[linux] 03/03: [s390*] sclp_ctl: fix potential information leak with /dev/sclp (CVE-2016-6130)




benh pushed a commit to branch jessie-security
in repository linux.

commit f512e08a16bf39069c81dbb82a4531ddaf855533
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jul 2 12:03:52 2016 +0200

    [s390*] sclp_ctl: fix potential information leak with /dev/sclp (CVE-2016-6130)
---
 debian/changelog                                   |  2 +
 ...tl-fix-potential-information-leak-with-de.patch | 52 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 55 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 0dbde44..32204c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,8 @@ linux (3.16.7-ckt25-2+deb8u3) UNRELEASED; urgency=medium
     (CVE-2016-5828)
   * HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
     (CVE-2016-5829)
+  * [s390*] sclp_ctl: fix potential information leak with /dev/sclp
+    (CVE-2016-6130)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 02 Jul 2016 11:22:39 +0200
 
diff --git a/debian/patches/bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch b/debian/patches/bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch
new file mode 100644
index 0000000..0407cb8
--- /dev/null
+++ b/debian/patches/bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch
@@ -0,0 +1,52 @@
+From: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Date: Mon, 25 Apr 2016 17:54:28 +0200
+Subject: s390/sclp_ctl: fix potential information leak with /dev/sclp
+Origin: https://git.kernel.org/linus/532c34b5fbf1687df63b3fcd5b2846312ac943c6
+
+The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
+retrieve the sclp request from user space. The first copy_from_user
+fetches the length of the request which is stored in the first two
+bytes of the request. The second copy_from_user gets the complete
+sclp request, but this copies the length field a second time.
+A malicious user may have changed the length in the meantime.
+
+Reported-by: Pengfei Wang <wpengfeinudt at gmail.com>
+Reviewed-by: Michael Holzheu <holzheu at linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+---
+ drivers/s390/char/sclp_ctl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/s390/char/sclp_ctl.c b/drivers/s390/char/sclp_ctl.c
+index 648cb86afd42..ea607a4a1bdd 100644
+--- a/drivers/s390/char/sclp_ctl.c
++++ b/drivers/s390/char/sclp_ctl.c
+@@ -56,6 +56,7 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area)
+ {
+ 	struct sclp_ctl_sccb ctl_sccb;
+ 	struct sccb_header *sccb;
++	unsigned long copied;
+ 	int rc;
+ 
+ 	if (copy_from_user(&ctl_sccb, user_area, sizeof(ctl_sccb)))
+@@ -65,14 +66,15 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area)
+ 	sccb = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
+ 	if (!sccb)
+ 		return -ENOMEM;
+-	if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sizeof(*sccb))) {
++	copied = PAGE_SIZE -
++		copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), PAGE_SIZE);
++	if (offsetof(struct sccb_header, length) +
++	    sizeof(sccb->length) > copied || sccb->length > copied) {
+ 		rc = -EFAULT;
+ 		goto out_free;
+ 	}
+-	if (sccb->length > PAGE_SIZE || sccb->length < 8)
+-		return -EINVAL;
+-	if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sccb->length)) {
+-		rc = -EFAULT;
++	if (sccb->length < 8) {
++		rc = -EINVAL;
+ 		goto out_free;
+ 	}
+ 	rc = sclp_sync_request(ctl_sccb.cmdw, sccb);
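Review bot: The single full-page copy_from_user and the `copied`-based checks carry no comment saying that a partial copy is now tolerated on purpose (a user mapping shorter than PAGE_SIZE but at least `sccb->length` bytes is accepted, where the old length-sized copy faulted), so a future maintainer may "fix" it back into a second fetch and reintroduce the TOCTOU; I would add above the `copied =` line: `/* Fetch the whole page in one go so the length cannot change between validation and use; a short copy is fine as long as the header and the declared length fit in what actually arrived (the page is pre-zeroed). */`. The magic `8` in the `-EINVAL` check could become `sizeof(struct sccb_header)` if that is indeed its size, since the preceding check already sizes the header with offsetof/sizeof. sclp_ctl_ioctl_sccb continues past the hunk; if the code there copies the result back with a copy_to_user sized by `sccb->length` after sclp_sync_request, that length should be re-checked against PAGE_SIZE in case the SCLP response rewrites the header, but that code is not visible here.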
diff --git a/debian/patches/series b/debian/patches/series
index e8f0f1f..ddb9b4d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -728,3 +728,4 @@ bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
 bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch
 bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
 bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
+bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch
