",
+- devno, mem->id, types[mem->buffer.dev.type]);
+- len += snprintf(page + len, count - len,
+- " addr = 0x%lx, size = %d bytes\n",
+- (unsigned long)mem->buffer.addr, (int)mem->buffer.bytes);
++ seq_printf(seq, "buffer %d : ID %08x : type %s\n",
++ devno, mem->id, types[mem->buffer.dev.type]);
++ seq_printf(seq, " addr = 0x%lx, size = %d bytes\n",
++ (unsigned long)mem->buffer.addr,
++ (int)mem->buffer.bytes);
+ }
+ mutex_unlock(&list_mutex);
+- return len;
++ return 0;
++}
++
++static int snd_mem_proc_open(struct inode *inode, struct file *file)
++{
++ return single_open(file, snd_mem_proc_read, NULL);
+ }
+
+ /* FIXME: for pci only - other bus? */
+ #ifdef CONFIG_PCI
+ #define gettoken(bufp) strsep(bufp, " \t\n")
+
+-static int snd_mem_proc_write(struct file *file, const char __user *buffer,
+- unsigned long count, void *data)
++static ssize_t snd_mem_proc_write(struct file *file, const char __user * buffer,
++ size_t count, loff_t * ppos)
+ {
+ char buf[128];
+ char *token, *p;
+
+- if (count > ARRAY_SIZE(buf) - 1)
+- count = ARRAY_SIZE(buf) - 1;
++ if (count > sizeof(buf) - 1)
++ return -EINVAL;
+ if (copy_from_user(buf, buffer, count))
+ return -EFAULT;
+- buf[ARRAY_SIZE(buf) - 1] = '\0';
++ buf[count] = '\0';
+
+ p = buf;
+ token = gettoken(&p);
+ if (! token || *token == '#')
+- return (int)count;
++ return count;
+ if (strcmp(token, "add") == 0) {
+ char *endp;
+ int vendor, device, size, buffers;
+@@ -552,7 +554,7 @@ static int snd_mem_proc_write(struct fil
+ (buffers = simple_strtol(token, NULL, 0)) <= 0 ||
+ buffers > 4) {
+ printk(KERN_ERR "snd-page-alloc: invalid proc write format\n");
+- return (int)count;
++ return count;
+ }
+ vendor &= 0xffff;
+ device &= 0xffff;
+@@ -564,7 +566,7 @@ static int snd_mem_proc_write(struct fil
+ if (pci_set_dma_mask(pci, mask) < 0 ||
+ pci_set_consistent_dma_mask(pci, mask) < 0) {
+ printk(KERN_ERR "snd-page-alloc: cannot set DMA mask %lx for pci %04x:%04x\n", mask, vendor, device);
+- return (int)count;
++ return count;
+ }
+ }
+ for (i = 0; i < buffers; i++) {
+@@ -574,7 +576,7 @@ static int snd_mem_proc_write(struct fil
+ size, &dmab) < 0) {
+ printk(KERN_ERR "snd-page-alloc: cannot allocate buffer pages (size = %d)\n", size);
+ pci_dev_put(pci);
+- return (int)count;
++ return count;
+ }
+ snd_dma_reserve_buf(&dmab, snd_dma_pci_buf_id(pci));
+ }
+@@ -600,9 +602,21 @@ static int snd_mem_proc_write(struct fil
+ free_all_reserved_pages();
+ else
+ printk(KERN_ERR "snd-page-alloc: invalid proc cmd\n");
+- return (int)count;
++ return count;
+ }
+ #endif /* CONFIG_PCI */
++
++static const struct file_operations snd_mem_proc_fops = {
++ .owner = THIS_MODULE,
++ .open = snd_mem_proc_open,
++ .read = seq_read,
++#ifdef CONFIG_PCI
++ .write = snd_mem_proc_write,
++#endif
++ .llseek = seq_lseek,
++ .release = single_release,
++};
++
+ #endif /* CONFIG_PROC_FS */
+
+ /*
+@@ -613,12 +627,8 @@ static int __init snd_mem_init(void)
+ {
+ #ifdef CONFIG_PROC_FS
+ snd_mem_proc = create_proc_entry(SND_MEM_PROC_FILE, 0644, NULL);
+- if (snd_mem_proc) {
+- snd_mem_proc->read_proc = snd_mem_proc_read;
+-#ifdef CONFIG_PCI
+- snd_mem_proc->write_proc = snd_mem_proc_write;
+-#endif
+- }
++ if (snd_mem_proc)
++ snd_mem_proc->proc_fops = &snd_mem_proc_fops;
+ #endif
+ return 0;
+ }
Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch3 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch3 Wed Sep 26 00:40:07 2007
@@ -4,3 +4,4 @@
+ bugfix/cifs-honor-umask.patch
+ bugfix/amd64-zero-extend-32bit-ptrace.patch
+ bugfix/jffs2-ACL-vs-mode-handling.patch
++ bugfix/proc-snd-page-alloc-mem-leak.patch
More information about the Kernel-svn-changes
mailing list