[kernel] r12298 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Oct 10 05:55:38 UTC 2008


Author: dannf
Date: Fri Oct 10 05:55:37 2008
New Revision: 12298

Log:
[s390] prevent ptrace padding area read/write in 31-bit mode
(CVE-2008-1514)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Fri Oct 10 05:55:37 2008
@@ -1,8 +1,10 @@
 linux-2.6.24 (2.6.24-6~etchnhalf.6) UNRELEASED; urgency=high
 
   * Add missing capability checks in sbni_ioctl (CVE-2008-3525)
+  * [s390] prevent ptrace padding area read/write in 31-bit mode
+    (CVE-2008-1514)
 
- -- dann frazier <dannf at debian.org>  Mon, 29 Sep 2008 23:19:18 -0600
+ -- dann frazier <dannf at debian.org>  Thu, 09 Oct 2008 23:52:07 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.5) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch	Fri Oct 10 05:55:37 2008
@@ -0,0 +1,107 @@
+commit 3d6e48f43340343d97839eadb1ab7b6a3ea98797
+Author: Jarod Wilson <jwilson at redhat.com>
+Date:   Tue Sep 9 12:38:56 2008 +0200
+
+    [S390] CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
+    
+    When running a 31-bit ptrace, on either an s390 or s390x kernel,
+    reads and writes into a padding area in struct user_regs_struct32
+    will result in a kernel panic.
+    
+    This is also known as CVE-2008-1514.
+    
+    Test case available here:
+    http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap
+    
+    Steps to reproduce:
+    1) wget the above
+    2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
+    3) ./user-area-padding-31bit
+    <panic>
+    
+    Test status
+    -----------
+    Without patch, both s390 and s390x kernels panic. With patch, the test case,
+    as well as the gdb testsuite, pass without incident, padding area reads
+    returning zero, writes ignored.
+    
+    Nb: original version returned -EINVAL on write attempts, which broke the
+    gdb test and made the test case slightly unhappy, Jan Kratochvil suggested
+    the change to return 0 on write attempts.
+    
+    Signed-off-by: Jarod Wilson <jarod at redhat.com>
+    Tested-by: Jan Kratochvil <jan.kratochvil at redhat.com>
+    Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/arch/s390/kernel/compat_ptrace.h linux-source-2.6.24/arch/s390/kernel/compat_ptrace.h
+--- linux-source-2.6.24.orig/arch/s390/kernel/compat_ptrace.h	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/arch/s390/kernel/compat_ptrace.h	2008-10-09 23:44:17.000000000 -0600
+@@ -42,6 +42,7 @@ struct user_regs_struct32
+ 	u32 gprs[NUM_GPRS];
+ 	u32 acrs[NUM_ACRS];
+ 	u32 orig_gpr2;
++	/* nb: there's a 4-byte hole here */
+ 	s390_fp_regs fp_regs;
+ 	/*
+ 	 * These per registers are in here so that gdb can modify them
+diff -urpN linux-source-2.6.24.orig/arch/s390/kernel/ptrace.c linux-source-2.6.24/arch/s390/kernel/ptrace.c
+--- linux-source-2.6.24.orig/arch/s390/kernel/ptrace.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/arch/s390/kernel/ptrace.c	2008-10-09 23:44:17.000000000 -0600
+@@ -176,6 +176,13 @@ peek_user(struct task_struct *child, add
+ 		 */
+ 		tmp = (addr_t) task_pt_regs(child)->orig_gpr2;
+ 
++	} else if (addr < (addr_t) &dummy->regs.fp_regs) {
++		/*
++		 * prevent reads of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		tmp = 0;
++
+ 	} else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ 		/* 
+ 		 * floating point regs. are stored in the thread structure
+@@ -267,6 +274,13 @@ poke_user(struct task_struct *child, add
+ 		 */
+ 		task_pt_regs(child)->orig_gpr2 = data;
+ 
++	} else if (addr < (addr_t) &dummy->regs.fp_regs) {
++		/*
++		 * prevent writes of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		return 0;
++
+ 	} else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+ 		/*
+ 		 * floating point regs. are stored in the thread structure
+@@ -409,6 +423,13 @@ peek_user_emu31(struct task_struct *chil
+ 		 */
+ 		tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4);
+ 
++	} else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++		/*
++		 * prevent reads of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		tmp = 0;
++
+ 	} else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ 		/*
+ 		 * floating point regs. are stored in the thread structure 
+@@ -488,6 +509,13 @@ poke_user_emu31(struct task_struct *chil
+ 		 */
+ 		*(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp;
+ 
++	} else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++		/*
++		 * prevent writess of padding hole between
++		 * orig_gpr2 and fp_regs on s390.
++		 */
++		return 0;
++
+ 	} else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+ 		/*
+ 		 * floating point regs. are stored in the thread structure 
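Review bot: The four new `else if` branches close the hole only by position — they depend on `&dummy->regs.fp_regs` / `&dummy32->regs.fp_regs` lying exactly one padding step past `orig_gpr2` and on the branch sitting between the `orig_gpr2` and `fp_regs` tests, and nothing in the tree pins that layout beyond the one-line `/* nb: there's a 4-byte hole here */` added to compat_ptrace.h. If the hole is indeed 4 bytes, a compile-time assertion such as `BUILD_BUG_ON(offsetof(struct user_regs_struct32, fp_regs) - offsetof(struct user_regs_struct32, orig_gpr2) != 8);` at the top of `peek_user_emu31` (assuming BUILD_BUG_ON is available in this 2.6.24 tree) would turn a later field addition that shifts or removes the hole into a build failure rather than a silently mis-routed ptrace access, and the native `struct user` path deserves the same since its hole exists only because of the `fp_regs` alignment the hunk does not show. The comment in the `poke_user_emu31` branch has a typo, `prevent writess of padding hole` → `prevent writes of padding hole`, and all four comments say `on s390` even though two of them sit in the 31-bit compat path. Each of `peek_user`, `poke_user`, `peek_user_emu31` and `poke_user_emu31` starts and ends outside its hunk, so the offset arithmetic in the following `fp_regs` branch, which presumably went negative for hole addresses, is not visible here.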

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6	Fri Oct 10 05:55:37 2008
@@ -1 +1,2 @@
 + bugfix/wan-sbni_ioctl-cap-checks.patch
++ bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch


