[kernel] r14138 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Aug 19 04:32:20 UTC 2009
Author: dannf
Date: Wed Aug 19 04:32:18 2009
New Revision: 14138
Log:
do_sigaltstack: avoid copying 'stack_t' as a structure to user space
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
- copied unchanged from r14136, dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch
- copied unchanged from r14136, dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/19
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Wed Aug 19 04:28:24 2009 (r14137)
+++ dists/lenny/linux-2.6/debian/changelog Wed Aug 19 04:32:18 2009 (r14138)
@@ -7,6 +7,7 @@
[ dann frazier ]
* aacraid: Fix regression w/ bigmem kernel (Closes: #537771)
* [parisc] isa-eeprom - Fix loff_t usage (CVE-2009-2846)
+ * do_sigaltstack: avoid copying 'stack_t' as a structure to user space
-- Moritz Muehlenhoff <jmm at debian.org> Wed, 05 Aug 2009 22:18:12 +0200
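Review bot: the added changelog line names only the first patch, while series/19 in this same revision adds two (the fix and do_sigaltstack-small-cleanups.patch), and it does not say that the fix closes a kernel stack information leak through stack_t padding. Suggest wording the entry so that both patches are covered and the leak is stated, in the way the line above it tags its fix with a CVE id, so the change can be recognised as security-relevant from the changelog alone.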
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch (from r14136, dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch Wed Aug 19 04:32:18 2009 (r14138, copy of r14136, dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch)
@@ -0,0 +1,61 @@
+commit 0083fc2c50e6c5127c2802ad323adf8143ab7856
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat Aug 1 10:34:56 2009 -0700
+
+ do_sigaltstack: avoid copying 'stack_t' as a structure to user space
+
+ Ulrich Drepper correctly points out that there is generally padding in
+ the structure on 64-bit hosts, and that copying the structure from
+ kernel to user space can leak information from the kernel stack in those
+ padding bytes.
+
+ Avoid the whole issue by just copying the three members one by one
+ instead, which also means that the function also can avoid the need for
+ a stack frame. This also happens to match how we copy the new structure
+ from user space, so it all even makes sense.
+
+ [ The obvious solution of adding a memset() generates horrid code, gcc
+ does really stupid things. ]
+
+ Reported-by: Ulrich Drepper <drepper at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.30 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.30.orig/kernel/signal.c linux-source-2.6.30/kernel/signal.c
+--- linux-source-2.6.30.orig/kernel/signal.c 2009-08-14 18:03:20.000000000 -0600
++++ linux-source-2.6.30/kernel/signal.c 2009-08-14 18:04:08.000000000 -0600
+@@ -2414,11 +2414,9 @@ do_sigaltstack (const stack_t __user *us
+ stack_t oss;
+ int error;
+
+- if (uoss) {
+- oss.ss_sp = (void __user *) current->sas_ss_sp;
+- oss.ss_size = current->sas_ss_size;
+- oss.ss_flags = sas_ss_flags(sp);
+- }
++ oss.ss_sp = (void __user *) current->sas_ss_sp;
++ oss.ss_size = current->sas_ss_size;
++ oss.ss_flags = sas_ss_flags(sp);
+
+ if (uss) {
+ void __user *ss_sp;
+@@ -2461,13 +2459,16 @@ do_sigaltstack (const stack_t __user *us
+ current->sas_ss_size = ss_size;
+ }
+
++ error = 0;
+ if (uoss) {
+ error = -EFAULT;
+- if (copy_to_user(uoss, &oss, sizeof(oss)))
++ if (!access_ok(VERIFY_WRITE, uoss, sizeof(*uoss)))
+ goto out;
++ error = __put_user(oss.ss_sp, &uoss->ss_sp) |
++ __put_user(oss.ss_size, &uoss->ss_size) |
++ __put_user(oss.ss_flags, &uoss->ss_flags);
+ }
+
+- error = 0;
+ out:
+ return error;
+ }
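Review bot: nothing in the code at the new `__put_user` block (second kernel/signal.c hunk) records why `copy_to_user(uoss, &oss, sizeof(oss))` was replaced; the reason, padding bytes in stack_t carrying kernel stack contents on 64-bit hosts, lives only in the commit message. A one-line comment above `error = __put_user(oss.ss_sp, &uoss->ss_sp) |` would keep a later cleanup from folding the three stores back into a structure copy. Two smaller points: the `|` chain is only a valid error code if every `__put_user` returns 0 or the same error value, which is worth stating next to it, and the header still reads "Adjusted to apply to Debian's 2.6.30" although the file is copied unchanged from sid into the lenny tree, so please confirm it applies there without offset or fuzz at lines 2414 and 2461.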
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch (from r14136, dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch Wed Aug 19 04:32:18 2009 (r14138, copy of r14136, dists/sid/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-small-cleanups.patch)
@@ -0,0 +1,35 @@
+commit 0dd8486b5cfe8048e0613334659d9252ecd1b08a
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat Aug 1 11:18:56 2009 -0700
+
+ do_sigaltstack: small cleanups
+
+ The previous commit ("do_sigaltstack: avoid copying 'stack_t' as a
+ structure to user space") fixed a real bug. This one just cleans up the
+ copy from user space to that gcc can generate better code for it (and so
+ that it looks the same as the later copy back to user space).
+
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.30 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.30.orig/kernel/signal.c linux-source-2.6.30/kernel/signal.c
+--- linux-source-2.6.30.orig/kernel/signal.c 2009-08-14 18:04:08.000000000 -0600
++++ linux-source-2.6.30/kernel/signal.c 2009-08-14 18:05:13.000000000 -0600
+@@ -2424,10 +2424,12 @@ do_sigaltstack (const stack_t __user *us
+ int ss_flags;
+
+ error = -EFAULT;
+- if (!access_ok(VERIFY_READ, uss, sizeof(*uss))
+- || __get_user(ss_sp, &uss->ss_sp)
+- || __get_user(ss_flags, &uss->ss_flags)
+- || __get_user(ss_size, &uss->ss_size))
++ if (!access_ok(VERIFY_READ, uss, sizeof(*uss)))
++ goto out;
++ error = __get_user(ss_sp, &uss->ss_sp) |
++ __get_user(ss_flags, &uss->ss_flags) |
++ __get_user(ss_size, &uss->ss_size);
++ if (error)
+ goto out;
+
+ error = -EPERM;
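Review bot: replacing `||` with `|` in the `__get_user` chain changes evaluation, not just layout: all three reads now run even if the first one faults, and `error` becomes the bitwise OR of their return values instead of the preset `-EFAULT`. That is sound only while each `__get_user` returns 0 or one common error code; a short comment at `error = __get_user(ss_sp, &uss->ss_sp) |` saying so, and that the form is chosen to mirror the copy back to user space, would make the intent clear to the next reader.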
Modified: dists/lenny/linux-2.6/debian/patches/series/19
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/19 Wed Aug 19 04:28:24 2009 (r14137)
+++ dists/lenny/linux-2.6/debian/patches/series/19 Wed Aug 19 04:32:18 2009 (r14138)
@@ -1,3 +1,5 @@
+ bugfix/all/input-alps-support-toshiba-satellite-pro-m10.patch
+ bugfix/all/aacraid-driver-update.patch
+ bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch
++ bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
++ bugfix/all/do_sigaltstack-small-cleanups.patch
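Review bot: the two added entries are order-dependent and nothing here says so: the cleanups diff is taken against kernel/signal.c as left by the first patch (its `---` timestamp 18:04:08 equals the first patch's `+++` timestamp, and its hunk starts at line 2424 of the already-patched file). The order shown is correct; keep the two entries adjacent and in this order if the series is ever rearranged.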