[kernel] r12294 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Thu Oct 9 07:38:16 UTC 2008


Author: dannf
Date: Thu Oct  9 07:38:15 2008
New Revision: 12294

Log:
bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
[S390] prevent ptrace padding area read/write in 31-bit mode
See CVE-2008-1514

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/22etch3

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Thu Oct  9 07:38:15 2008
@@ -18,8 +18,11 @@
   * bugfix/remove-SUID-when-splicing-into-an-inode.patch
     Remove SUID when splicing into an inode
     See CVE-2008-3833
+  * bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
+    [S390] prevent ptrace padding area read/write in 31-bit mode
+    See CVE-2008-1514
 
- -- dann frazier <dannf at debian.org>  Fri, 03 Oct 2008 17:22:53 -0600
+ -- dann frazier <dannf at debian.org>  Thu, 09 Oct 2008 01:36:11 -0600
 
 linux-2.6 (2.6.18.dfsg.1-22etch2) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch	Thu Oct  9 07:38:15 2008
@@ -0,0 +1,107 @@
+commit 3d6e48f43340343d97839eadb1ab7b6a3ea98797
+Author: Jarod Wilson <jwilson at redhat.com>
+Date:   Tue Sep 9 12:38:56 2008 +0200
+
+    [S390] CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
+    
+    When running a 31-bit ptrace, on either an s390 or s390x kernel,
+    reads and writes into a padding area in struct user_regs_struct32
+    will result in a kernel panic.
+    
+    This is also known as CVE-2008-1514.
+    
+    Test case available here:
+    http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap
+    
+    Steps to reproduce:
+    1) wget the above
+    2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
+    3) ./user-area-padding-31bit
+    <panic>
+    
+    Test status
+    -----------
+    Without patch, both s390 and s390x kernels panic. With patch, the test case,
+    as well as the gdb testsuite, pass without incident, padding area reads
+    returning zero, writes ignored.
+    
+    Nb: original version returned -EINVAL on write attempts, which broke the
+    gdb test and made the test case slightly unhappy, Jan Kratochvil suggested
+    the change to return 0 on write attempts.
+    
+    Signed-off-by: Jarod Wilson <jarod at redhat.com>
+    Tested-by: Jan Kratochvil <jan.kratochvil at redhat.com>
+    Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/s390/kernel/compat_ptrace.h linux-source-2.6.18/arch/s390/kernel/compat_ptrace.h
+--- linux-source-2.6.18.orig/arch/s390/kernel/compat_ptrace.h	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/s390/kernel/compat_ptrace.h	2008-10-07 00:09:14.000000000 -0600
+@@ -42,6 +42,7 @@ struct user_regs_struct32
+ 	u32 gprs[NUM_GPRS];
+ 	u32 acrs[NUM_ACRS];
+ 	u32 orig_gpr2;
++	/* nb: there's a 4-byte hole here */
+ 	s390_fp_regs fp_regs;
+ 	/*
+ 	 * These per registers are in here so that gdb can modify them
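Review bot: The new comment `/* nb: there's a 4-byte hole here */` records that the hole exists but not what the kernel is required to do about it, which is the whole reason this patch exists; the ptrace.c hunks further down make peek_user_emu31 return zero for reads landing in that range and poke_user_emu31 accept and discard writes to it. Extending it to `/* nb: there's a 4-byte hole here; peek_user_emu31/poke_user_emu31 treat it as read-as-zero, write-ignored */` ties the layout to the accessors, so a later change to either the struct or the peek/poke chain is less likely to reopen the out-of-bounds access. The struct user_regs_struct32 definition begins before this hunk.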
+diff -urpN linux-source-2.6.18.orig/arch/s390/kernel/ptrace.c linux-source-2.6.18/arch/s390/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/s390/kernel/ptrace.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/s390/kernel/ptrace.c	2008-10-07 00:09:14.000000000 -0600
+@@ -178,6 +178,13 @@ peek_user(struct task_struct *child, add
+ 		 */
+ 		tmp = (addr_t) task_pt_regs(child)->orig_gpr2;
+ 
++	} else if (addr < (addr_t) &dummy->regs.fp_regs) {
++		/*
++		 * prevent reads of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		tmp = 0;
++
+ 	} else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ 		/* 
+ 		 * floating point regs. are stored in the thread structure
+@@ -269,6 +276,13 @@ poke_user(struct task_struct *child, add
+ 		 */
+ 		task_pt_regs(child)->orig_gpr2 = data;
+ 
++	} else if (addr < (addr_t) &dummy->regs.fp_regs) {
++		/*
++		 * prevent writes of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		return 0;
++
+ 	} else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ 		/*
+ 		 * floating point regs. are stored in the thread structure
+@@ -417,6 +431,13 @@ peek_user_emu31(struct task_struct *chil
+ 		 */
+ 		tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4);
+ 
++	} else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++		/*
++		 * prevent reads of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		tmp = 0;
++
+ 	} else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ 		/*
+ 		 * floating point regs. are stored in the thread structure 
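Review bot: The comment in the new branch locates the padding hole `on s390`, but peek_user_emu31 appears to be the 31-bit compat path (the branch just above reads the low word of a 64-bit orig_gpr2 via `+ 4`, and the bound is taken from `dummy32`), so the hole belongs to the user_regs_struct32 layout rather than to the host architecture; `* orig_gpr2 and fp_regs in user_regs_struct32.` would say where it actually is. The same wording is used in the poke_user_emu31 hunk below, whose comment also carries the typo `writess`. Both new checks are correct only because the preceding else-if consumes exactly the orig_gpr2 word and nothing past it; that bound is set outside these hunks, and the enclosing if-chain begins before the hunk in each function.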
+@@ -496,6 +517,13 @@ poke_user_emu31(struct task_struct *chil
+ 		 */
+ 		*(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp;
+ 
++	} else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++		/*
++		 * prevent writess of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		return 0;
++
+ 	} else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ 		/*
+ 		 * floating point regs. are stored in the thread structure 

Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch3	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch3	Thu Oct  9 07:38:15 2008
@@ -5,3 +5,4 @@
 + bugfix/open-allows-sgid-in-sgid-directory.patch
 + bugfix/splice-fix-bad-unlock_page-in-error-case.patch
 + bugfix/remove-SUID-when-splicing-into-an-inode.patch
++ bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch


