[kernel] r12293 - in dists/sid/linux-2.6/debian: . patches/bugfix/s390 patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 9 07:36:50 UTC 2008
Author: dannf
Date: Thu Oct 9 07:36:49 2008
New Revision: 12293
Log:
[S390] prevent ptrace padding area read/write in 31-bit mode (CVE-2008-1514)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/s390/
dists/sid/linux-2.6/debian/patches/bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/8
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog (original)
+++ dists/sid/linux-2.6/debian/changelog Thu Oct 9 07:36:49 2008
@@ -11,8 +11,9 @@
[ dann frazier ]
* [ata] Fix off-by-one-error that causes errors when reading a
block on the LBA28-LBA48 boundary
+ * [S390] prevent ptrace padding area read/write in 31-bit mode (CVE-2008-1514)
- -- dann frazier <dannf at debian.org> Thu, 09 Oct 2008 00:32:29 -0600
+ -- dann frazier <dannf at debian.org> Thu, 09 Oct 2008 01:27:39 -0600
linux-2.6 (2.6.26-7) unstable; urgency=low
Added: dists/sid/linux-2.6/debian/patches/bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch Thu Oct 9 07:36:49 2008
@@ -0,0 +1,113 @@
+From 3d6e48f43340343d97839eadb1ab7b6a3ea98797 Mon Sep 17 00:00:00 2001
+From: Jarod Wilson <jwilson at redhat.com>
+Date: Tue, 9 Sep 2008 12:38:56 +0200
+Subject: S390: CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
+
+From: Jarod Wilson <jwilson at redhat.com>
+
+commit 3d6e48f43340343d97839eadb1ab7b6a3ea98797 upstream
+
+When running a 31-bit ptrace, on either an s390 or s390x kernel,
+reads and writes into a padding area in struct user_regs_struct32
+will result in a kernel panic.
+
+This is also known as CVE-2008-1514.
+
+Test case available here:
+http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap
+
+Steps to reproduce:
+1) wget the above
+2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
+3) ./user-area-padding-31bit
+<panic>
+
+Test status
+-----------
+Without patch, both s390 and s390x kernels panic. With patch, the test case,
+as well as the gdb testsuite, pass without incident, padding area reads
+returning zero, writes ignored.
+
+Nb: original version returned -EINVAL on write attempts, which broke the
+gdb test and made the test case slightly unhappy, Jan Kratochvil suggested
+the change to return 0 on write attempts.
+
+Signed-off-by: Jarod Wilson <jarod at redhat.com>
+Tested-by: Jan Kratochvil <jan.kratochvil at redhat.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Moritz Muehlenhoff <jmm at debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/s390/kernel/compat_ptrace.h | 1 +
+ arch/s390/kernel/ptrace.c | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+--- a/arch/s390/kernel/compat_ptrace.h
++++ b/arch/s390/kernel/compat_ptrace.h
+@@ -42,6 +42,7 @@ struct user_regs_struct32
+ u32 gprs[NUM_GPRS];
+ u32 acrs[NUM_ACRS];
+ u32 orig_gpr2;
++ /* nb: there's a 4-byte hole here */
+ s390_fp_regs fp_regs;
+ /*
+ * These per registers are in here so that gdb can modify them
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -177,6 +177,13 @@ peek_user(struct task_struct *child, add
+ */
+ tmp = (addr_t) task_pt_regs(child)->orig_gpr2;
+
++ } else if (addr < (addr_t) &dummy->regs.fp_regs) {
++ /*
++ * prevent reads of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ tmp = 0;
++
+ } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
+@@ -268,6 +275,13 @@ poke_user(struct task_struct *child, add
+ */
+ task_pt_regs(child)->orig_gpr2 = data;
+
++ } else if (addr < (addr_t) &dummy->regs.fp_regs) {
++ /*
++ * prevent writes of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ return 0;
++
+ } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
+@@ -409,6 +423,13 @@ peek_user_emu31(struct task_struct *chil
+ */
+ tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4);
+
++ } else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++ /*
++ * prevent reads of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ tmp = 0;
++
+ } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
+@@ -488,6 +509,13 @@ poke_user_emu31(struct task_struct *chil
+ */
+ *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp;
+
++ } else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++ /*
++ * prevent writess of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ return 0;
++
+ } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
Modified: dists/sid/linux-2.6/debian/patches/series/8
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/8 (original)
+++ dists/sid/linux-2.6/debian/patches/series/8 Thu Oct 9 07:36:49 2008
@@ -3,3 +3,4 @@
+ bugfix/all/security-keys-init-user-keyring.patch
+ bugfix/x86/nonpnp-rtc-device.patch
+ bugfix/all/libata-LBA28-LBA48-off-by-one.patch
++ bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch