[kernel/f15] CVE-2012-1097 regset: Prevent null pointer reference on readonly regsets
Josh Boyer
jwboyer at fedoraproject.org
Mon Mar 5 14:44:31 UTC 2012
commit 3bb94782bdf7141abe3cf31622af765b6d514037
Author: Josh Boyer <jwboyer at redhat.com>
Date: Mon Mar 5 09:40:00 2012 -0500
CVE-2012-1097 regset: Prevent null pointer reference on readonly regsets
kernel.spec | 13 ++++-
...ent-null-pointer-reference-on-readonly-re.patch | 63 ++++++++++++++++++++
...rn-EFAULT-not-EIO-on-host-side-memory-fau.patch | 46 ++++++++++++++
3 files changed, 121 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index aa0c77f..0c697d2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
# When changing real_sublevel below, reset this by hand to 1
# (or to 0 and then use rpmdev-bumpspec).
#
-%global baserelease 1
+%global baserelease 2
%global fedora_build %{baserelease}
# real_sublevel is the 3.x kernel version we're starting with
@@ -724,6 +724,10 @@ Patch21104: sony-laptop-Enable-keyboard-backlight-by-default.patch
# Disable threading in hibernate compression
Patch21105: disable-threading-in-compression-for-hibernate.patch
+#rhbz 799782 CVE-2012-1097
+Patch21106: regset-Prevent-null-pointer-reference-on-readonly-re.patch
+Patch21107: regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
+
Patch21200: unhandled-irqs-switch-to-polling.patch
%endif
@@ -1341,6 +1345,10 @@ ApplyPatch sony-laptop-Enable-keyboard-backlight-by-default.patch
#Disable threading in hibernate compression
ApplyPatch disable-threading-in-compression-for-hibernate.patch
+#rhbz 799782 CVE-2012-1097
+ApplyPatch regset-Prevent-null-pointer-reference-on-readonly-re.patch
+ApplyPatch regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
+
ApplyPatch unhandled-irqs-switch-to-polling.patch
# END OF PATCH APPLICATIONS
@@ -1990,6 +1998,9 @@ fi
# and build.
%changelog
+* Mon Mar 05 2012 Josh Boyer <jwboyer at redhat.com>
+- CVE-2012-1097 regset: Prevent null pointer reference on readonly regsets
+
* Fri Mar 02 2012 Dave Jones <davej at redhat.com>
- Enable VM debugging in non-debug kernels too.
diff --git a/regset-Prevent-null-pointer-reference-on-readonly-re.patch b/regset-Prevent-null-pointer-reference-on-readonly-re.patch
new file mode 100644
index 0000000..6e2462e
--- /dev/null
+++ b/regset-Prevent-null-pointer-reference-on-readonly-re.patch
@@ -0,0 +1,63 @@
+From c8e252586f8d5de906385d8cf6385fee289a825e Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa at zytor.com>
+Date: Fri, 2 Mar 2012 10:43:48 -0800
+Subject: [PATCH 1/2] regset: Prevent null pointer reference on readonly
+ regsets
+
+The regset common infrastructure assumed that regsets would always
+have .get and .set methods, but not necessarily .active methods.
+Unfortunately people have since written regsets without .set methods.
+
+Rather than putting in stub functions everywhere, handle regsets with
+null .get or .set methods explicitly.
+
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+Reviewed-by: Oleg Nesterov <oleg at redhat.com>
+Acked-by: Roland McGrath <roland at hack.frob.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/binfmt_elf.c | 2 +-
+ include/linux/regset.h | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index bcb884e..07d096c 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1421,7 +1421,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
+ for (i = 1; i < view->n; ++i) {
+ const struct user_regset *regset = &view->regsets[i];
+ do_thread_regset_writeback(t->task, regset);
+- if (regset->core_note_type &&
++ if (regset->core_note_type && regset->get &&
+ (!regset->active || regset->active(t->task, regset))) {
+ int ret;
+ size_t size = regset->n * regset->size;
+diff --git a/include/linux/regset.h b/include/linux/regset.h
+index 8abee65..5150fd1 100644
+--- a/include/linux/regset.h
++++ b/include/linux/regset.h
+@@ -335,6 +335,9 @@ static inline int copy_regset_to_user(struct task_struct *target,
+ {
+ const struct user_regset *regset = &view->regsets[setno];
+
++ if (!regset->get)
++ return -EOPNOTSUPP;
++
+ if (!access_ok(VERIFY_WRITE, data, size))
+ return -EIO;
+
+@@ -358,6 +361,9 @@ static inline int copy_regset_from_user(struct task_struct *target,
+ {
+ const struct user_regset *regset = &view->regsets[setno];
+
++ if (!regset->set)
++ return -EOPNOTSUPP;
++
+ if (!access_ok(VERIFY_READ, data, size))
+ return -EIO;
+
+--
+1.7.7.6
+
diff --git a/regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch b/regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
new file mode 100644
index 0000000..21b8ae1
--- /dev/null
+++ b/regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
@@ -0,0 +1,46 @@
+From 5189fa19a4b2b4c3bec37c3a019d446148827717 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa at zytor.com>
+Date: Fri, 2 Mar 2012 10:43:49 -0800
+Subject: [PATCH 2/2] regset: Return -EFAULT, not -EIO, on host-side memory
+ fault
+
+There is only one error code to return for a bad user-space buffer
+pointer passed to a system call in the same address space as the
+system call is executed, and that is EFAULT. Furthermore, the
+low-level access routines, which catch most of the faults, return
+EFAULT already.
+
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+Reviewed-by: Oleg Nesterov <oleg at redhat.com>
+Acked-by: Roland McGrath <roland at hack.frob.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ include/linux/regset.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/regset.h b/include/linux/regset.h
+index 5150fd1..686f373 100644
+--- a/include/linux/regset.h
++++ b/include/linux/regset.h
+@@ -339,7 +339,7 @@ static inline int copy_regset_to_user(struct task_struct *target,
+ return -EOPNOTSUPP;
+
+ if (!access_ok(VERIFY_WRITE, data, size))
+- return -EIO;
++ return -EFAULT;
+
+ return regset->get(target, regset, offset, size, NULL, data);
+ }
+@@ -365,7 +365,7 @@ static inline int copy_regset_from_user(struct task_struct *target,
+ return -EOPNOTSUPP;
+
+ if (!access_ok(VERIFY_READ, data, size))
+- return -EIO;
++ return -EFAULT;
+
+ return regset->set(target, regset, offset, size, NULL, data);
+ }
+--
+1.7.7.6
+
More information about the scm-commits
mailing list