[kernel] r16163 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Aug 18 23:45:49 UTC 2010


Author: dannf
Date: Wed Aug 18 23:45:47 2010
New Revision: 16163

Log:
drm: stop information leak of old kernel stack (CVE-2010-2803)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Aug 18 23:19:22 2010	(r16162)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Aug 18 23:45:47 2010	(r16163)
@@ -10,6 +10,7 @@
   * can: add limit for nframes and clean up signed/unsigned variables
     (CVE-REQUESTED)
   * mm: keep a guard page below a grow-down stack segment (CVE-2010-2240)
+  * drm: stop information leak of old kernel stack (CVE-2010-2803)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch	Wed Aug 18 23:45:47 2010	(r16163)
@@ -0,0 +1,30 @@
+non-critical issue, CVE-2010-2803
+
+[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+Userspace controls the amount of memory to be allocate, so it can
+get the ioctl to allocate more memory than the kernel uses, and get
+access to kernel stack. This can only be done for processes authenticated
+to the X server for DRI access, and if the user has DRI access.
+
+Fix is to just memset the data to 0 if the user doesn't copy into
+it in the first place.
+
+Reported-by: Kees Cook <kees at ubuntu.com>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+diff --git a/drivers/char/drm/drm_drv.c b/drivers/char/drm/drm_drv.c
+index 5641387..87ba428 100644
+--- a/drivers/char/drm/drm_drv.c
++++ b/drivers/char/drm/drm_drv.c
+@@ -504,7 +504,9 @@ int drm_ioctl(struct inode *inode, struct file *filp,
+ 				retcode = -EFAULT;
+ 				goto err_i1;
+ 			}
+-		}
++		} else
++			memset(kdata, 0, _IOC_SIZE(cmd));
++
+ 		retcode = func(dev, kdata, file_priv);
+ 
+ 		if ((retcode == 0) && (cmd & IOC_OUT)) {
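
Review bot: the "} else" added at the end of the drm_ioctl() hunk leaves the memset() body unbraced while the preceding if branch is braced; kernel coding style asks for braces on both branches in that case, so this would read "} else {", "memset(kdata, 0, _IOC_SIZE(cmd));", "}". The zeroing length is _IOC_SIZE(cmd), and the description says userspace controls that size, so it is worth confirming against the 2.6.26 source that kdata is allocated with the same _IOC_SIZE(cmd), because the allocation lies outside the context shown here. For a backport, the patch header should also name the upstream commit it was taken from, which the "non-critical issue, CVE-2010-2803" line does not.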

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug 18 23:19:22 2010	(r16162)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug 18 23:45:47 2010	(r16163)
@@ -12,3 +12,4 @@
 + bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
 + bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
 + bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
++ bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
