[kernel] r5264 -
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches
Simon Horman
horms at costa.debian.org
Thu Jan 5 08:13:56 UTC 2006
Author: horms
Date: Thu Jan 5 08:13:55 2006
New Revision: 5264
Added:
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/200_net_sdla_xfer_leak.diff
Log:
* [SECURITY] Information leak in sdla
From 2.6.6
See CVE-2004-2607
200_net_sdla_xfer_leak.diff
Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/200_net_sdla_xfer_leak.diff
==============================================================================
--- (empty file)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/200_net_sdla_xfer_leak.diff Thu Jan 5 08:13:55 2006
@@ -0,0 +1,52 @@
+From: Chris Wright <chrisw at osdl.org>
+Date: Mon, 19 Apr 2004 08:26:30 +0000 (-0400)
+Subject: [PATCH] wan sdla: fix probable security hole
+X-Git-Tag: v2.6.6-rc2
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=98cd917c1ac348d5cd94beabecc3011dcaa0a0f2
+
+[PATCH] wan sdla: fix probable security hole
+
+> [BUG] minor
+> /home/kash/linux/linux-2.6.5/drivers/net/wan/sdla.c:1206:sdla_xfer:
+> ERROR:TAINT: 1201:1206:Passing unbounded user value "(mem).len" as arg 0
+> to function "kmalloc", which uses it unsafely in model
+> [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)]
+> [SINK_MODEL=(lib,kmalloc,user,trustingsink)] [MINOR] [PATH=] [Also
+> used at, line 1219 in argument 0 to function "kmalloc"]
+> static int sdla_xfer(struct net_device *dev, struct sdla_mem *info, int
+> read)
+> {
+> struct sdla_mem mem;
+> char *temp;
+>
+> Start --->
+> if(copy_from_user(&mem, info, sizeof(mem)))
+> return -EFAULT;
+>
+> if (read)
+> {
+> Error --->
+> temp = kmalloc(mem.len, GFP_KERNEL);
+> if (!temp)
+> return(-ENOMEM);
+> sdla_read(dev, mem.addr, temp, mem.len);
+
+Hrm, I believe you could use this to read 128k of kernel memory.
+sdla_read() takes len as a short, whereas mem.len is an int. So,
+if mem.len == 0x20000, the allocation could still succeed. When cast
+to short, len will be 0x0, causing the read loop to copy nothing into
+the buffer. At least it's protected by a capable() check. I don't
+know what proper upper bound is for this hardware, or how much it's
+used/cared about. Simple memset() is trivial fix.
+---
+
+--- a/drivers/net/wan/sdla.c
++++ b/drivers/net/wan/sdla.c
+@@ -1206,6 +1206,7 @@ static int sdla_xfer(struct net_device *
+ temp = kmalloc(mem.len, GFP_KERNEL);
+ if (!temp)
+ return(-ENOMEM);
++ memset(temp, 0, mem.len);
+ sdla_read(dev, mem.addr, temp, mem.len);
+ if(copy_to_user(mem.data, temp, mem.len))
+ {
More information about the Kernel-svn-changes
mailing list