[kernel] r12293 - in dists/sid/linux-2.6/debian: . patches/bugfix/s390 patches/series

Dann Frazier dannf at alioth.debian.org
Thu Oct 9 07:36:50 UTC 2008


Author: dannf
Date: Thu Oct  9 07:36:49 2008
New Revision: 12293

Log:
[S390] prevent ptrace padding area read/write in 31-bit mode (CVE-2008-1514)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/s390/
   dists/sid/linux-2.6/debian/patches/bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/8

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Thu Oct  9 07:36:49 2008
@@ -11,8 +11,9 @@
   [ dann frazier ]
   * [ata] Fix off-by-one-error that causes errors when reading a
     block on the LBA28-LBA48 boundary
+  * [S390] prevent ptrace padding area read/write in 31-bit mode (CVE-2008-1514)
 
- -- dann frazier <dannf at debian.org>  Thu, 09 Oct 2008 00:32:29 -0600
+ -- dann frazier <dannf at debian.org>  Thu, 09 Oct 2008 01:27:39 -0600
 
 linux-2.6 (2.6.26-7) unstable; urgency=low
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch	Thu Oct  9 07:36:49 2008
@@ -0,0 +1,113 @@
+From 3d6e48f43340343d97839eadb1ab7b6a3ea98797 Mon Sep 17 00:00:00 2001
+From: Jarod Wilson <jwilson at redhat.com>
+Date: Tue, 9 Sep 2008 12:38:56 +0200
+Subject: S390: CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
+
+From: Jarod Wilson <jwilson at redhat.com>
+
+commit 3d6e48f43340343d97839eadb1ab7b6a3ea98797 upstream
+
+When running a 31-bit ptrace, on either an s390 or s390x kernel,
+reads and writes into a padding area in struct user_regs_struct32
+will result in a kernel panic.
+
+This is also known as CVE-2008-1514.
+
+Test case available here:
+http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap
+
+Steps to reproduce:
+1) wget the above
+2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
+3) ./user-area-padding-31bit
+<panic>
+
+Test status
+-----------
+Without patch, both s390 and s390x kernels panic. With patch, the test case,
+as well as the gdb testsuite, pass without incident, padding area reads
+returning zero, writes ignored.
+
+Nb: original version returned -EINVAL on write attempts, which broke the
+gdb test and made the test case slightly unhappy, Jan Kratochvil suggested
+the change to return 0 on write attempts.
+
+Signed-off-by: Jarod Wilson <jarod at redhat.com>
+Tested-by: Jan Kratochvil <jan.kratochvil at redhat.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Moritz Muehlenhoff <jmm at debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/s390/kernel/compat_ptrace.h |    1 +
+ arch/s390/kernel/ptrace.c        |   28 ++++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+--- a/arch/s390/kernel/compat_ptrace.h
++++ b/arch/s390/kernel/compat_ptrace.h
+@@ -42,6 +42,7 @@ struct user_regs_struct32
+ 	u32 gprs[NUM_GPRS];
+ 	u32 acrs[NUM_ACRS];
+ 	u32 orig_gpr2;
++	/* nb: there's a 4-byte hole here */
+ 	s390_fp_regs fp_regs;
+ 	/*
+ 	 * These per registers are in here so that gdb can modify them
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -177,6 +177,13 @@ peek_user(struct task_struct *child, add
+ 		 */
+ 		tmp = (addr_t) task_pt_regs(child)->orig_gpr2;
+ 
++	} else if (addr < (addr_t) &dummy->regs.fp_regs) {
++		/*
++		 * prevent reads of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		tmp = 0;
++
+ 	} else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ 		/* 
+ 		 * floating point regs. are stored in the thread structure
+@@ -268,6 +275,13 @@ poke_user(struct task_struct *child, add
+ 		 */
+ 		task_pt_regs(child)->orig_gpr2 = data;
+ 
++	} else if (addr < (addr_t) &dummy->regs.fp_regs) {
++		/*
++		 * prevent writes of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		return 0;
++
+ 	} else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ 		/*
+ 		 * floating point regs. are stored in the thread structure
+@@ -409,6 +423,13 @@ peek_user_emu31(struct task_struct *chil
+ 		 */
+ 		tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4);
+ 
++	} else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++		/*
++		 * prevent reads of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		tmp = 0;
++
+ 	} else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ 		/*
+ 		 * floating point regs. are stored in the thread structure 
+@@ -488,6 +509,13 @@ poke_user_emu31(struct task_struct *chil
+ 		 */
+ 		*(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp;
+ 
++	} else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++		/*
++		 * prevent writess of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		return 0;
++
+ 	} else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ 		/*
+ 		 * floating point regs. are stored in the thread structure 
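Review bot: The four new padding-hole guards (the `addr < (addr_t) &dummy->regs.fp_regs` branches in peek_user, poke_user, peek_user_emu31 and poke_user_emu31) are upper-bound-only checks, so each is correct only because the branch right above it ends exactly at the end of orig_gpr2; that earlier bound is outside this hunk, so the invariant should be recorded where the hole is declared rather than left implicit. The compat_ptrace.h comment could carry the contract, e.g. `/* nb: there's a 4-byte hole here; ptrace peek reads it as 0, poke into it is ignored */`, so anyone who later reorders the struct or the branch chain knows both sides depend on each other. The poke_user_emu31 comment reads `prevent writess of padding hole` and should be `prevent writes of padding hole`. All four enclosing functions begin and end outside the hunk.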

Modified: dists/sid/linux-2.6/debian/patches/series/8
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/8	(original)
+++ dists/sid/linux-2.6/debian/patches/series/8	Thu Oct  9 07:36:49 2008
@@ -3,3 +3,4 @@
 + bugfix/all/security-keys-init-user-keyring.patch
 + bugfix/x86/nonpnp-rtc-device.patch
 + bugfix/all/libata-LBA28-LBA48-off-by-one.patch
++ bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch


