[kernel] r14111 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Aug 15 00:12:02 UTC 2009
Author: dannf
Date: Sat Aug 15 00:12:00 2009
New Revision: 14111
Log:
do_sigaltstack: avoid copying 'stack_t' as a structure to user space
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/6
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Fri Aug 14 23:50:51 2009 (r14110)
+++ dists/sid/linux-2.6/debian/changelog Sat Aug 15 00:12:00 2009 (r14111)
@@ -7,6 +7,7 @@
* Make sock_sendpage() use kernel_sendpage() (CVE-2009-2692)
* flat: fix uninitialized ptr with shared libs
* [parisc] isa-eeprom - Fix loff_t usage
+ * do_sigaltstack: avoid copying 'stack_t' as a structure to user space
-- Bastian Blank <waldi at debian.org> Fri, 14 Aug 2009 23:50:45 +0200
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch Sat Aug 15 00:12:00 2009 (r14111)
@@ -0,0 +1,61 @@
+commit 0083fc2c50e6c5127c2802ad323adf8143ab7856
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat Aug 1 10:34:56 2009 -0700
+
+ do_sigaltstack: avoid copying 'stack_t' as a structure to user space
+
+ Ulrich Drepper correctly points out that there is generally padding in
+ the structure on 64-bit hosts, and that copying the structure from
+ kernel to user space can leak information from the kernel stack in those
+ padding bytes.
+
+ Avoid the whole issue by just copying the three members one by one
+ instead, which also means that the function also can avoid the need for
+ a stack frame. This also happens to match how we copy the new structure
+ from user space, so it all even makes sense.
+
+ [ The obvious solution of adding a memset() generates horrid code, gcc
+ does really stupid things. ]
+
+ Reported-by: Ulrich Drepper <drepper at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.30 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.30.orig/kernel/signal.c linux-source-2.6.30/kernel/signal.c
+--- linux-source-2.6.30.orig/kernel/signal.c 2009-08-14 18:03:20.000000000 -0600
++++ linux-source-2.6.30/kernel/signal.c 2009-08-14 18:04:08.000000000 -0600
+@@ -2414,11 +2414,9 @@ do_sigaltstack (const stack_t __user *us
+ stack_t oss;
+ int error;
+
+- if (uoss) {
+- oss.ss_sp = (void __user *) current->sas_ss_sp;
+- oss.ss_size = current->sas_ss_size;
+- oss.ss_flags = sas_ss_flags(sp);
+- }
++ oss.ss_sp = (void __user *) current->sas_ss_sp;
++ oss.ss_size = current->sas_ss_size;
++ oss.ss_flags = sas_ss_flags(sp);
+
+ if (uss) {
+ void __user *ss_sp;
+@@ -2461,13 +2459,16 @@ do_sigaltstack (const stack_t __user *us
+ current->sas_ss_size = ss_size;
+ }
+
++ error = 0;
+ if (uoss) {
+ error = -EFAULT;
+- if (copy_to_user(uoss, &oss, sizeof(oss)))
++ if (!access_ok(VERIFY_WRITE, uoss, sizeof(*uoss)))
+ goto out;
++ error = __put_user(oss.ss_sp, &uoss->ss_sp) |
++ __put_user(oss.ss_size, &uoss->ss_size) |
++ __put_user(oss.ss_flags, &uoss->ss_flags);
+ }
+
+- error = 0;
+ out:
+ return error;
+ }
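Review bot: The reason for copying member by member is recorded only in the commit message, not beside the `__put_user()` sequence in the second signal.c hunk. As far as the hunks show, `stack_t oss` remains an unzeroed stack local. A later cleanup that folds the three stores back into `copy_to_user(uoss, &oss, sizeof(oss))` would bring back the padding leak with no compiler warning. I would add a comment above `error = __put_user(oss.ss_sp, &uoss->ss_sp) |` along the lines of `/* stack_t has padding on 64-bit: copy members one by one, never the whole struct, or kernel stack bytes leak to user space */`. do_sigaltstack() starts before and continues between the two hunks, so any other path that copies a whole stack_t out cannot be checked from here.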
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch Sat Aug 15 00:12:00 2009 (r14111)
@@ -0,0 +1,35 @@
+commit 0dd8486b5cfe8048e0613334659d9252ecd1b08a
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat Aug 1 11:18:56 2009 -0700
+
+ do_sigaltstack: small cleanups
+
+ The previous commit ("do_sigaltstack: avoid copying 'stack_t' as a
+ structure to user space") fixed a real bug. This one just cleans up the
+ copy from user space to that gcc can generate better code for it (and so
+ that it looks the same as the later copy back to user space).
+
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.30 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.30.orig/kernel/signal.c linux-source-2.6.30/kernel/signal.c
+--- linux-source-2.6.30.orig/kernel/signal.c 2009-08-14 18:04:08.000000000 -0600
++++ linux-source-2.6.30/kernel/signal.c 2009-08-14 18:05:13.000000000 -0600
+@@ -2424,10 +2424,12 @@ do_sigaltstack (const stack_t __user *us
+ int ss_flags;
+
+ error = -EFAULT;
+- if (!access_ok(VERIFY_READ, uss, sizeof(*uss))
+- || __get_user(ss_sp, &uss->ss_sp)
+- || __get_user(ss_flags, &uss->ss_flags)
+- || __get_user(ss_size, &uss->ss_size))
++ if (!access_ok(VERIFY_READ, uss, sizeof(*uss)))
++ goto out;
++ error = __get_user(ss_sp, &uss->ss_sp) |
++ __get_user(ss_flags, &uss->ss_flags) |
++ __get_user(ss_size, &uss->ss_size);
++ if (error)
+ goto out;
+
+ error = -EPERM;
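Review bot: Replacing the short-circuit `||` chain with `error = __get_user(...) | __get_user(...) | __get_user(...)` changes two things that the code does not spell out. All three reads are now attempted even after the first one faults, and the returned errno is the bitwise OR of the three results rather than the preset `-EFAULT`. That is only a valid errno if every `__get_user()` returns exactly 0 or `-EFAULT`, which is presumably true on all architectures but is not visible here. A one-line comment above the assignment would record the assumption, for example `/* each __get_user() returns 0 or -EFAULT, so OR-ing them still yields a valid errno */`. The `__put_user()` chain added by the previous patch relies on the same assumption and deserves the same comment. The enclosing `if (uss)` block and the rest of do_sigaltstack() lie outside this hunk.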
Modified: dists/sid/linux-2.6/debian/patches/series/6
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/6 Fri Aug 14 23:50:51 2009 (r14110)
+++ dists/sid/linux-2.6/debian/patches/series/6 Sat Aug 15 00:12:00 2009 (r14111)
@@ -1,3 +1,5 @@
+ bugfix/all/make-sock_sendpage-use-kernel_sendpage.patch
+ bugfix/all/flat-fix-uninitialized-ptr-with-shared-libs.patch
+ bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch
++ bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
++ bugfix/all/do_sigaltstack-small-cleanups.patch