[kernel] r16540 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Wed Nov 10 05:07:30 2010
New Revision: 16540

Log:
sys_semctl: fix kernel stack leakage (CVE-2010-4083)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Nov 10 01:21:34 2010	(r16539)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Nov 10 05:07:30 2010	(r16540)
@@ -12,6 +12,7 @@
   * sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
   * setup_arg_pages: diagnose excessive argument size (CVE-2010-3858)
   * X.25: memory corruption in X.25 facilities parsing (CVE-2010-3873)
+  * sys_semctl: fix kernel stack leakage (CVE-2010-4083)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch	Wed Nov 10 05:07:30 2010	(r16540)
@@ -0,0 +1,39 @@
+commit a1a719748020a3287b37cc9e8e1e85b7241da532
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Thu Sep 30 15:15:31 2010 -0700
+
+    sys_semctl: fix kernel stack leakage
+    
+    The semctl syscall has several code paths that lead to the leakage of
+    uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
+    IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
+    version of the semid_ds struct.
+    
+    The copy_semid_to_user() function declares a semid_ds struct on the stack
+    and copies it back to the user without initializing or zeroing the
+    "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
+    allowing the leakage of 16 bytes of kernel stack memory.
+    
+    The code is still reachable on 32-bit systems - when calling semctl()
+    newer glibc's automatically OR the IPC command with the IPC_64 flag, but
+    invoking the syscall directly allows users to use the older versions of
+    the struct.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Cc: Manfred Spraul <manfred at colorfullife.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/ipc/sem.c b/ipc/sem.c
+index 80e4575..3fe877f 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -571,6 +571,8 @@ static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in,
+ 	    {
+ 		struct semid_ds out;
+ 
++		memset(&out, 0, sizeof(out));
++
+ 		ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);
+ 
+ 		out.sem_otime	= in->sem_otime;

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Wed Nov 10 01:21:34 2010	(r16539)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Wed Nov 10 05:07:30 2010	(r16540)
@@ -11,3 +11,4 @@
 + bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
 + bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
 + bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
++ bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch