[kernel] r12294 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 9 07:38:16 UTC 2008
Author: dannf
Date: Thu Oct 9 07:38:15 2008
New Revision: 12294
Log:
bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
[S390] prevent ptrace padding area read/write in 31-bit mode
See CVE-2008-1514
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/22etch3
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Thu Oct 9 07:38:15 2008
@@ -18,8 +18,11 @@
* bugfix/remove-SUID-when-splicing-into-an-inode.patch
Remove SUID when splicing into an inode
See CVE-2008-3833
+ * bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
+ [S390] prevent ptrace padding area read/write in 31-bit mode
+ See CVE-2008-1514
- -- dann frazier <dannf at debian.org> Fri, 03 Oct 2008 17:22:53 -0600
+ -- dann frazier <dannf at debian.org> Thu, 09 Oct 2008 01:36:11 -0600
linux-2.6 (2.6.18.dfsg.1-22etch2) stable-security; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch Thu Oct 9 07:38:15 2008
@@ -0,0 +1,107 @@
+commit 3d6e48f43340343d97839eadb1ab7b6a3ea98797
+Author: Jarod Wilson <jwilson at redhat.com>
+Date: Tue Sep 9 12:38:56 2008 +0200
+
+ [S390] CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
+
+ When running a 31-bit ptrace, on either an s390 or s390x kernel,
+ reads and writes into a padding area in struct user_regs_struct32
+ will result in a kernel panic.
+
+ This is also known as CVE-2008-1514.
+
+ Test case available here:
+ http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap
+
+ Steps to reproduce:
+ 1) wget the above
+ 2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
+ 3) ./user-area-padding-31bit
+ <panic>
+
+ Test status
+ -----------
+ Without patch, both s390 and s390x kernels panic. With patch, the test case,
+ as well as the gdb testsuite, pass without incident, padding area reads
+ returning zero, writes ignored.
+
+ Nb: original version returned -EINVAL on write attempts, which broke the
+ gdb test and made the test case slightly unhappy, Jan Kratochvil suggested
+ the change to return 0 on write attempts.
+
+ Signed-off-by: Jarod Wilson <jarod at redhat.com>
+ Tested-by: Jan Kratochvil <jan.kratochvil at redhat.com>
+ Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/s390/kernel/compat_ptrace.h linux-source-2.6.18/arch/s390/kernel/compat_ptrace.h
+--- linux-source-2.6.18.orig/arch/s390/kernel/compat_ptrace.h 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/s390/kernel/compat_ptrace.h 2008-10-07 00:09:14.000000000 -0600
+@@ -42,6 +42,7 @@ struct user_regs_struct32
+ u32 gprs[NUM_GPRS];
+ u32 acrs[NUM_ACRS];
+ u32 orig_gpr2;
++ /* nb: there's a 4-byte hole here */
+ s390_fp_regs fp_regs;
+ /*
+ * These per registers are in here so that gdb can modify them
+diff -urpN linux-source-2.6.18.orig/arch/s390/kernel/ptrace.c linux-source-2.6.18/arch/s390/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/s390/kernel/ptrace.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/s390/kernel/ptrace.c 2008-10-07 00:09:14.000000000 -0600
+@@ -178,6 +178,13 @@ peek_user(struct task_struct *child, add
+ */
+ tmp = (addr_t) task_pt_regs(child)->orig_gpr2;
+
++ } else if (addr < (addr_t) &dummy->regs.fp_regs) {
++ /*
++ * prevent reads of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ tmp = 0;
++
+ } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
+@@ -269,6 +276,13 @@ poke_user(struct task_struct *child, add
+ */
+ task_pt_regs(child)->orig_gpr2 = data;
+
++ } else if (addr < (addr_t) &dummy->regs.fp_regs) {
++ /*
++ * prevent writes of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ return 0;
++
+ } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
+@@ -417,6 +431,13 @@ peek_user_emu31(struct task_struct *chil
+ */
+ tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4);
+
++ } else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++ /*
++ * prevent reads of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ tmp = 0;
++
+ } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
+@@ -496,6 +517,13 @@ poke_user_emu31(struct task_struct *chil
+ */
+ *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp;
+
++ } else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++ /*
++ * prevent writess of padding hole between
++ * orig_gpr2 and fp_regs on s390.
++ */
++ return 0;
++
+ } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ /*
+ * floating point regs. are stored in the thread structure
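Review bot: The comment added in the `poke_user_emu31` hunk has a typo — `prevent writess of padding hole` should read `prevent writes of padding hole` — and the "on s390" wording in the two emu31 branches is slightly misleading, since those paths handle the 31-bit `user_regs_struct32` layout (the hole that `compat_ptrace.h` now documents), not the native s390 kernel; `in the 31-bit layout` would be more accurate. The four new `else if (addr < (addr_t) &dummy->regs.fp_regs)` branches are otherwise correct by construction: each is reached only after the `orig_gpr2` range check has failed, so it covers exactly the bytes between the end of `orig_gpr2` and the start of `fp_regs`, whatever the hole's actual size. The native `peek_user`/`poke_user` branches depend on the same hole in the non-compat register struct, whose definition is outside this patch, so mirroring the `/* nb: there's a 4-byte hole here */` comment there (or noting in the native branches that they are presumably unreachable on a 64-bit kernel if `orig_gpr2` is 8 bytes wide there — worth confirming) would help future readers. All four patched functions start and end outside the hunks shown.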
Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch3 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch3 Thu Oct 9 07:38:15 2008
@@ -5,3 +5,4 @@
+ bugfix/open-allows-sgid-in-sgid-directory.patch
+ bugfix/splice-fix-bad-unlock_page-in-error-case.patch
+ bugfix/remove-SUID-when-splicing-into-an-inode.patch
++ bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch