[kernel] r13346 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 6 06:20:49 UTC 2009


Author: dannf
Date: Mon Apr  6 06:20:48 2009
New Revision: 13346

Log:
Fix an off-by-two memory error in console selection (CVE-2009-1046)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch
      - copied unchanged from r13333, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Mon Apr  6 06:18:28 2009	(r13345)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Apr  6 06:20:48 2009	(r13346)
@@ -24,6 +24,7 @@
   * [amd64] syscall-audit: fix 32/64 syscall hole (CVE-2009-0834)
   * shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM (CVE-2009-0859)
     This issue does not effect pre-build Debian kernels.
+  * Fix an off-by-two memory error in console selection (CVE-2009-1046)
 
  -- dann frazier <dannf at debian.org>  Tue, 24 Feb 2009 23:25:36 -0700
 
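Review bot: the new changelog bullet gives only the CVE id, without the patch or file it touches; naming bugfix/all/fix-off-by-2-error-in-console-selection.patch (or drivers/char/selection.c) in the entry would let someone reading the changelog find the change without going through the series file. The trailer below the list still reads Tue, 24 Feb 2009 while this revision is dated Apr 6 2009, so it should be refreshed when the upload is finalized.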

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch (from r13333, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch	Mon Apr  6 06:20:48 2009	(r13346, copy of r13333, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch)
@@ -0,0 +1,35 @@
+commit 878b8619f711280fd05845e21956434b5e588cc4
+Author: Mikulas Patocka <mpatocka at redhat.com>
+Date:   Fri Jan 30 15:27:14 2009 -0500
+
+    Fix memory corruption in console selection
+    
+    Fix an off-by-two memory error in console selection.
+    
+    The loop below goes from sel_start to sel_end (inclusive), so it writes
+    one more character.  This one more character was added to the allocated
+    size (+1), but it was not multiplied by an UTF-8 multiplier.
+    
+    This patch fixes a memory corruption when UTF-8 console is used and the
+    user selects a few characters, all of them 3-byte in UTF-8 (for example
+    a frame line).
+    
+    When memory redzones are enabled, a redzone corruption is reported.
+    When they are not enabled, trashing of random memory occurs.
+    
+    Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/char/selection.c b/drivers/char/selection.c
+index f29fbe9..cb8ca56 100644
+--- a/drivers/char/selection.c
++++ b/drivers/char/selection.c
+@@ -268,7 +268,7 @@ int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *t
+ 
+ 	/* Allocate a new buffer before freeing the old one ... */
+ 	multiplier = use_unicode ? 3 : 1;  /* chars can take up to 3 bytes */
+-	bp = kmalloc((sel_end-sel_start)/2*multiplier+1, GFP_KERNEL);
++	bp = kmalloc(((sel_end-sel_start)/2+1)*multiplier, GFP_KERNEL);
+ 	if (!bp) {
+ 		printk(KERN_WARNING "selection: kmalloc() failed\n");
+ 		clear_selection();
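Review bot: the corrected size in the `kmalloc` line, `((sel_end-sel_start)/2+1)*multiplier`, is still an open-coded expression with no comment tying the `+1` to the inclusive `sel_start`..`sel_end` range the commit message describes, and the copy loop itself lies outside this hunk's context, so the relationship cannot be checked from the diff alone. Consider computing the cell count into a named local first and documenting that it counts both endpoints, so a later change to the loop or to `multiplier` (the comment says up to 3 bytes per char) keeps the allocation in step. The old line's unscaled `+1` could also be read as room for a terminator; if the buffer carries none, the comment should say so.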

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1	Mon Apr  6 06:18:28 2009	(r13345)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1	Mon Apr  6 06:20:48 2009	(r13346)
@@ -77,3 +77,4 @@
 + bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch
 + bugfix/syscall-audit-fix-32+64-syscall-hole.patch
 + bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch
++ bugfix/all/fix-off-by-2-error-in-console-selection.patch


