[kernel] r14480 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Oct 28 05:25:19 UTC 2009


Author: dannf
Date: Wed Oct 28 05:25:08 2009
New Revision: 14480

Log:
do_sigaltstack: avoid copying 'stack_t' as a structure to user space
(CVE-2009-2847)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
      - copied unchanged from r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Wed Oct 28 04:44:05 2009	(r14479)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Wed Oct 28 05:25:08 2009	(r14480)
@@ -1,6 +1,8 @@
 linux-2.6.24 (2.6.24-6~etchnhalf.8etch4) UNRELEASED; urgency=high
 
   * [parisc] isa-eeprom - Fix loff_t usage (CVE-2009-2846)
+  * do_sigaltstack: avoid copying 'stack_t' as a structure to user space
+    (CVE-2009-2847)
 
  -- dann frazier <dannf at debian.org>  Tue, 27 Oct 2009 22:41:25 -0600
 

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch (from r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch	Wed Oct 28 05:25:08 2009	(r14480, copy of r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch)
@@ -0,0 +1,61 @@
+commit 0083fc2c50e6c5127c2802ad323adf8143ab7856
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Sat Aug 1 10:34:56 2009 -0700
+
+    do_sigaltstack: avoid copying 'stack_t' as a structure to user space
+    
+    Ulrich Drepper correctly points out that there is generally padding in
+    the structure on 64-bit hosts, and that copying the structure from
+    kernel to user space can leak information from the kernel stack in those
+    padding bytes.
+    
+    Avoid the whole issue by just copying the three members one by one
+    instead, which also means that the function also can avoid the need for
+    a stack frame.  This also happens to match how we copy the new structure
+    from user space, so it all even makes sense.
+    
+    [ The obvious solution of adding a memset() generates horrid code, gcc
+      does really stupid things. ]
+    
+    Reported-by: Ulrich Drepper <drepper at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.30 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.30.orig/kernel/signal.c linux-source-2.6.30/kernel/signal.c
+--- linux-source-2.6.30.orig/kernel/signal.c	2009-08-14 18:03:20.000000000 -0600
++++ linux-source-2.6.30/kernel/signal.c	2009-08-14 18:04:08.000000000 -0600
+@@ -2414,11 +2414,9 @@ do_sigaltstack (const stack_t __user *us
+ 	stack_t oss;
+ 	int error;
+ 
+-	if (uoss) {
+-		oss.ss_sp = (void __user *) current->sas_ss_sp;
+-		oss.ss_size = current->sas_ss_size;
+-		oss.ss_flags = sas_ss_flags(sp);
+-	}
++	oss.ss_sp = (void __user *) current->sas_ss_sp;
++	oss.ss_size = current->sas_ss_size;
++	oss.ss_flags = sas_ss_flags(sp);
+ 
+ 	if (uss) {
+ 		void __user *ss_sp;
+@@ -2461,13 +2459,16 @@ do_sigaltstack (const stack_t __user *us
+ 		current->sas_ss_size = ss_size;
+ 	}
+ 
++	error = 0;
+ 	if (uoss) {
+ 		error = -EFAULT;
+-		if (copy_to_user(uoss, &oss, sizeof(oss)))
++		if (!access_ok(VERIFY_WRITE, uoss, sizeof(*uoss)))
+ 			goto out;
++		error = __put_user(oss.ss_sp, &uoss->ss_sp) |
++			__put_user(oss.ss_size, &uoss->ss_size) |
++			__put_user(oss.ss_flags, &uoss->ss_flags);
+ 	}
+ 
+-	error = 0;
+ out:
+ 	return error;
+ }
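Review bot: The header at the top of the added patch (L63) says it was adjusted for Debian's 2.6.30, and the hunk offsets `@@ -2414,11 +2414,9 @@` / `@@ -2461,13 +2459,16 @@` come from that tree, yet this commit copies it unchanged into the linux-2.6.24 branch; the patch header should record that it was verified against 2.6.24's kernel/signal.c (and with what offset or fuzz, if any) so a later refresh does not trust those line numbers. The new side itself is sound: `__put_user` writes only the three named members, so the struct padding that `copy_to_user(uoss, &oss, sizeof(oss))` used to leak from the kernel stack is never copied, and `error = 0;` now precedes the `if (uoss)` block so the path with no `uoss` still returns 0. What this patch does not cover is any arch-specific sigaltstack compat wrapper that builds its own `stack_t` and hands it to `copy_to_user` whole; if the 2.6.24 tree has such a path it needs the same field-by-field treatment, which cannot be confirmed from this hunk. The `|` chain of `__put_user` results is correct only because each call returns either 0 or the same `-EFAULT` value; a `||` chain, e.g. `if (__put_user(oss.ss_sp, &uoss->ss_sp) || __put_user(oss.ss_size, &uoss->ss_size) || __put_user(oss.ss_flags, &uoss->ss_flags)) error = -EFAULT;`, would be the more conventional kernel idiom and would not depend on that property.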

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4	Wed Oct 28 04:44:05 2009	(r14479)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4	Wed Oct 28 05:25:08 2009	(r14480)
@@ -1 +1,2 @@
 + bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch
++ bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch


