[kernel] r10123 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Wed Jan 16 07:37:12 UTC 2008 

Author: dannf
Date: Wed Jan 16 07:37:12 2008
New Revision: 10123

Log:
* bugfix/do_brk-security-hook.patch
  Add security checks to do_brk() to prevent unprivileged users from
  accessing low memory pages
  See CVE-2007-6434

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/do_brk-security-hook.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/17etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed Jan 16 07:37:12 2008
@@ -16,8 +16,12 @@
     local user to read potentially sensitive kernel memory from the proc
     filesystem
     See CVE-2007-4571
+  * bugfix/do_brk-security-hook.patch
+    Add security checks to do_brk() to prevent unprivileged users from
+    accessing low memory pages
+    See CVE-2007-6434
 
- -- dann frazier <dannf at debian.org>  Tue, 15 Jan 2008 16:44:15 -0700
+ -- dann frazier <dannf at debian.org>  Wed, 16 Jan 2008 00:31:52 -0700
 
 linux-2.6 (2.6.18.dfsg.1-17) stable; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/do_brk-security-hook.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/do_brk-security-hook.patch	Wed Jan 16 07:37:12 2008
@@ -0,0 +1,34 @@
+commit ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
+Author: Eric Paris <eparis at redhat.com>
+Date:   Tue Dec 4 23:45:31 2007 -0800
+
+    VM/Security: add security hook to do_brk
+    
+    Given a specifically crafted binary do_brk() can be used to get low pages
+    available in userspace virtual memory and can thus be used to circumvent
+    the mmap_min_addr low memory protection.  Add security checks in do_brk().
+    
+    Signed-off-by: Eric Paris <eparis at redhat.com>
+    Acked-by: Alan Cox <alan at redhat.com>
+    Cc: Stephen Smalley <sds at tycho.nsa.gov>
+    Cc: James Morris <jmorris at namei.org>
+    Cc: Chris Wright <chrisw at sous-sol.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/mm/mmap.c linux-source-2.6.18/mm/mmap.c
+--- linux-source-2.6.18.orig/mm/mmap.c	2008-01-15 16:46:27.000000000 -0700
++++ linux-source-2.6.18/mm/mmap.c	2008-01-16 00:28:42.000000000 -0700
+@@ -1883,6 +1883,10 @@ unsigned long do_brk(unsigned long addr,
+ 	if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+ 		return -EINVAL;
+ 
++	error = security_file_mmap(0, 0, 0, 0, addr, 1);
++	if (error)
++		return error;
++
+ 	flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+ 
+ 	error = arch_mmap_check(addr, len, flags);

Modified: dists/etch-security/linux-2.6/debian/patches/series/17etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/17etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/17etch1	Wed Jan 16 07:37:12 2008
@@ -3,3 +3,4 @@
 + bugfix/fat-move-ioctl-compat-code.patch
 + bugfix/fat-fix-compat-ioctls.patch
 + bugfix/proc-snd-page-alloc-mem-leak.patch
++ bugfix/do_brk-security-hook.patch

More information about the Kernel-svn-changes mailing list