From: Prarit Bhargava <prarit@redhat.com> Subject: [RHEL5.1 PATCH]: BZ 242811 CVE-2007-2875 cpuset information leak Date: Tue, 12 Jun 2007 08:30:28 -0400 Bugzilla: 242811 Message-Id: <20070612123028.31045.64690.sendpatchset@prarit.boston.redhat.com> Changelog: [misc] cpuset information leak Backport of http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=85badbdf5120d246ce2bb3f1a7689a805f9c9006;hp=92f4c701aad794de9e4cf7341d0a486aed027c46 Resolves BZ 242811, CVE-2007-2875. Successfully tested by me on altix2.
--- linux-2.6.18.ia64.orig/kernel/configs.c 2007-06-11 15:01:28.000000000 -0400
+++ linux-2.6.18.ia64/kernel/configs.c 2007-06-11 17:18:05.000000000 -0400
@@ -61,18 +61,9 @@ static ssize_t ikconfig_read_current(struct file *file, char __user *buf, size_t len, loff_t * offset)
 {
- loff_t pos = *offset;
- ssize_t count;
-
- if (pos >= kernel_config_data_size)
- return 0;
-
- count = min(len, (size_t)(kernel_config_data_size - pos));
- if (copy_to_user(buf, kernel_config_data + MAGIC_SIZE + pos, count))
- return -EFAULT;
-
- *offset += count;
- return count;
+ return simple_read_from_buffer(buf, len, offset,
+ kernel_config_data + MAGIC_SIZE,
+ kernel_config_data_size);
 }
 static struct file_operations ikconfig_file_ops = {
--- linux-2.6.18.ia64.orig/kernel/cpuset.c 2007-06-11 15:01:28.000000000 -0400
+++ linux-2.6.18.ia64/kernel/cpuset.c 2007-06-11 17:18:05.000000000 -0400
@@ -1742,12 +1742,7 @@ static ssize_t cpuset_tasks_read(struct
 {
 struct ctr_struct *ctr = file->private_data;
- if (*ppos + nbytes > ctr->bufsz)
- nbytes = ctr->bufsz - *ppos;
- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
- return -EFAULT;
- *ppos += nbytes;
- return nbytes;
+ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
 }
 static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
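Review bot: The new `simple_read_from_buffer()` call in `ikconfig_read_current` is only in bounds if `kernel_config_data_size` does not count the `MAGIC_SIZE` bytes that are skipped in the base pointer, and that definition lies outside this hunk. The removed code relied on the same assumption, so this is not a regression, but the invariant is now carried by a single argument list and deserves a comment above the call, for example `/* kernel_config_data_size must not count the MAGIC_SIZE bytes skipped here */`. Because this is a backport, it is also worth confirming that the helper in the target tree rejects a negative `*offset`, which the removed open-coded version never checked.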
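Review bot: Nothing in this hunk shows that `simple_read_from_buffer()` in the 2.6.18 tree clamps `nbytes` and returns 0 once `*ppos` reaches `ctr->bufsz`, and `cpuset_tasks_read` no longer performs any check of its own, so that behaviour should be confirmed against the backport target rather than upstream. The removed code computed `ctr->bufsz - *ppos` without first checking that `*ppos` lay inside the buffer, so a regression test that reads the tasks file at an offset past the end of the buffer and expects 0 bytes would pin the fix. The declaration of `bufsz` is outside the hunk; if it is a signed type it is converted to the helper's size argument, so a short comment such as `/* ctr->bufsz is the non-negative length of ctr->buf */` would document the assumption.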