Author: dannf
Date: Wed Jan 16 07:37:12 2008
New Revision: 10123
Log:
* bugfix/do_brk-security-hook.patch
Add security checks to do_brk() to prevent unprivileged users from
accessing low memory pages
See CVE-2007-6434
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/do_brk-security-hook.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/17etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Wed Jan 16 07:37:12 2008
@@ -16,8 +16,12 @@
local user to read potentially sensitive kernel memory from the proc
filesystem
See CVE-2007-4571
+ * bugfix/do_brk-security-hook.patch
+ Add security checks to do_brk() to prevent unprivileged users from
+ accessing low memory pages
+ See CVE-2007-6434
- -- dann frazier <[EMAIL PROTECTED]> Tue, 15 Jan 2008 16:44:15 -0700
+ -- dann frazier <[EMAIL PROTECTED]> Wed, 16 Jan 2008 00:31:52 -0700
linux-2.6 (2.6.18.dfsg.1-17) stable; urgency=high
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/do_brk-security-hook.patch
==============================================================================
--- (empty file)
+++
dists/etch-security/linux-2.6/debian/patches/bugfix/do_brk-security-hook.patch
Wed Jan 16 07:37:12 2008
@@ -0,0 +1,34 @@
+commit ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
+Author: Eric Paris <[EMAIL PROTECTED]>
+Date: Tue Dec 4 23:45:31 2007 -0800
+
+ VM/Security: add security hook to do_brk
+
+ Given a specifically crafted binary do_brk() can be used to get low pages
+ available in userspace virtual memory and can thus be used to circumvent
+ the mmap_min_addr low memory protection. Add security checks in do_brk().
+
+ Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
+ Acked-by: Alan Cox <[EMAIL PROTECTED]>
+ Cc: Stephen Smalley <[EMAIL PROTECTED]>
+ Cc: James Morris <[EMAIL PROTECTED]>
+ Cc: Chris Wright <[EMAIL PROTECTED]>
+ Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+ Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN linux-source-2.6.18.orig/mm/mmap.c linux-source-2.6.18/mm/mmap.c
+--- linux-source-2.6.18.orig/mm/mmap.c 2008-01-15 16:46:27.000000000 -0700
++++ linux-source-2.6.18/mm/mmap.c 2008-01-16 00:28:42.000000000 -0700
+@@ -1883,6 +1883,10 @@ unsigned long do_brk(unsigned long addr,
+ if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+ return -EINVAL;
+
++ error = security_file_mmap(0, 0, 0, 0, addr, 1);
++ if (error)
++ return error;
++
+ flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+
+ error = arch_mmap_check(addr, len, flags);
Modified: dists/etch-security/linux-2.6/debian/patches/series/17etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/17etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/17etch1 Wed Jan 16
07:37:12 2008
@@ -3,3 +3,4 @@
+ bugfix/fat-move-ioctl-compat-code.patch
+ bugfix/fat-fix-compat-ioctls.patch
+ bugfix/proc-snd-page-alloc-mem-leak.patch
++ bugfix/do_brk-security-hook.patch
_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
