[kernel] r16584 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Nov 21 01:19:20 UTC 2010


Author: dannf
Date: Sun Nov 21 01:19:17 2010
New Revision: 16584

Log:
ipc: shm: fix information leak to userland (CVE-2010-4072)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 01:16:19 2010	(r16583)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 01:19:17 2010	(r16584)
@@ -29,6 +29,7 @@
   * net: tipc: fix information leak to userland (CVE-2010-3877)
   * inet_diag: Make sure we actually run the same bytecode we audited
     (CVE-2010-3880)
+  * ipc: shm: fix information leak to userland (CVE-2010-4072)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

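Review bot: The entry trailer below the new CVE-2010-4072 line still reads "Thu, 30 Sep 2010 21:42:24 -0600", while this entry was added on 21 Nov 2010. Refresh the trailer date when the changelog entry is finalized, so that the dated entry does not predate the fixes it lists.
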
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ipc-shm-fix-information-leak-to-userland.patch	Sun Nov 21 01:19:17 2010	(r16584)
@@ -0,0 +1,27 @@
+commit 5204c15eac79d9cfbbcb2cfff36f1d631f7bfef6
+Author: Vasiliy Kulikov <segooon at gmail.com>
+Date:   Sat Oct 30 18:22:49 2010 +0400
+
+    ipc: shm: fix information leak to userland
+    
+    The shmid_ds structure is copied to userland with shm_unused{,2,3}
+    fields unitialized.  It leads to leaking of contents of kernel stack
+    memory.
+    
+    Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+    Acked-by: Al Viro <viro at ZenIV.linux.org.uk>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index 38b4711..584b344 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -483,6 +483,7 @@ static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_
+ 	    {
+ 		struct shmid_ds out;
+ 
++		memset(&out, 0, sizeof(out));
+ 		ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
+ 		out.shm_segsz	= in->shm_segsz;
+ 		out.shm_atime	= in->shm_atime;
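
Review bot: In the `struct shmid_ds out` block of copy_shmid_to_user, the added `memset(&out, 0, sizeof(out));` has no comment explaining why it is needed. Because the visible lines that follow assign named fields one by one, the call reads as redundant and is easy to drop in a later cleanup. A one-line comment saying that it clears shm_unused, shm_unused2 and shm_unused3 before the structure is copied to userland would protect the fix. The commit message describes a general pattern: an on-stack structure is filled field by field and then copied out. This hunk covers only the shmid_ds case, so it is worth checking whether other helpers that build their output structure the same way also zero it first.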

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 01:16:19 2010	(r16583)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 01:19:17 2010	(r16584)
@@ -23,3 +23,4 @@
 + bugfix/all/can-bcm-fix-minor-heap-overflow.patch
 + bugfix/all/net-tipc-fix-information-leak-to-userland.patch
 + bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
++ bugfix/all/ipc-shm-fix-information-leak-to-userland.patch


