[kernel] r16163 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Aug 18 23:45:49 UTC 2010
Author: dannf
Date: Wed Aug 18 23:45:47 2010
New Revision: 16163
Log:
drm: stop information leak of old kernel stack (CVE-2010-2803)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Aug 18 23:19:22 2010 (r16162)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Aug 18 23:45:47 2010 (r16163)
@@ -10,6 +10,7 @@
* can: add limit for nframes and clean up signed/unsigned variables
(CVE-REQUESTED)
* mm: keep a guard page below a grow-down stack segment (CVE-2010-2240)
+ * drm: stop information leak of old kernel stack (CVE-2010-2803)
-- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch Wed Aug 18 23:45:47 2010 (r16163)
@@ -0,0 +1,30 @@
+non-critical issue, CVE-2010-2803
+
+[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+Userspace controls the amount of memory to be allocate, so it can
+get the ioctl to allocate more memory than the kernel uses, and get
+access to kernel stack. This can only be done for processes authenticated
+to the X server for DRI access, and if the user has DRI access.
+
+Fix is to just memset the data to 0 if the user doesn't copy into
+it in the first place.
+
+Reported-by: Kees Cook <kees at ubuntu.com>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+diff --git a/drivers/char/drm/drm_drv.c b/drivers/char/drm/drm_drv.c
+index 5641387..87ba428 100644
+--- a/drivers/char/drm/drm_drv.c
++++ b/drivers/char/drm/drm_drv.c
+@@ -504,7 +504,9 @@ int drm_ioctl(struct inode *inode, struct file *filp,
+ retcode = -EFAULT;
+ goto err_i1;
+ }
+- }
++ } else
++ memset(kdata, 0, _IOC_SIZE(cmd));
++
+ retcode = func(dev, kdata, file_priv);
+
+ if ((retcode == 0) && (cmd & IOC_OUT)) {
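Review bot: In the drm_ioctl hunk, the new "else memset(kdata, 0, _IOC_SIZE(cmd));" runs whenever the preceding copy-in branch is not taken, and nothing in the visible context shows that kdata is non-NULL and at least _IOC_SIZE(cmd) bytes long on that path. Please confirm this holds in the 2.6.26 tree the patch was backported to, or guard the call with a check on kdata. Style: the if branch is braced, so the else should carry braces as well. The patch header also lacks the upstream commit id next to the "Backported to Debian's 2.6.26" line, which would make the origin of the fix traceable.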
Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Wed Aug 18 23:19:22 2010 (r16162)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Wed Aug 18 23:45:47 2010 (r16163)
@@ -12,3 +12,4 @@
+ bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
+ bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
+ bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
++ bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch