rpms/kernel/F-10 do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch, NONE, 1.1 kernel.spec, 1.1404, 1.1405

Wed Aug 19 14:21:16 UTC 2009

Author: kyle

Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30444

Modified Files:
	kernel.spec 
Added Files:
	do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch 
Log Message:
CVE-2009-2847 fix kernel information leak in sigaltstack

do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch:
 signal.c |   15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- NEW FILE do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch ---
From: Linus Torvalds <torvalds at linux-foundation.org>
Date: Sat, 1 Aug 2009 17:34:56 +0000 (-0700)
Subject: do_sigaltstack: avoid copying 'stack_t' as a structure to user space
X-Git-Tag: v2.6.31-rc6~89
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0083fc2c50e6c5127c2802ad323adf8143ab7856

do_sigaltstack: avoid copying 'stack_t' as a structure to user space

Ulrich Drepper correctly points out that there is generally padding in
the structure on 64-bit hosts, and that copying the structure from
kernel to user space can leak information from the kernel stack in those
padding bytes.

Avoid the whole issue by just copying the three members one by one
instead, which also means that the function also can avoid the need for
a stack frame.  This also happens to match how we copy the new structure
from user space, so it all even makes sense.

[ The obvious solution of adding a memset() generates horrid code, gcc
  does really stupid things. ]

Reported-by: Ulrich Drepper <drepper at redhat.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---

diff --git a/kernel/signal.c b/kernel/signal.c
index ccf1cee..f268372 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2454,11 +2454,9 @@ do_sigaltstack (const stack_t __user *uss, stack_t __user *uoss, unsigned long s
 	stack_t oss;
 	int error;
 
-	if (uoss) {
-		oss.ss_sp = (void __user *) current->sas_ss_sp;
-		oss.ss_size = current->sas_ss_size;
-		oss.ss_flags = sas_ss_flags(sp);
-	}
+	oss.ss_sp = (void __user *) current->sas_ss_sp;
+	oss.ss_size = current->sas_ss_size;
+	oss.ss_flags = sas_ss_flags(sp);
 
 	if (uss) {
 		void __user *ss_sp;
@@ -2501,13 +2499,16 @@ do_sigaltstack (const stack_t __user *uss, stack_t __user *uoss, unsigned long s
 		current->sas_ss_size = ss_size;
 	}
 
+	error = 0;
 	if (uoss) {
 		error = -EFAULT;
-		if (copy_to_user(uoss, &oss, sizeof(oss)))
+		if (!access_ok(VERIFY_WRITE, uoss, sizeof(*uoss)))
 			goto out;
+		error = __put_user(oss.ss_sp, &uoss->ss_sp) |
+			__put_user(oss.ss_size, &uoss->ss_size) |
+			__put_user(oss.ss_flags, &uoss->ss_flags);
 	}
 
-	error = 0;
 out:
 	return error;
 }


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1404
retrieving revision 1.1405
diff -u -p -r1.1404 -r1.1405
--- kernel.spec	19 Aug 2009 05:13:15 -0000	1.1404
+++ kernel.spec	19 Aug 2009 14:21:15 -0000	1.1405
@@ -754,7 +754,6 @@ Patch9600: linux-2.6-bluetooth-submit-bu
 Patch10000: linux-2.6-ftrace-memory-reduction.patch
 
 Patch11000: linux-2.6-parport-quickfix-the-proc-registration-bug.patch
-Patch11100: linux-2.6-dev-zero-avoid-oom-lockup.patch
 Patch11020: linux-2.6-usb-remove-low-latency-hack.patch
 Patch11030: linux-2.6-x86-delay-tsc-barrier.patch
 # security fixes from the F-11 2.6.29.6 kernel
@@ -764,6 +763,9 @@ Patch11060: personality-fix-per_clear_on
 Patch11070: execve-must-clear-current-clear_child_tid.patch
 Patch11080: make-mmap_min_addr-suck-less.patch
 Patch11090: md-avoid-dereferencing-NULL-ptr-suspend-sysfs.patch
+Patch11091: do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
+
+Patch11100: linux-2.6-dev-zero-avoid-oom-lockup.patch
 
 %endif
 
@@ -1450,6 +1452,9 @@ ApplyPatch make-mmap_min_addr-suck-less.
 # CVE-2009-2849
 ApplyPatch md-avoid-dereferencing-NULL-ptr-suspend-sysfs.patch
 
+# CVE-2009-2847
+ApplyPatch do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
+
 # ======= END OF PATCH APPLICATIONS =============================
 
 %endif
@@ -2032,6 +2037,8 @@ fi
   to improve mmap_min_addr.
 - CVE-2009-2849: md: avoid dereferencing null ptr when accessing suspend
   sysfs attributes.
+- CVE-2009-2847: do_sigaltstack: avoid copying 'stack_t' as a structure
+  to user space
 
 * Tue Aug 18 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.29.6-99
 - Intel wireless fixes from Fedora 11:


