[kernel] r16540 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Nov 10 05:07:47 UTC 2010
Author: dannf
Date: Wed Nov 10 05:07:30 2010
New Revision: 16540
Log:
sys_semctl: fix kernel stack leakage (CVE-2010-4083)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Nov 10 01:21:34 2010 (r16539)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Nov 10 05:07:30 2010 (r16540)
@@ -12,6 +12,7 @@
* sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
* setup_arg_pages: diagnose excessive argument size (CVE-2010-3858)
* X.25: memory corruption in X.25 facilities parsing (CVE-2010-3873)
+ * sys_semctl: fix kernel stack leakage (CVE-2010-4083)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch Wed Nov 10 05:07:30 2010 (r16540)
@@ -0,0 +1,39 @@
+commit a1a719748020a3287b37cc9e8e1e85b7241da532
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Thu Sep 30 15:15:31 2010 -0700
+
+ sys_semctl: fix kernel stack leakage
+
+ The semctl syscall has several code paths that lead to the leakage of
+ uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
+ IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
+ version of the semid_ds struct.
+
+ The copy_semid_to_user() function declares a semid_ds struct on the stack
+ and copies it back to the user without initializing or zeroing the
+ "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
+ allowing the leakage of 16 bytes of kernel stack memory.
+
+ The code is still reachable on 32-bit systems - when calling semctl()
+ newer glibc's automatically OR the IPC command with the IPC_64 flag, but
+ invoking the syscall directly allows users to use the older versions of
+ the struct.
+
+ Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+ Cc: Manfred Spraul <manfred at colorfullife.com>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/ipc/sem.c b/ipc/sem.c
+index 80e4575..3fe877f 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -571,6 +571,8 @@ static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in,
+ {
+ struct semid_ds out;
+
++ memset(&out, 0, sizeof(out));
++
+ ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);
+
+ out.sem_otime = in->sem_otime;
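Review bot: the hunk changes only copy_semid_to_user(), the helper that hands a semid_ds back for IPC_STAT and SEM_STAT, while the commit message also lists IPC_INFO and SEM_INFO among the leaking commands; nothing in this diff touches a separate path for those two, so before this lands in lenny-security either confirm that they reach this same function or that their own output buffer is already zeroed, otherwise the message overstates what the patch fixes. The fix itself is the right shape: `memset(&out, 0, sizeof(out));` placed before `ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);` clears the four kernel pointers named in the message and any padding in struct semid_ds, which assigning NULL to each pointer field individually would not, and the 16-byte figure matches four 4-byte pointers on the 32-bit ABI that the message says is the only one still able to select the old struct.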
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Wed Nov 10 01:21:34 2010 (r16539)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Wed Nov 10 05:07:30 2010 (r16540)
@@ -11,3 +11,4 @@
+ bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
+ bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
+ bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
++ bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
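The leak the commit message describes, as an added example and not code from this Debian commit or from the upstream kernel patch: a user-space model of the IPC_OLD branch of copy_semid_to_user() before and after the memset(). The kernel stack frame is replaced by an explicit buffer pre-filled with a marker byte so the result does not depend on what a compiler happens to leave on the real stack. The struct layouts (a 32-bit semid_ds and ipc_perm), the semid64_in stand-in, the sample semaphore set and every function name are this example's own assumptions.

```c
/* Added example, not code from the Debian commit or the upstream patch:
 * copy_semid_to_user() IPC_OLD path modelled in user space, with the
 * kernel stack frame replaced by a marker-filled buffer.  Struct layouts
 * and all names are assumptions of this example. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char u8;

#define STACK_MARKER 0xAA   /* stands for data an earlier syscall left on the stack */

/* Old-ABI structs handed back to user space, 32-bit layout assumed (44 bytes). */
struct ipc_perm_old { uint32_t key; uint16_t uid, gid, cuid, cgid, mode, seq; };
struct semid_ds_old {
    struct ipc_perm_old sem_perm;
    uint32_t sem_otime, sem_ctime;
    uint32_t sem_base, sem_pending, sem_pending_last, undo; /* kernel pointers, never assigned */
    uint16_t sem_nsems;                                     /* 2 bytes of tail padding follow */
};

/* Stand-in for struct semid64_ds; the caller fills it completely. */
struct semid64_in {
    uint32_t key, uid, gid, cuid, cgid, mode, seq;
    uint32_t sem_otime, sem_ctime, sem_nsems;
};

/* The simulated kernel stack frame: byte-addressable and wide enough for `out`. */
union frame { struct semid_ds_old out; u8 bytes[64]; };

static void perm64_to_perm_old(const struct semid64_in *in, struct ipc_perm_old *p)
{
    p->key  = in->key;             p->uid  = (uint16_t)in->uid;
    p->gid  = (uint16_t)in->gid;   p->cuid = (uint16_t)in->cuid;
    p->cgid = (uint16_t)in->cgid;  p->mode = (uint16_t)in->mode;
    p->seq  = (uint16_t)in->seq;
}

/* copy_semid_to_user(), IPC_OLD case.  fixed == 0 is the pre-patch body:
 * only the documented fields are written, everything else keeps what the
 * frame held.  fixed == 1 runs the patch's memset() first. */
static void copy_semid_old(union frame *f, const struct semid64_in *in,
                           struct semid_ds_old *user_buf, int fixed)
{
    struct semid_ds_old *out = &f->out;   /* "declares a semid_ds struct on the stack" */

    if (fixed)
        memset(out, 0, sizeof(*out));

    perm64_to_perm_old(in, &out->sem_perm);
    out->sem_otime = in->sem_otime;
    out->sem_ctime = in->sem_ctime;
    out->sem_nsems = (uint16_t)in->sem_nsems;

    memcpy(user_buf, out, sizeof(*out));  /* copy_to_user(buf, &out, sizeof(out)) */
}

/* One IPC_STAT-style call against a frame dirtied by a previous call. */
void run_stat(struct semid_ds_old *user_buf, int fixed)
{
    static const struct semid64_in in = {   /* constructed sample semaphore set */
        .key = 0x1234, .uid = 1000, .gid = 1000, .cuid = 1000, .cgid = 1000,
        .mode = 0600, .seq = 7, .sem_otime = 1289365650u, .sem_ctime = 1289365600u,
        .sem_nsems = 3 };
    union frame f;

    memset(f.bytes, STACK_MARKER, sizeof(f.bytes));   /* leftovers on the frame */
    copy_semid_old(&f, &in, user_buf, fixed);
}

/* Marker bytes inside the four pointer fields (0..16). */
size_t leaked_pointer_bytes(const struct semid_ds_old *ub)
{
    static const size_t offs[] = {
        offsetof(struct semid_ds_old, sem_base), offsetof(struct semid_ds_old, sem_pending),
        offsetof(struct semid_ds_old, sem_pending_last), offsetof(struct semid_ds_old, undo) };
    const u8 *b = (const u8 *)ub;
    size_t n = 0;

    for (size_t i = 0; i < 4; i++)
        for (size_t j = 0; j < sizeof(uint32_t); j++)
            n += (b[offs[i] + j] == STACK_MARKER);
    return n;
}

/* Marker bytes anywhere in the struct: catches padding as well as fields. */
size_t leaked_total_bytes(const struct semid_ds_old *ub)
{
    const u8 *b = (const u8 *)ub;
    size_t n = 0;

    for (size_t i = 0; i < sizeof(*ub); i++)
        n += (b[i] == STACK_MARKER);
    return n;
}

/* Run one call and return just the leak count, for callers that want numbers. */
size_t pointer_leak_for(int fixed) { struct semid_ds_old ub; run_stat(&ub, fixed); return leaked_pointer_bytes(&ub); }
size_t total_leak_for(int fixed)   { struct semid_ds_old ub; run_stat(&ub, fixed); return leaked_total_bytes(&ub); }

int main(void)
{
    printf("before patch: %zu pointer bytes leaked, %zu bytes total\n",
           pointer_leak_for(0), total_leak_for(0));
    printf("after patch:  %zu pointer bytes leaked, %zu bytes total\n",
           pointer_leak_for(1), total_leak_for(1));
    return 0;
}
```

Before the memset() the four pointer fields carry all 16 marker bytes, matching the count in the commit message for 4-byte pointers; the total is larger (18 on this layout in practice) because the two padding bytes after sem_nsems come along for free, which is the reason to zero the whole struct rather than assign NULL to the four pointers. After the memset() no marker byte survives while the user-visible fields are still copied. On a 64-bit native layout the same four fields would be 32 bytes, which ties the 16-byte figure to the 32-bit ABI the message says is the only one that still reaches this branch.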