[kernel] r7177 - in dists/sid/linux-2.6.16/debian: . patches

Dann Frazier dannf at costa.debian.org
Thu Aug 17 03:27:11 UTC 2006 

Author: dannf
Date: Thu Aug 17 03:27:10 2006
New Revision: 7177

Added:
   dists/sid/linux-2.6.16/debian/patches/usb-serial-ftdi_sio-dos.patch
Modified:
   dists/sid/linux-2.6.16/debian/changelog
   dists/sid/linux-2.6.16/debian/patches/series/18

Log:
* usb-serial-ftdi_sio-dos.patch: fix userspace DoS in ftdi_sio driver

Modified: dists/sid/linux-2.6.16/debian/changelog
==============================================================================
--- dists/sid/linux-2.6.16/debian/changelog	(original)
+++ dists/sid/linux-2.6.16/debian/changelog	Thu Aug 17 03:27:10 2006
@@ -8,14 +8,12 @@
   * fs-ext3-bad-nfs-handle.patch: avoid triggering ext3_error on bad NFS
     file handle (CVE-2006-3468)
   * cdrom-bad-cgc.buflen-assign.patch: fix buffer overflow in dvd_read_bca
-    which could potentially be used by a local user to trigger a buffer
-    overflow via a specially crafted DVD, USB stick, or similar automatically
-    mounted device (CVE-2006-2935)
+  * usb-serial-ftdi_sio-dos.patch: fix userspace DoS in ftdi_sio driver
 
   [ Bastian Blank ]
   * Update xen patch to changeset 9762.
 
- -- dann frazier <dannf at debian.org>  Wed, 16 Aug 2006 21:11:12 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 16 Aug 2006 21:25:43 -0600
 
 linux-2.6.16 (2.6.16-17) unstable; urgency=high
 

Modified: dists/sid/linux-2.6.16/debian/patches/series/18
==============================================================================
--- dists/sid/linux-2.6.16/debian/patches/series/18	(original)
+++ dists/sid/linux-2.6.16/debian/patches/series/18	Thu Aug 17 03:27:10 2006
@@ -1,2 +1,3 @@
 + fs-ext3-bad-nfs-handle.patch
 + cdrom-bad-cgc.buflen-assign.patch
++ usb-serial-ftdi_sio-dos.patch

