Commit 52e5279a authored by Dann Frazier's avatar Dann Frazier

* bugfix/cpuset_tasks-underflow.patch

  [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
  local attackers to read sensitive kernel memory if the cpuset filesystem
  is mounted.
  See CVE-2007-2875

svn path=/dists/etch-security/linux-2.6/; revision=9386
parent d7a4b9d0
......@@ -4,8 +4,13 @@ linux-2.6 (2.6.18.dfsg.1-13etch2) UNRELEASED; urgency=low
[SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
and check for out of bounds condition in index provided by userspace
See CVE-2007-2172
* bugfix/cpuset_tasks-underflow.patch
[SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
local attackers to read sensitive kernel memory if the cpuset filesystem
is mounted.
See CVE-2007-2875
-- dann frazier <dannf@debian.org> Mon, 27 Aug 2007 22:16:19 -0600
-- dann frazier <dannf@debian.org> Mon, 27 Aug 2007 22:32:44 -0600
linux-2.6 (2.6.18.dfsg.1-13etch1) stable-security; urgency=high
......
From: Akinobu Mita <akinobu.mita@gmail.com>
Date: Wed, 9 May 2007 09:33:33 +0000 (-0700)
Subject: use simple_read_from_buffer in kernel/
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=85badbdf5120d246ce2bb3f1a7689a805f9c9006
use simple_read_from_buffer in kernel/
Cleanup using simple_read_from_buffer() for /dev/cpuset/tasks and
/proc/config.gz.
Cc: Paul Jackson <pj@sgi.com>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/kernel/configs.c linux-source-2.6.18/kernel/configs.c
--- linux-source-2.6.18.orig/kernel/configs.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/kernel/configs.c 2007-08-27 22:30:10.774211736 -0600
@@ -61,18 +61,9 @@ static ssize_t
ikconfig_read_current(struct file *file, char __user *buf,
size_t len, loff_t * offset)
{
- loff_t pos = *offset;
- ssize_t count;
-
- if (pos >= kernel_config_data_size)
- return 0;
-
- count = min(len, (size_t)(kernel_config_data_size - pos));
- if (copy_to_user(buf, kernel_config_data + MAGIC_SIZE + pos, count))
- return -EFAULT;
-
- *offset += count;
- return count;
+ return simple_read_from_buffer(buf, len, offset,
+ kernel_config_data + MAGIC_SIZE,
+ kernel_config_data_size);
}
static struct file_operations ikconfig_file_ops = {
diff -urpN linux-source-2.6.18.orig/kernel/cpuset.c linux-source-2.6.18/kernel/cpuset.c
--- linux-source-2.6.18.orig/kernel/cpuset.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/kernel/cpuset.c 2007-08-27 22:30:10.778211823 -0600
@@ -1743,12 +1743,7 @@ static ssize_t cpuset_tasks_read(struct
{
struct ctr_struct *ctr = file->private_data;
- if (*ppos + nbytes > ctr->bufsz)
- nbytes = ctr->bufsz - *ppos;
- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
- return -EFAULT;
- *ppos += nbytes;
- return nbytes;
+ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
}
static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
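Review bot: The patch header carries only the upstream "cleanup" description, so nothing inside the patch file says that the kernel/cpuset.c hunk is what fixes CVE-2007-2875. The removed lines in cpuset_tasks_read computed `nbytes = ctr->bufsz - *ppos` without first checking that `*ppos` lies inside the buffer, which matches the underflow the changelog describes, whereas the removed kernel/configs.c code already returned 0 for `pos >= kernel_config_data_size` and looks like cleanup only. I would extend the backport line to `Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>; the kernel/cpuset.c hunk fixes CVE-2007-2875, the kernel/configs.c hunk is cleanup only`. The fix now depends on simple_read_from_buffer() in the 2.6.18 tree rejecting offsets at or beyond `ctr->bufsz`, which is not visible on this page and is worth confirming against the backport target. The signature of cpuset_tasks_read lies outside the hunk, so the types of `nbytes` and `ppos` are taken from the hunk header only.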
+ bugfix/ipv4-fib_props-out-of-bounds.patch
+ bugfix/cpuset_tasks-underflow.patch