[Glibc-bsd-commits] r3166 - in trunk/kfreebsd-8/debian: . patches

Tue Aug 17 18:44:15 UTC 2010

Author: aurel32
Date: 2010-08-17 18:44:15 +0000 (Tue, 17 Aug 2010)
New Revision: 3166

Added:
   trunk/kfreebsd-8/debian/patches/000_coda.diff
Modified:
   trunk/kfreebsd-8/debian/changelog
   trunk/kfreebsd-8/debian/patches/series
Log:
  * Fix Coda filesystem kernel memory disclosure (CVE-2010-3014).



Modified: trunk/kfreebsd-8/debian/changelog
===================================================================

--- trunk/kfreebsd-8/debian/changelog	2010-08-17 18:02:52 UTC (rev 3165)
+++ trunk/kfreebsd-8/debian/changelog	2010-08-17 18:44:15 UTC (rev 3166)
@@ -1,9 +1,10 @@
-kfreebsd-8 (8.1-5) UNRELEASED; urgency=low
+kfreebsd-8 (8.1-5) UNRELEASED; urgency=medium
 
   * Correctly update a root filesystem to read/write when the mount 
     options are passed as flags instead of iovec, like in busybox.
+  * Fix Coda filesystem kernel memory disclosure (CVE-2010-3014).
 
- -- Aurelien Jarno <aurel32 at debian.org>  Tue, 17 Aug 2010 19:00:29 +0200
+ -- Aurelien Jarno <aurel32 at debian.org>  Tue, 17 Aug 2010 20:41:40 +0200
 
 kfreebsd-8 (8.1-4) unstable; urgency=low
 

Added: trunk/kfreebsd-8/debian/patches/000_coda.diff
===================================================================
--- trunk/kfreebsd-8/debian/patches/000_coda.diff	                        (rev 0)
+++ trunk/kfreebsd-8/debian/patches/000_coda.diff	2010-08-17 18:44:15 UTC (rev 3166)
@@ -0,0 +1,50 @@
+--- a/sys/fs/coda/coda.h
++++ b/sys/fs/coda/coda.h
+@@ -41,7 +41,9 @@
+ #ifndef _CODA_HEADER_
+ #define _CODA_HEADER_
+ 
++#ifdef _KERNEL
+ #include "opt_coda.h"	/* for CODA_COMPAT_5 option */
++#endif
+ 
+ /* Avoid CODA_COMPAT_5 redefinition in coda5 module */
+ #if defined (CODA5_MODULE) && !defined(CODA_COMPAT_5)
+@@ -782,8 +784,8 @@
+ #define PIOCPARM_MASK 0x0000ffff
+ struct ViceIoctl {
+         caddr_t in, out;        /* Data to be transferred in, or out */
+-        short in_size;          /* Size of input buffer <= 2K */
+-        short out_size;         /* Maximum size of output buffer, <= 2K */
++        unsigned short in_size;	/* Size of input buffer <= 8K */
++        unsigned short out_size; /* Maximum size of output buffer, <= 8K */
+ };
+ 
+ #if defined(__CYGWIN32__) || defined(DJGPP)
+--- a/sys/fs/coda/coda_venus.c
++++ b/sys/fs/coda/coda_venus.c
+@@ -274,6 +274,12 @@
+ 	tmp = ((com >> 16) & IOCPARM_MASK) - sizeof (char *) - sizeof (int);
+ 	inp->cmd |= (tmp & IOCPARM_MASK) << 16;
+ 
++	if (iap->vi.in_size > VC_MAXMSGSIZE ||
++	    iap->vi.out_size > VC_MAXMSGSIZE) {
++		CODA_FREE(inp, coda_ioctl_size);
++		return (EINVAL);
++	}
++
+ 	inp->rwflag = flag;
+ 	inp->len = iap->vi.in_size;
+ 	inp->data = (char *)(sizeof (struct coda_ioctl_in));
+--- a/sys/fs/coda/coda_vnops.c
++++ b/sys/fs/coda/coda_vnops.c
+@@ -471,7 +471,8 @@
+ 		    iap->path)););
+ 		return (EINVAL);
+ 	}
+-	if (iap->vi.in_size > VC_MAXDATASIZE) {
++	if (iap->vi.in_size > VC_MAXDATASIZE ||
++	    iap->vi.out_size > VC_MAXDATASIZE) {
+ 		NDFREE(&ndp, 0);
+ 		return (EINVAL);
+ 	}

Modified: trunk/kfreebsd-8/debian/patches/series
===================================================================
--- trunk/kfreebsd-8/debian/patches/series	2010-08-17 18:02:52 UTC (rev 3165)
+++ trunk/kfreebsd-8/debian/patches/series	2010-08-17 18:44:15 UTC (rev 3166)
@@ -1,5 +1,6 @@
 000_adaptive_machine_arch.diff 
 000_ata.diff
+000_coda.diff
 000_ufs_lookup.diff  
 001_misc.diff
 003_glibc_dev_aicasm.diff


