[kernel] r17555 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Wed Jun 1 05:34:23 UTC 2011

Author: dannf
Date: Wed Jun  1 05:34:22 2011
New Revision: 17555

Log:
serial: Fix information leak in TIOCGICOUNT ioctl (CVE-2010-4075)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================

--- dists/lenny-security/linux-2.6/debian/changelog	Tue May 31 00:47:12 2011	(r17554)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Jun  1 05:34:22 2011	(r17555)
@@ -27,10 +27,12 @@
   * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)
   * proc: protect mm start_code/end_code in /proc/pid/stat (CVE-2011-0726)
   * cifs: Fix cache stuffing issue in the dns_resolver keyring (CVE-2010-2524)
+  * serial: Fix information leak in TIOCGICOUNT ioctl (CVE-2010-4075)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
 
+
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 
 linux-2.6 (2.6.26-26lenny2) stable-security; urgency=high

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch	Wed Jun  1 05:34:22 2011	(r17555)
@@ -0,0 +1,42 @@
+From: Mauro Carvalho Chehab <mchehab at redhat.com>
+Date: Mon, 29 Nov 2010 20:42:27 -0500
+Subject: [serial] serial_core: clean data before filling it
+Message-id: <4CF41033.7040103 at redhat.com>
+Patchwork-id: 29669
+O-Subject: [PATCH RHEL5.6] CVE-2010-4075 (BZ#648701): clean data before filling
+	it
+Bugzilla: 648701
+CVE: CVE-2010-4075
+RH-Acked-by: Jarod Wilson <jarod at redhat.com>
+RH-Acked-by: Prarit Bhargava <prarit at redhat.com>
+
+Backport proposed patch for 2.6.35:
+
+http://www.openwall.com/lists/oss-security/2010/10/06/6
+http://lkml.indiana.edu/hypermail//linux/kernel/1009.1/03388.html
+
+Upstream patch is more complex and breaks kABI.
+
+>From the proposed patch, from Dan Rosenberg:
+
+The TIOCGICOUNT device ioctl allows unprivileged users to read
+uninitialized stack memory, because the "reserved" member of the
+serial_icounter_struct struct declared on the stack is not altered or
+zeroed before being copied back to the user. This patch takes care of
+it.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+Signed-off-by: Jarod Wilson <jarod at redhat.com>
+
+diff --git a/drivers/serial/serial_core.c b/drivers/serial/serial_core.c
+index b80c760..69c6544 100644
+--- a/drivers/serial/serial_core.c
++++ b/drivers/serial/serial_core.c
+@@ -1046,6 +1046,7 @@ static int uart_get_count(struct uart_state *state,
+ 	struct uart_icount cnow;
+ 	struct uart_port *port = state->port;
+ 
++	memset(&icount, 0, sizeof(struct serial_icounter_struct));
+ 	spin_lock_irq(&port->lock);
+ 	memcpy(&cnow, &port->icount, sizeof(struct uart_icount));
+ 	spin_unlock_irq(&port->lock);

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Tue May 31 00:47:12 2011	(r17554)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Wed Jun  1 05:34:22 2011	(r17555)
@@ -25,3 +25,4 @@
 + bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
 + bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
 + bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch
++ bugfix/all/serial_core-clean-data-before-filling-it.patch

