Author: dannf Date: Wed Jan 16 07:37:12 2008 New Revision: 10123 Log: * bugfix/do_brk-security-hook.patch Add security checks to do_brk() to prevent unprivileged users from accessing low memory pages See CVE-2007-6434
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/do_brk-security-hook.patch Modified: dists/etch-security/linux-2.6/debian/changelog dists/etch-security/linux-2.6/debian/patches/series/17etch1 Modified: dists/etch-security/linux-2.6/debian/changelog ============================================================================== --- dists/etch-security/linux-2.6/debian/changelog (original) +++ dists/etch-security/linux-2.6/debian/changelog Wed Jan 16 07:37:12 2008 @@ -16,8 +16,12 @@ local user to read potentially sensitive kernel memory from the proc filesystem See CVE-2007-4571 + * bugfix/do_brk-security-hook.patch + Add security checks to do_brk() to prevent unprivileged users from + accessing low memory pages + See CVE-2007-6434 - -- dann frazier <[EMAIL PROTECTED]> Tue, 15 Jan 2008 16:44:15 -0700 + -- dann frazier <[EMAIL PROTECTED]> Wed, 16 Jan 2008 00:31:52 -0700 linux-2.6 (2.6.18.dfsg.1-17) stable; urgency=high Added: dists/etch-security/linux-2.6/debian/patches/bugfix/do_brk-security-hook.patch ============================================================================== --- (empty file) +++ dists/etch-security/linux-2.6/debian/patches/bugfix/do_brk-security-hook.patch Wed Jan 16 07:37:12 2008 @@ -0,0 +1,34 @@ +commit ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5 +Author: Eric Paris <[EMAIL PROTECTED]> +Date: Tue Dec 4 23:45:31 2007 -0800 + + VM/Security: add security hook to do_brk + + Given a specifically crafted binary do_brk() can be used to get low pages + available in userspace virtual memory and can thus be used to circumvent + the mmap_min_addr low memory protection. Add security checks in do_brk(). + + Signed-off-by: Eric Paris <[EMAIL PROTECTED]> + Acked-by: Alan Cox <[EMAIL PROTECTED]> + Cc: Stephen Smalley <[EMAIL PROTECTED]> + Cc: James Morris <[EMAIL PROTECTED]> + Cc: Chris Wright <[EMAIL PROTECTED]> + Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> + Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> + +Adjusted to apply to Debian's 2.6.18 by dann frazier <[EMAIL PROTECTED]> + +diff -urpN linux-source-2.6.18.orig/mm/mmap.c linux-source-2.6.18/mm/mmap.c +--- linux-source-2.6.18.orig/mm/mmap.c 2008-01-15 16:46:27.000000000 -0700 ++++ linux-source-2.6.18/mm/mmap.c 2008-01-16 00:28:42.000000000 -0700 +@@ -1883,6 +1883,10 @@ unsigned long do_brk(unsigned long addr, + if ((addr + len) > TASK_SIZE || (addr + len) < addr) + return -EINVAL; + ++ error = security_file_mmap(0, 0, 0, 0, addr, 1); ++ if (error) ++ return error; ++ + flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; + + error = arch_mmap_check(addr, len, flags); Modified: dists/etch-security/linux-2.6/debian/patches/series/17etch1 ============================================================================== --- dists/etch-security/linux-2.6/debian/patches/series/17etch1 (original) +++ dists/etch-security/linux-2.6/debian/patches/series/17etch1 Wed Jan 16 07:37:12 2008 @@ -3,3 +3,4 @@ + bugfix/fat-move-ioctl-compat-code.patch + bugfix/fat-fix-compat-ioctls.patch + bugfix/proc-snd-page-alloc-mem-leak.patch ++ bugfix/do_brk-security-hook.patch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes