[kernel] r13346 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Apr 6 06:20:49 UTC 2009
Author: dannf
Date: Mon Apr 6 06:20:48 2009
New Revision: 13346
Log:
Fix an off-by-two memory error in console selection (CVE-2009-1046)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch
- copied unchanged from r13333, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog Mon Apr 6 06:18:28 2009 (r13345)
+++ dists/etch-security/linux-2.6.24/debian/changelog Mon Apr 6 06:20:48 2009 (r13346)
@@ -24,6 +24,7 @@
* [amd64] syscall-audit: fix 32/64 syscall hole (CVE-2009-0834)
* shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM (CVE-2009-0859)
This issue does not effect pre-build Debian kernels.
+ * Fix an off-by-two memory error in console selection (CVE-2009-1046)
-- dann frazier <dannf at debian.org> Tue, 24 Feb 2009 23:25:36 -0700
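Review bot: The added changelog entry names only the CVE and not the patch file that carries the fix, and the stanza trailer under it still reads Tue, 24 Feb 2009 although this revision is dated 6 Apr 2009. Consider mentioning bugfix/all/fix-off-by-2-error-in-console-selection.patch in the entry and refreshing the trailer when the upload is finalised. If the neighbouring shm entry is touched again, its context line "does not effect pre-build" should read "does not affect pre-built".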
Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch (from r13333, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch Mon Apr 6 06:20:48 2009 (r13346, copy of r13333, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch)
@@ -0,0 +1,35 @@
+commit 878b8619f711280fd05845e21956434b5e588cc4
+Author: Mikulas Patocka <mpatocka at redhat.com>
+Date: Fri Jan 30 15:27:14 2009 -0500
+
+ Fix memory corruption in console selection
+
+ Fix an off-by-two memory error in console selection.
+
+ The loop below goes from sel_start to sel_end (inclusive), so it writes
+ one more character. This one more character was added to the allocated
+ size (+1), but it was not multiplied by an UTF-8 multiplier.
+
+ This patch fixes a memory corruption when UTF-8 console is used and the
+ user selects a few characters, all of them 3-byte in UTF-8 (for example
+ a frame line).
+
+ When memory redzones are enabled, a redzone corruption is reported.
+ When they are not enabled, trashing of random memory occurs.
+
+ Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/char/selection.c b/drivers/char/selection.c
+index f29fbe9..cb8ca56 100644
+--- a/drivers/char/selection.c
++++ b/drivers/char/selection.c
+@@ -268,7 +268,7 @@ int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *t
+
+ /* Allocate a new buffer before freeing the old one ... */
+ multiplier = use_unicode ? 3 : 1; /* chars can take up to 3 bytes */
+- bp = kmalloc((sel_end-sel_start)/2*multiplier+1, GFP_KERNEL);
++ bp = kmalloc(((sel_end-sel_start)/2+1)*multiplier, GFP_KERNEL);
+ if (!bp) {
+ printk(KERN_WARNING "selection: kmalloc() failed\n");
+ clear_selection();
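Review bot: In the set_selection() hunk the +1 that now sits inside the parentheses has no comment at the kmalloc() line; the only explanation (the copy loop runs from sel_start to sel_end inclusive) lives in the commit message. With n = (sel_end-sel_start)/2 and multiplier 3, the old expression reserved n*3+1 bytes and the new one (n+1)*3, which is the two-byte difference the title refers to. A one-line comment stating that the +1 is the inclusive end character and must be scaled by multiplier would keep it from being moved back outside the multiplication. The file is also copied unchanged from the lenny-security linux-2.6 tree, so it is worth confirming that the @@ -268,7 hunk applies cleanly to drivers/char/selection.c in the 2.6.24 source.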
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1 Mon Apr 6 06:18:28 2009 (r13345)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1 Mon Apr 6 06:20:48 2009 (r13346)
@@ -77,3 +77,4 @@
+ bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch
+ bugfix/syscall-audit-fix-32+64-syscall-hole.patch
+ bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch
++ bugfix/all/fix-off-by-2-error-in-console-selection.patch