[kernel] r5366 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at costa.debian.org
Sun Jan 8 23:56:50 UTC 2006


Author: dannf
Date: Sun Jan  8 23:56:48 2006
New Revision: 5366

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs_coda_coverty.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
Log:
* fs_coda_coverty.dpatch:
  [SECURITY] Add bounds checking to coda fs.
  See CVE-2005-0124

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sun Jan  8 23:56:48 2006
@@ -157,7 +157,11 @@
     an issued URB request completes.
     See CVE-2005-3055
 
- -- dann frazier <dannf at debian.org>  Sun,  8 Jan 2006 15:08:21 -0700
+  * fs_coda_coverty.dpatch:
+    [SECURITY] Add bounds checking to coda fs.
+    See CVE-2005-0124
+
+ -- dann frazier <dannf at debian.org>  Sun,  8 Jan 2006 16:54:46 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs_coda_coverty.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs_coda_coverty.dpatch	Sun Jan  8 23:56:48 2006
@@ -0,0 +1,83 @@
+diff -Naru a/fs/coda/upcall.c b/fs/coda/upcall.c
+--- a/fs/coda/upcall.c	2006-01-08 15:47:52 -08:00
++++ b/fs/coda/upcall.c	2006-01-08 15:47:52 -08:00
+@@ -555,6 +555,11 @@
+ 		goto exit;
+         }
+ 
++        if (data->vi.out_size > VC_MAXDATASIZE) {
++		error = -EINVAL;
++		goto exit;
++	}
++
+         inp->coda_ioctl.VFid = *fid;
+     
+         /* the cmd field was mutated by increasing its size field to
+@@ -583,18 +588,25 @@
+ 		       error, coda_f2s(fid));
+ 		goto exit; 
+ 	}
++
++	if (outsize < (long)outp->coda_ioctl.data + outp->coda_ioctl.len) {
++		error = -EINVAL;
++		goto exit;
++	}
+         
+ 	/* Copy out the OUT buffer. */
+         if (outp->coda_ioctl.len > data->vi.out_size) {
+ 		error = -EINVAL;
+-        } else {
+-		if (copy_to_user(data->vi.out, 
+-				 (char *)outp + (long)outp->coda_ioctl.data, 
+-				 data->vi.out_size)) {
+-			error = -EFAULT;
+-			goto exit;
+-		}
++		goto exit;
+         }
++
++	/* Copy out the OUT buffer. */
++	if (copy_to_user(data->vi.out,
++			 (char *)outp + (long)outp->coda_ioctl.data,
++			 outp->coda_ioctl.len)) {
++		error = -EFAULT;
++		goto exit;
++	}
+ 
+  exit:
+ 	CODA_FREE(inp, insize);
+diff -Naru a/include/linux/coda.h b/include/linux/coda.h
+--- a/include/linux/coda.h	2006-01-08 15:47:52 -08:00
++++ b/include/linux/coda.h	2006-01-08 15:47:52 -08:00
+@@ -761,8 +761,8 @@
+ struct ViceIoctl {
+         void __user *in;        /* Data to be transferred in */
+         void __user *out;       /* Data to be transferred out */
+-        short in_size;          /* Size of input buffer <= 2K */
+-        short out_size;         /* Maximum size of output buffer, <= 2K */
++        u_short in_size;        /* Size of input buffer <= 2K */
++        u_short out_size;       /* Maximum size of output buffer, <= 2K */
+ };
+ 
+ struct PioctlData {
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/01/11 09:26:36-08:00 jaharkes at cs.cmu.edu 
+#   [PATCH] coda: bounds checking
+#   
+#   This patch adds bounds checks for tainted scalars (reported by Brian Fulton
+#   and Ted Unangst, Coverity Inc.).
+#   
+#   Signed-off-by: Jan Harkes <jaharkes at cs.cmu.edu>
+#   Signed-off-by: Andrew Morton <akpm at osdl.org>
+#   Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+# 
+# fs/coda/upcall.c
+#   2005/01/10 17:29:40-08:00 jaharkes at cs.cmu.edu +19 -7
+#   coda: bounds checking
+# 
+# include/linux/coda.h
+#   2005/01/10 17:29:40-08:00 jaharkes at cs.cmu.edu +2 -2
+#   coda: bounds checking
+# 
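Review bot: The new reply check `outsize < (long)outp->coda_ioctl.data + outp->coda_ioctl.len` in fs/coda/upcall.c bounds the sum only from above, so a negative offset or length in the reply would still pass it and reach `copy_to_user()` with a source range outside the reply buffer. The declarations of `data`, `len` and `outsize` are not in this hunk, so this assumes `len` is a signed integer, as the `(long)` cast and the signed comparison suggest. If so, reject those values before the sum is computed, e.g. `if ((long)outp->coda_ioctl.data < 0 || outp->coda_ioctl.len < 0) { error = -EINVAL; goto exit; }`. The comment `/* Copy out the OUT buffer. */` now appears twice on the new side; the first copy, above the length check, could become `/* Reject replies larger than the caller's buffer. */`. The enclosing function begins and ends outside the quoted hunks.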

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	Sun Jan  8 23:56:48 2006
@@ -28,3 +28,4 @@
 + ptrace-fix_self-attach_rule.dpatch
 + async-urb-delivery-oops.dpatch
 + async-urb-delivery-oops-2.dpatch
++ fs_coda_coverty.dpatch


