[kernel] r5264 - dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches

Simon Horman horms at costa.debian.org
Thu Jan 5 08:13:56 UTC 2006 

Author: horms
Date: Thu Jan  5 08:13:55 2006
New Revision: 5264

Added:
   dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/200_net_sdla_xfer_leak.diff
Log:
  * [SECURITY] Information leak in sdla
    From 2.6.6
    See CVE-2004-2607
    200_net_sdla_xfer_leak.diff


Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/200_net_sdla_xfer_leak.diff
==============================================================================
--- (empty file)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/200_net_sdla_xfer_leak.diff	Thu Jan  5 08:13:55 2006
@@ -0,0 +1,52 @@
+From: Chris Wright <chrisw at osdl.org>
+Date: Mon, 19 Apr 2004 08:26:30 +0000 (-0400)
+Subject: [PATCH] wan sdla:  fix probable security hole
+X-Git-Tag: v2.6.6-rc2
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=98cd917c1ac348d5cd94beabecc3011dcaa0a0f2
+
+[PATCH] wan sdla:  fix probable security hole
+
+> [BUG] minor
+> /home/kash/linux/linux-2.6.5/drivers/net/wan/sdla.c:1206:sdla_xfer:
+> ERROR:TAINT: 1201:1206:Passing unbounded user value "(mem).len" as arg 0
+> to function "kmalloc", which uses it unsafely in model
+> [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)]
+> [SINK_MODEL=(lib,kmalloc,user,trustingsink)]  [MINOR]  [PATH=] [Also
+> used at, line 1219 in argument 0 to function "kmalloc"]
+> static int sdla_xfer(struct net_device *dev, struct sdla_mem *info, int
+> read)
+> {
+> 	struct sdla_mem mem;
+> 	char	*temp;
+>
+> Start --->
+> 	if(copy_from_user(&mem, info, sizeof(mem)))
+> 		return -EFAULT;
+>
+> 	if (read)
+> 	{
+> Error --->
+> 		temp = kmalloc(mem.len, GFP_KERNEL);
+> 		if (!temp)
+> 			return(-ENOMEM);
+> 		sdla_read(dev, mem.addr, temp, mem.len);
+
+Hrm, I believe you could use this to read 128k of kernel memory.
+sdla_read() takes len as a short, whereas mem.len is an int.  So,
+if mem.len == 0x20000, the allocation could still succeed.  When cast
+to short, len will be 0x0, causing the read loop to copy nothing into
+the buffer.  At least it's protected by a capable() check.  I don't
+know what proper upper bound is for this hardware, or how much it's
+used/cared about.  Simple memset() is trivial fix.
+---
+
+--- a/drivers/net/wan/sdla.c
++++ b/drivers/net/wan/sdla.c
+@@ -1206,6 +1206,7 @@ static int sdla_xfer(struct net_device *
+ 		temp = kmalloc(mem.len, GFP_KERNEL);
+ 		if (!temp)
+ 			return(-ENOMEM);
++		memset(temp, 0, mem.len);
+ 		sdla_read(dev, mem.addr, temp, mem.len);
+ 		if(copy_to_user(mem.data, temp, mem.len))
+ 		{

More information about the Kernel-svn-changes mailing list