r2175 - trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches

Andres Salomon dilinger-guest@costa.debian.org
Sat, 08 Jan 2005 02:20:40 +0100


Author: dilinger-guest
Date: 2005-01-08 02:20:39 +0100 (Sat, 08 Jan 2005)
New Revision: 2175

Modified:
   trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch
Log:
Grab James Bottomley's fix for sg_scsi_ioctl (replaces the locally written length-check patch).


Modified: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch	2005-01-07 23:30:58 UTC (rev 2174)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch	2005-01-08 01:20:39 UTC (rev 2175)
@@ -2,58 +2,42 @@
 ## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: Description: [SECURITY] make SG ioctl stuff validate integers before passing to get_user and friends
-## DP: Patch author: Andres Salomon <dilinger@voxel.net>
-## DP: Upstream status: not yet submitted
+## DP: Description: [SECURITY] Fix exploitable hole in sg_scsi_ioctl
+## DP: Patch author: James Bottomley <James.Bottomley@SteelEye.com>
+## DP: Upstream status: backported from scsi-misc
 
 . $(dirname $0)/DPATCH
 
 @DPATCH@
-Revision: linux-drivers-block--scsi-ioctl-overflow--0--patch-1
-Archive: dilinger@voxel.net--2005-public
-Creator: Andres Salomon <dilinger@voxel.net>
-Date: Fri Jan  7 18:20:43 EST 2005
-Standard-date: 2005-01-07 23:20:43 GMT
-Modified-files: scsi_ioctl.c
-New-patches: dilinger@voxel.net--2005-public/linux-drivers-block--scsi-ioctl-overflow--0--patch-1
-Summary: check user-supplied lengths during SG ioctls
-Keywords: 
-
-http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html
-
-Check that the values we're getting for lengths are sane before doing any
-processing on the data supplied by the user.
-
-
-
-* modified files
-
---- orig/drivers/block/scsi_ioctl.c
-+++ mod/drivers/block/scsi_ioctl.c
-@@ -347,9 +347,11 @@
- 	 */
- 	if (get_user(in_len, &sic->inlen))
- 		return -EFAULT;
-+	if (in_len < 0 || in_len > PAGE_SIZE)
-+		return -EINVAL;
- 	if (get_user(out_len, &sic->outlen))
- 		return -EFAULT;
--	if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
-+	if (out_len < 0 || out_len > PAGE_SIZE)
- 		return -EINVAL;
- 	if (get_user(opcode, sic->data))
- 		return -EFAULT;
-@@ -366,6 +368,10 @@
- 	rq = blk_get_request(q, in_len ? WRITE : READ, __GFP_WAIT);
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/01/07 16:38:51-05:00 jejb@mulgrave.(none) 
+#   Fix exploitable hole in sg_scsi_ioctl
+#   
+#   in_len and out_len are signed quantites copied from
+#   user space but are only checked to see if they're >
+#   PAGE_SIZE.  The exploit would be to pass in a negative
+#   quantity which would pass the check.
+#   
+#   Fix by making them unsigned.
+#   
+#   Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+# 
+# drivers/block/scsi_ioctl.c
+#   2005/01/07 16:36:05-05:00 jejb@mulgrave.(none) +2 -1
+#   Fix exploitable hole in sg_scsi_ioctl
+# 
+diff -Nru a/drivers/block/scsi_ioctl.c b/drivers/block/scsi_ioctl.c
+--- a/drivers/block/scsi_ioctl.c	2005-01-07 17:24:38 -08:00
++++ b/drivers/block/scsi_ioctl.c	2005-01-07 17:24:38 -08:00
+@@ -339,7 +339,8 @@
+ 			 struct gendisk *bd_disk, Scsi_Ioctl_Command __user *sic)
+ {
+ 	struct request *rq;
+-	int err, in_len, out_len, bytes, opcode, cmdlen;
++	int err;
++	unsigned int in_len, out_len, bytes, opcode, cmdlen;
+ 	char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
  
- 	cmdlen = COMMAND_SIZE(opcode);
-+	if (cmdlen < 0 || cmdlen > PAGE_SIZE) {
-+		err = -EINVAL;
-+		goto error;
-+	}
- 
  	/*
- 	 * get command and data to send to device, if any
-
-
-
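Review bot: The new dpatch fixes the signedness only at the declaration (`unsigned int in_len, out_len, bytes, opcode, cmdlen;`), so its effect depends entirely on the `> PAGE_SIZE` comparisons and the allocation/copy sizes that follow, all of which lie outside this hunk and now reject former negative values as large unsigned ones; a comment at that line, `/* user-supplied sizes: keep unsigned so the PAGE_SIZE checks below reject wrapped values */`, would stop a later cleanup from quietly reverting it. The replaced version also bounded `cmdlen` after `COMMAND_SIZE(opcode)` (the removed `if (cmdlen < 0 || cmdlen > PAGE_SIZE)` block); the backport drops that check, which is only safe if COMMAND_SIZE() is table-bounded in the 2.6.10 tree, and that should be confirmed rather than assumed since nothing in the hunk shows it. The new `## DP:` header also loses the advisory reference the old patch carried (the seclists.org URL at the removed line); keeping it in the description preserves the link between this Debian patch and the public report. The body of sg_scsi_ioctl continues outside the hunk.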