[kernel] r5366 - in
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian:
. patches patches/series
Dann Frazier
dannf at costa.debian.org
Sun Jan 8 23:56:50 UTC 2006
Author: dannf
Date: Sun Jan 8 23:56:48 2006
New Revision: 5366
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs_coda_coverty.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
Log:
* fs_coda_coverty.dpatch:
[SECURITY] Add bounds checking to coda fs.
See CVE-2005-0124
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sun Jan 8 23:56:48 2006
@@ -157,7 +157,11 @@
an issued URB request completes.
See CVE-2005-3055
- -- dann frazier <dannf at debian.org> Sun, 8 Jan 2006 15:08:21 -0700
+ * fs_coda_coverty.dpatch:
+ [SECURITY] Add bounds checking to coda fs.
+ See CVE-2005-0124
+
+ -- dann frazier <dannf at debian.org> Sun, 8 Jan 2006 16:54:46 -0700
kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs_coda_coverty.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs_coda_coverty.dpatch Sun Jan 8 23:56:48 2006
@@ -0,0 +1,83 @@
+diff -Naru a/fs/coda/upcall.c b/fs/coda/upcall.c
+--- a/fs/coda/upcall.c 2006-01-08 15:47:52 -08:00
++++ b/fs/coda/upcall.c 2006-01-08 15:47:52 -08:00
+@@ -555,6 +555,11 @@
+ goto exit;
+ }
+
++ if (data->vi.out_size > VC_MAXDATASIZE) {
++ error = -EINVAL;
++ goto exit;
++ }
++
+ inp->coda_ioctl.VFid = *fid;
+
+ /* the cmd field was mutated by increasing its size field to
+@@ -583,18 +588,25 @@
+ error, coda_f2s(fid));
+ goto exit;
+ }
++
++ if (outsize < (long)outp->coda_ioctl.data + outp->coda_ioctl.len) {
++ error = -EINVAL;
++ goto exit;
++ }
+
+ /* Copy out the OUT buffer. */
+ if (outp->coda_ioctl.len > data->vi.out_size) {
+ error = -EINVAL;
+- } else {
+- if (copy_to_user(data->vi.out,
+- (char *)outp + (long)outp->coda_ioctl.data,
+- data->vi.out_size)) {
+- error = -EFAULT;
+- goto exit;
+- }
++ goto exit;
+ }
++
++ /* Copy out the OUT buffer. */
++ if (copy_to_user(data->vi.out,
++ (char *)outp + (long)outp->coda_ioctl.data,
++ outp->coda_ioctl.len)) {
++ error = -EFAULT;
++ goto exit;
++ }
+
+ exit:
+ CODA_FREE(inp, insize);
+diff -Naru a/include/linux/coda.h b/include/linux/coda.h
+--- a/include/linux/coda.h 2006-01-08 15:47:52 -08:00
++++ b/include/linux/coda.h 2006-01-08 15:47:52 -08:00
+@@ -761,8 +761,8 @@
+ struct ViceIoctl {
+ void __user *in; /* Data to be transferred in */
+ void __user *out; /* Data to be transferred out */
+- short in_size; /* Size of input buffer <= 2K */
+- short out_size; /* Maximum size of output buffer, <= 2K */
++ u_short in_size; /* Size of input buffer <= 2K */
++ u_short out_size; /* Maximum size of output buffer, <= 2K */
+ };
+
+ struct PioctlData {
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/11 09:26:36-08:00 jaharkes at cs.cmu.edu
+# [PATCH] coda: bounds checking
+#
+# This patch adds bounds checks for tainted scalars (reported by Brian Fulton
+# and Ted Unangst, Coverity Inc.).
+#
+# Signed-off-by: Jan Harkes <jaharkes at cs.cmu.edu>
+# Signed-off-by: Andrew Morton <akpm at osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+#
+# fs/coda/upcall.c
+# 2005/01/10 17:29:40-08:00 jaharkes at cs.cmu.edu +19 -7
+# coda: bounds checking
+#
+# include/linux/coda.h
+# 2005/01/10 17:29:40-08:00 jaharkes at cs.cmu.edu +2 -2
+# coda: bounds checking
+#
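Review bot: The new guard in the second fs/coda/upcall.c hunk, `if (outsize < (long)outp->coda_ioctl.data + outp->coda_ioctl.len)`, bounds the reply only from above, so a negative `data` offset or a negative `len` in the reply still passes it. With a negative offset the source of the following `copy_to_user()` is `(char *)outp` plus that offset, which lies before the start of the reply buffer, and a negative `len` also passes the `len > data->vi.out_size` test now that `out_size` is `u_short`. Rejecting both signs first, and comparing without a sum that can overflow, would close this: `if (outp->coda_ioctl.len < 0 || (long)outp->coda_ioctl.data < 0 || (long)outp->coda_ioctl.data > outsize - outp->coda_ioctl.len)`. This assumes `len` and `data` are signed, as the `(long)` cast suggests; their declarations, the assignment of `outsize`, and the start and end of the enclosing function are outside the hunk.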
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2 Sun Jan 8 23:56:48 2006
@@ -28,3 +28,4 @@
+ ptrace-fix_self-attach_rule.dpatch
+ async-urb-delivery-oops.dpatch
+ async-urb-delivery-oops-2.dpatch
++ fs_coda_coverty.dpatch