[kernel] r13333 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Apr 4 21:42:18 UTC 2009
Author: dannf
Date: Sat Apr 4 21:42:17 2009
New Revision: 13333
Log:
Fix an off-by-two memory error in console selection (CVE-2009-1046)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog (original)
+++ dists/lenny-security/linux-2.6/debian/changelog Sat Apr 4 21:42:17 2009
@@ -8,6 +8,7 @@
* seccomp: fix 32/64 syscall hole (CVE-2009-0835)
* shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM (CVE-2009-0859)
This issue does not effect pre-build Debian kernels.
+ * Fix an off-by-two memory error in console selection (CVE-2009-1046)
-- dann frazier <dannf at debian.org> Fri, 03 Apr 2009 19:12:51 -0600
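Review bot: the added entry on the `+` line has no subsystem prefix, while the two entries above it start with one ("seccomp:", "shm:"). Wording such as "console selection: fix off-by-two memory error (CVE-2009-1046)" would match them and make the affected code easier to find when scanning the changelog. The context line "This issue does not effect pre-build Debian kernels." could also be corrected to "does not affect pre-built" while the file is being touched.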
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch Sat Apr 4 21:42:17 2009
@@ -0,0 +1,35 @@
+commit 878b8619f711280fd05845e21956434b5e588cc4
+Author: Mikulas Patocka <mpatocka at redhat.com>
+Date: Fri Jan 30 15:27:14 2009 -0500
+
+ Fix memory corruption in console selection
+
+ Fix an off-by-two memory error in console selection.
+
+ The loop below goes from sel_start to sel_end (inclusive), so it writes
+ one more character. This one more character was added to the allocated
+ size (+1), but it was not multiplied by an UTF-8 multiplier.
+
+ This patch fixes a memory corruption when UTF-8 console is used and the
+ user selects a few characters, all of them 3-byte in UTF-8 (for example
+ a frame line).
+
+ When memory redzones are enabled, a redzone corruption is reported.
+ When they are not enabled, trashing of random memory occurs.
+
+ Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/char/selection.c b/drivers/char/selection.c
+index f29fbe9..cb8ca56 100644
+--- a/drivers/char/selection.c
++++ b/drivers/char/selection.c
+@@ -268,7 +268,7 @@ int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *t
+
+ /* Allocate a new buffer before freeing the old one ... */
+ multiplier = use_unicode ? 3 : 1; /* chars can take up to 3 bytes */
+- bp = kmalloc((sel_end-sel_start)/2*multiplier+1, GFP_KERNEL);
++ bp = kmalloc(((sel_end-sel_start)/2+1)*multiplier, GFP_KERNEL);
+ if (!bp) {
+ printk(KERN_WARNING "selection: kmalloc() failed\n");
+ clear_selection();
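Review bot: at the kmalloc() call in set_selection(), the new size `((sel_end-sel_start)/2+1)*multiplier` is only correct while the copy loop emits at most `multiplier` bytes per cell over the inclusive range sel_start..sel_end, and nothing beside the allocation records that. A short comment there, stating that the range is inclusive (hence the +1 inside the parentheses) and that the bound relies on the 3-byte maximum named in the `multiplier` comment, would keep the allocation and the loop from drifting apart again. If the encoder could ever produce a longer sequence per cell, the same overrun described in the commit message would return, so the multiplier and the encoder limit are worth tying to one shared constant.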
Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 (original)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Sat Apr 4 21:42:17 2009
@@ -4,3 +4,4 @@
+ bugfix/x86/syscall-audit-fix-32+64-syscall-hole.patch
+ bugfix/all/seccomp-fix-32+64-syscall-hole.patch
+ bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch
++ bugfix/all/fix-off-by-2-error-in-console-selection.patch