[kernel/f15] CVE-2012-1097 regset: Prevent null pointer reference on readonly regsets

Josh Boyer jwboyer at fedoraproject.org
Mon Mar 5 14:44:31 UTC 2012


commit 3bb94782bdf7141abe3cf31622af765b6d514037
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Mon Mar 5 09:40:00 2012 -0500

    CVE-2012-1097 regset: Prevent null pointer reference on readonly regsets

 kernel.spec                                        |   13 ++++-
 ...ent-null-pointer-reference-on-readonly-re.patch |   63 ++++++++++++++++++++
 ...rn-EFAULT-not-EIO-on-host-side-memory-fau.patch |   46 ++++++++++++++
 3 files changed, 121 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index aa0c77f..0c697d2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # When changing real_sublevel below, reset this by hand to 1
 # (or to 0 and then use rpmdev-bumpspec).
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 
 # real_sublevel is the 3.x kernel version we're starting with
@@ -724,6 +724,10 @@ Patch21104: sony-laptop-Enable-keyboard-backlight-by-default.patch
 # Disable threading in hibernate compression
 Patch21105: disable-threading-in-compression-for-hibernate.patch
 
+#rhbz 799782 CVE-2012-1097
+Patch21106: regset-Prevent-null-pointer-reference-on-readonly-re.patch
+Patch21107: regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
+
 Patch21200: unhandled-irqs-switch-to-polling.patch
 
 %endif
@@ -1341,6 +1345,10 @@ ApplyPatch sony-laptop-Enable-keyboard-backlight-by-default.patch
 #Disable threading in hibernate compression
 ApplyPatch disable-threading-in-compression-for-hibernate.patch
 
+#rhbz 799782 CVE-2012-1097
+ApplyPatch regset-Prevent-null-pointer-reference-on-readonly-re.patch
+ApplyPatch regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
+
 ApplyPatch unhandled-irqs-switch-to-polling.patch
 
 # END OF PATCH APPLICATIONS
@@ -1990,6 +1998,9 @@ fi
 # and build.
 
 %changelog
+* Mon Mar 05 2012 Josh Boyer <jwboyer at redhat.com>
+- CVE-2012-1097 regset: Prevent null pointer reference on readonly regsets
+
 * Fri Mar 02 2012 Dave Jones <davej at redhat.com>
 - Enable VM debugging in non-debug kernels too.
 
diff --git a/regset-Prevent-null-pointer-reference-on-readonly-re.patch b/regset-Prevent-null-pointer-reference-on-readonly-re.patch
new file mode 100644
index 0000000..6e2462e
--- /dev/null
+++ b/regset-Prevent-null-pointer-reference-on-readonly-re.patch
@@ -0,0 +1,63 @@
+From c8e252586f8d5de906385d8cf6385fee289a825e Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa at zytor.com>
+Date: Fri, 2 Mar 2012 10:43:48 -0800
+Subject: [PATCH 1/2] regset: Prevent null pointer reference on readonly
+ regsets
+
+The regset common infrastructure assumed that regsets would always
+have .get and .set methods, but not necessarily .active methods.
+Unfortunately people have since written regsets without .set methods.
+
+Rather than putting in stub functions everywhere, handle regsets with
+null .get or .set methods explicitly.
+
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+Reviewed-by: Oleg Nesterov <oleg at redhat.com>
+Acked-by: Roland McGrath <roland at hack.frob.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/binfmt_elf.c        |    2 +-
+ include/linux/regset.h |    6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index bcb884e..07d096c 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1421,7 +1421,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
+ 	for (i = 1; i < view->n; ++i) {
+ 		const struct user_regset *regset = &view->regsets[i];
+ 		do_thread_regset_writeback(t->task, regset);
+-		if (regset->core_note_type &&
++		if (regset->core_note_type && regset->get &&
+ 		    (!regset->active || regset->active(t->task, regset))) {
+ 			int ret;
+ 			size_t size = regset->n * regset->size;
+diff --git a/include/linux/regset.h b/include/linux/regset.h
+index 8abee65..5150fd1 100644
+--- a/include/linux/regset.h
++++ b/include/linux/regset.h
+@@ -335,6 +335,9 @@ static inline int copy_regset_to_user(struct task_struct *target,
+ {
+ 	const struct user_regset *regset = &view->regsets[setno];
+ 
++	if (!regset->get)
++		return -EOPNOTSUPP;
++
+ 	if (!access_ok(VERIFY_WRITE, data, size))
+ 		return -EIO;
+ 
+@@ -358,6 +361,9 @@ static inline int copy_regset_from_user(struct task_struct *target,
+ {
+ 	const struct user_regset *regset = &view->regsets[setno];
+ 
++	if (!regset->set)
++		return -EOPNOTSUPP;
++
+ 	if (!access_ok(VERIFY_READ, data, size))
+ 		return -EIO;
+ 
+-- 
+1.7.7.6
+
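Review bot: The NULL checks added at the top of copy_regset_to_user and copy_regset_from_user only protect callers that go through those two inline helpers; the core-dump loop in fs/binfmt_elf.c needed its own `regset->get &&` guard precisely because it dereferences `regset->get` directly, and any other direct user of `->get`/`->set` in this tree (kernel-side copy helpers in regset.h, if present, or arch ptrace code) is still unguarded after this hunk. Before treating CVE-2012-1097 as closed on this branch it is worth grepping for remaining direct calls rather than relying on these three sites. The helpers' header comments sit outside the hunk; they should document the new return value, e.g. `* Returns -EOPNOTSUPP if the regset has no ->get (read-only) or no ->set (write-only) method.` The enclosing function fill_thread_core_info starts before the hunk, and the index-0 regset it handles there is presumably assumed to always provide ->get.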
diff --git a/regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch b/regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
new file mode 100644
index 0000000..21b8ae1
--- /dev/null
+++ b/regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
@@ -0,0 +1,46 @@
+From 5189fa19a4b2b4c3bec37c3a019d446148827717 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa at zytor.com>
+Date: Fri, 2 Mar 2012 10:43:49 -0800
+Subject: [PATCH 2/2] regset: Return -EFAULT, not -EIO, on host-side memory
+ fault
+
+There is only one error code to return for a bad user-space buffer
+pointer passed to a system call in the same address space as the
+system call is executed, and that is EFAULT.  Furthermore, the
+low-level access routines, which catch most of the faults, return
+EFAULT already.
+
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+Reviewed-by: Oleg Nesterov <oleg at redhat.com>
+Acked-by: Roland McGrath <roland at hack.frob.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ include/linux/regset.h |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/regset.h b/include/linux/regset.h
+index 5150fd1..686f373 100644
+--- a/include/linux/regset.h
++++ b/include/linux/regset.h
+@@ -339,7 +339,7 @@ static inline int copy_regset_to_user(struct task_struct *target,
+ 		return -EOPNOTSUPP;
+ 
+ 	if (!access_ok(VERIFY_WRITE, data, size))
+-		return -EIO;
++		return -EFAULT;
+ 
+ 	return regset->get(target, regset, offset, size, NULL, data);
+ }
+@@ -365,7 +365,7 @@ static inline int copy_regset_from_user(struct task_struct *target,
+ 		return -EOPNOTSUPP;
+ 
+ 	if (!access_ok(VERIFY_READ, data, size))
+-		return -EIO;
++		return -EFAULT;
+ 
+ 	return regset->set(target, regset, offset, size, NULL, data);
+ }
+-- 
+1.7.7.6
+
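Review bot: Changing both `return -EIO;` lines to `return -EFAULT;` is a user-visible errno change for whatever reaches these helpers with a bad user buffer (presumably PTRACE_GETREGSET/PTRACE_SETREGSET), so a debugger or test that distinguished EIO from EFAULT on a regset call will behave differently after this update; the patch description argues this is the correct and already-common code, but the spec changelog entry names only the NULL-pointer fix. A second changelog line such as `- regset: Return -EFAULT, not -EIO, on host-side memory fault (user-visible errno change)` would make the behaviour change discoverable from the package history. The hunk's context lines show this patch applies on top of the `-EOPNOTSUPP` guards from the first patch, so it cannot be cherry-picked alone.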

