Date: Wed, 28 Apr 2004 14:44:15 -0700
From: Chris Wright <chrisw@osdl.org>
To: vendor-sec@lst.de
Subject: Re: [vendor-sec] [hmh@debian.org: Re: kernel security problems
    again?]

* Matt Zimmerman (mdz@debian.org) wrote:
> Does anyone have details about these?  Are there genuine vulnerabilities
> here?

I'd say the e1000 is the worst of the bunch.
> ----- Forwarded message from Henrique de Moraes Holschuh <hmh@debian.org>
-----
> 
> Date: Fri, 23 Apr 2004 10:50:58 -0300
> From: Henrique de Moraes Holschuh <hmh@debian.org>
> Resent-From: debian-security@lists.debian.org
> To: debian-security@lists.debian.org
> Subject: Re: kernel security problems again?
> 
> On Fri, 23 Apr 2004, Giacomo Mulas wrote:
> >     * Fix potential memory leak in devpts

This is small leak during a mount, which seems like a small issue, but
if you're fixing things up...

> >     * Fix potential memory access to free memory in /proc handling

I don't recall if it's easily trigered.  Fix is trivial, so, again, if
you're fixing things up...

> There is also:
>       * e1000: fix probable security hole

This hole allows reading kernel memory.  The patch (2.6, but should
be same against 2.4) is below:

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

===== drivers/net/e1000/e1000_ethtool.c 1.42 vs edited =====
--- 1.42/drivers/net/e1000/e1000_ethtool.c     Fri Apr  9 16:39:34 2004
+++ edited/drivers/net/e1000/e1000_ethtool.c   Fri Apr 16 11:20:03 2004
@@ -1514,6 +1514,9 @@
 
       if(copy_from_user(&regs, addr, sizeof(regs)))

       return -EFAULT;
+      memset(regs_buff, 0, sizeof(regs_buff));
+      if (regs.len > E1000_REGS_LEN)
+      regs.len = E1000_REGS_LEN;
       e1000_ethtool_gregs(adapter, &regs, regs_buff);
       if(copy_to_user(addr, &regs, sizeof(regs)))
       return -EFAULT;


Should be something for STABLE.