[linux] 03/03: [s390*] sclp_ctl: fix potential information leak with /dev/sclp (CVE-2016-6130)
debian-kernel at lists.debian.org
Sat Jul 2 10:04:40 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit f512e08a16bf39069c81dbb82a4531ddaf855533
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Jul 2 12:03:52 2016 +0200
[s390*] sclp_ctl: fix potential information leak with /dev/sclp (CVE-2016-6130)
---
debian/changelog | 2 +
...tl-fix-potential-information-leak-with-de.patch | 52 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 55 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 0dbde44..32204c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,8 @@ linux (3.16.7-ckt25-2+deb8u3) UNRELEASED; urgency=medium
(CVE-2016-5828)
* HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
(CVE-2016-5829)
+ * [s390*] sclp_ctl: fix potential information leak with /dev/sclp
+ (CVE-2016-6130)
-- Salvatore Bonaccorso <carnil at debian.org> Sat, 02 Jul 2016 11:22:39 +0200
diff --git a/debian/patches/bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch b/debian/patches/bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch
new file mode 100644
index 0000000..0407cb8
--- /dev/null
+++ b/debian/patches/bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch
@@ -0,0 +1,52 @@
+From: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Date: Mon, 25 Apr 2016 17:54:28 +0200
+Subject: s390/sclp_ctl: fix potential information leak with /dev/sclp
+Origin: https://git.kernel.org/linus/532c34b5fbf1687df63b3fcd5b2846312ac943c6
+
+The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
+retrieve the sclp request from user space. The first copy_from_user
+fetches the length of the request which is stored in the first two
+bytes of the request. The second copy_from_user gets the complete
+sclp request, but this copies the length field a second time.
+A malicious user may have changed the length in the meantime.
+
+Reported-by: Pengfei Wang <wpengfeinudt at gmail.com>
+Reviewed-by: Michael Holzheu <holzheu at linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+---
+ drivers/s390/char/sclp_ctl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/s390/char/sclp_ctl.c b/drivers/s390/char/sclp_ctl.c
+index 648cb86afd42..ea607a4a1bdd 100644
+--- a/drivers/s390/char/sclp_ctl.c
++++ b/drivers/s390/char/sclp_ctl.c
+@@ -56,6 +56,7 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area)
+ {
+ struct sclp_ctl_sccb ctl_sccb;
+ struct sccb_header *sccb;
++ unsigned long copied;
+ int rc;
+
+ if (copy_from_user(&ctl_sccb, user_area, sizeof(ctl_sccb)))
+@@ -65,14 +66,15 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area)
+ sccb = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
+ if (!sccb)
+ return -ENOMEM;
+- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sizeof(*sccb))) {
++ copied = PAGE_SIZE -
++ copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), PAGE_SIZE);
++ if (offsetof(struct sccb_header, length) +
++ sizeof(sccb->length) > copied || sccb->length > copied) {
+ rc = -EFAULT;
+ goto out_free;
+ }
+- if (sccb->length > PAGE_SIZE || sccb->length < 8)
+- return -EINVAL;
+- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sccb->length)) {
+- rc = -EFAULT;
++ if (sccb->length < 8) {
++ rc = -EINVAL;
+ goto out_free;
+ }
+ rc = sclp_sync_request(ctl_sccb.cmdw, sccb);
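Review bot: the kernel hunk closes the double-fetch window by reading the request once, so `sccb->length` is validated against `copied`, the byte count actually transferred by that single `copy_from_user`, rather than against a header field that user space could rewrite between the old two copies. Two details worth confirming in review: the dropped `sccb->length > PAGE_SIZE` test is subsumed by `sccb->length > copied`, since `copied` can never exceed `PAGE_SIZE`; and the old `return -EINVAL;` path, which bailed out without `goto out_free` and so leaked the page allocated just above it, is now routed through `rc = -EINVAL; goto out_free;`. Note also that a short user buffer now produces a partial copy instead of an immediate `-EFAULT`; that is acceptable because the buffer comes from `get_zeroed_page`, so the uncopied tail is zero, and the `offsetof(struct sccb_header, length) + sizeof(sccb->length) > copied` guard rejects any request whose length field was not itself fully read.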
diff --git a/debian/patches/series b/debian/patches/series
index e8f0f1f..ddb9b4d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -728,3 +728,4 @@ bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch
bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
+bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git