Added: dists/sid/linux-2.6.16/debian/patches/usb-serial-ftdi_sio-dos.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6.16/debian/patches/usb-serial-ftdi_sio-dos.patch	Thu Aug 17 03:27:10 2006
@@ -0,0 +1,183 @@
+From: Ian Abbott <abbotti at mev.co.uk>
+Date: Mon, 26 Jun 2006 11:59:17 +0000 (+0100)
+Subject: USB serial ftdi_sio: Prevent userspace DoS (CVE-2006-2936)
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commitdiff;h=ba4532fa45b99a866d253877372f086503a944c6
+
+USB serial ftdi_sio: Prevent userspace DoS (CVE-2006-2936)
+
+This patch limits the amount of outstanding 'write' data that can be
+queued up for the ftdi_sio driver, to prevent userspace DoS attacks (or
+simple accidents) that use up all the system memory by writing lots of
+data to the serial port.
+
+The original patch was by Guillaume Autran, who in turn based it on the
+same mechanism implemented in the 'visor' driver.  I (Ian Abbott)
+re-targeted the patch to the latest sources, fixed a couple of errors,
+renamed his new structure members, and updated the implementations of
+the 'write_room' and 'chars_in_buffer' methods to take account of the
+number of outstanding 'write' bytes.  It seems to work fine, though at
+low baud rates it is still possible to queue up an amount of data that
+takes an age to shift (a job for another day!).
+
+Signed-off-by: Ian Abbott <abbotti at mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -553,6 +553,10 @@ struct ftdi_private {
+ 
+ 	int force_baud;		/* if non-zero, force the baud rate to this value */
+ 	int force_rtscts;	/* if non-zero, force RTS-CTS to always be enabled */
++
++	spinlock_t tx_lock;	/* spinlock for transmit state */
++	unsigned long tx_outstanding_bytes;
++	unsigned long tx_outstanding_urbs;
+ };
+ 
+ /* Used for TIOCMIWAIT */
+@@ -626,6 +630,9 @@ static struct usb_serial_driver ftdi_sio
+ #define HIGH 1
+ #define LOW 0
+ 
++/* number of outstanding urbs to prevent userspace DoS from happening */
++#define URB_UPPER_LIMIT	42
++
+ /*
+  * ***************************************************************************
+  * Utlity functions
+@@ -1156,6 +1163,7 @@ static int ftdi_sio_attach (struct usb_s
+ 	}
+ 
+ 	spin_lock_init(&priv->rx_lock);
++	spin_lock_init(&priv->tx_lock);
+         init_waitqueue_head(&priv->delta_msr_wait);
+ 	/* This will push the characters through immediately rather
+ 	   than queue a task to deliver them */
+@@ -1372,6 +1380,7 @@ static int ftdi_write (struct usb_serial
+ 	int data_offset ;       /* will be 1 for the SIO and 0 otherwise */
+ 	int status;
+ 	int transfer_size;
++	unsigned long flags;
+ 
+ 	dbg("%s port %d, %d bytes", __FUNCTION__, port->number, count);
+ 
+@@ -1379,6 +1388,13 @@ static int ftdi_write (struct usb_serial
+ 		dbg("write request of 0 bytes");
+ 		return 0;
+ 	}
++	spin_lock_irqsave(&priv->tx_lock, flags);
++	if (priv->tx_outstanding_urbs > URB_UPPER_LIMIT) {
++		spin_unlock_irqrestore(&priv->tx_lock, flags);
++		dbg("%s - write limit hit\n", __FUNCTION__);
++		return 0;
++	}
++	spin_unlock_irqrestore(&priv->tx_lock, flags);
+ 	
+ 	data_offset = priv->write_offset;
+         dbg("data_offset set to %d",data_offset);
+@@ -1445,6 +1461,11 @@ static int ftdi_write (struct usb_serial
+ 		err("%s - failed submitting write urb, error %d", __FUNCTION__, status);
+ 		count = status;
+ 		kfree (buffer);
++	} else {
++		spin_lock_irqsave(&priv->tx_lock, flags);
++		++priv->tx_outstanding_urbs;
++		priv->tx_outstanding_bytes += count;
++		spin_unlock_irqrestore(&priv->tx_lock, flags);
+ 	}
+ 
+ 	/* we are done with this urb, so let the host driver
+@@ -1460,7 +1481,11 @@ static int ftdi_write (struct usb_serial
+ 
+ static void ftdi_write_bulk_callback (struct urb *urb, struct pt_regs *regs)
+ {
++	unsigned long flags;
+ 	struct usb_serial_port *port = (struct usb_serial_port *)urb->context;
++	struct ftdi_private *priv;
++	int data_offset;       /* will be 1 for the SIO and 0 otherwise */
++	unsigned long countback;
+ 
+ 	/* free up the transfer buffer, as usb_free_urb() does not do this */
+ 	kfree (urb->transfer_buffer);
+@@ -1472,34 +1497,67 @@ static void ftdi_write_bulk_callback (st
+ 		return;
+ 	}
+ 
++	priv = usb_get_serial_port_data(port);
++	if (!priv) {
++		dbg("%s - bad port private data pointer - exiting", __FUNCTION__);
++		return;
++	}
++	/* account for transferred data */
++	countback = urb->actual_length;
++	data_offset = priv->write_offset;
++	if (data_offset > 0) {
++		/* Subtract the control bytes */
++		countback -= (data_offset * ((countback + (PKTSZ - 1)) / PKTSZ));
++	}
++	spin_lock_irqsave(&priv->tx_lock, flags);
++	--priv->tx_outstanding_urbs;
++	priv->tx_outstanding_bytes -= countback;
++	spin_unlock_irqrestore(&priv->tx_lock, flags);
++
+ 	schedule_work(&port->work);
+ } /* ftdi_write_bulk_callback */
+ 
+ 
+ static int ftdi_write_room( struct usb_serial_port *port )
+ {
++	struct ftdi_private *priv = usb_get_serial_port_data(port);
++	int room;
++	unsigned long flags;
++
+ 	dbg("%s - port %d", __FUNCTION__, port->number);
+ 
+-	/*
+-	 * We really can take anything the user throws at us
+-	 * but let's pick a nice big number to tell the tty
+-	 * layer that we have lots of free space
+-	 */
+-	return 2048;
++	spin_lock_irqsave(&priv->tx_lock, flags);
++	if (priv->tx_outstanding_urbs < URB_UPPER_LIMIT) {
++		/*
++		 * We really can take anything the user throws at us
++		 * but let's pick a nice big number to tell the tty
++		 * layer that we have lots of free space
++		 */
++		room = 2048;
++	} else {
++		room = 0;
++	}
++	spin_unlock_irqrestore(&priv->tx_lock, flags);
++	return room;
+ } /* ftdi_write_room */
+ 
+ 
+ static int ftdi_chars_in_buffer (struct usb_serial_port *port)
+ { /* ftdi_chars_in_buffer */
++	struct ftdi_private *priv = usb_get_serial_port_data(port);
++	int buffered;
++	unsigned long flags;
++
+ 	dbg("%s - port %d", __FUNCTION__, port->number);
+ 
+-	/* 
+-	 * We can't really account for how much data we
+-	 * have sent out, but hasn't made it through to the
+-	 * device, so just tell the tty layer that everything
+-	 * is flushed.
+-	 */
+-	return 0;
++	spin_lock_irqsave(&priv->tx_lock, flags);
++	buffered = (int)priv->tx_outstanding_bytes;
++	spin_unlock_irqrestore(&priv->tx_lock, flags);
++	if (buffered < 0) {
++		err("%s outstanding tx bytes is negative!", __FUNCTION__);
++		buffered = 0;
++	}
++	return buffered;
+ } /* ftdi_chars_in_buffer */
+ 
+

More information about the Kernel-svn-changes mailing list