[kernel] r9059 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Jul 4 14:59:12 UTC 2007
Author: dannf
Date: Wed Jul 4 14:59:11 2007
New Revision: 9059
Log:
* bugfix/usblcd-limit-memory-consumption.patch
[SECURITY] limit memory consumption during write in the usblcd driver
See CVE-2007-3513
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/usblcd-limit-memory-consumption.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/12etch3
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Wed Jul 4 14:59:11 2007
@@ -6,8 +6,11 @@
* bugfix/fat-move-ioctl-compat-code.patch, bugfix/fat-fix-compat-ioctls.patch
[SECURITY] Fix kernel_dirent corruption in the compat layer for fat ioctls
See CVE-2007-2878
+ * bugfix/usblcd-limit-memory-consumption.patch
+ [SECURITY] limit memory consumption during write in the usblcd driver
+ See CVE-2007-3513
- -- dann frazier <dannf at debian.org> Sat, 23 Jun 2007 18:38:19 +0100
+ -- dann frazier <dannf at debian.org> Wed, 04 Jul 2007 08:57:36 -0600
linux-2.6 (2.6.18.dfsg.1-12etch2) stable-security; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/usblcd-limit-memory-consumption.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/usblcd-limit-memory-consumption.patch Wed Jul 4 14:59:11 2007
@@ -0,0 +1,88 @@
+From: Oliver Neukum <oneukum at suse.de>
+Date: Mon, 11 Jun 2007 13:36:02 +0000 (+0200)
+Subject: USB: usblcd doesn't limit memory consumption during write
+X-Git-Tag: v2.6.22-rc7~49^2~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5afeb104e7901168b21aad0437fb51dc620dfdd3
+
+USB: usblcd doesn't limit memory consumption during write
+
+usblcd currently has no way to limit memory consumption by fast writers.
+This is a security problem, as it allows users with write access to this
+device to drive the system into oom despite resource limits.
+Here's the fix taken from the modern skeleton driver.
+
+Signed-off-by: Oliver Neukum <oneukum at suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+diff --git a/drivers/usb/misc/usblcd.c b/drivers/usb/misc/usblcd.c
+index 887ef95..12bad8a 100644
+--- a/drivers/usb/misc/usblcd.c
++++ b/drivers/usb/misc/usblcd.c
+@@ -42,10 +42,14 @@ struct usb_lcd {
+ size_t bulk_in_size; /* the size of the receive buffer */
+ __u8 bulk_in_endpointAddr; /* the address of the bulk in endpoint */
+ __u8 bulk_out_endpointAddr; /* the address of the bulk out endpoint */
+- struct kref kref;
++ struct kref kref;
++ struct semaphore limit_sem; /* to stop writes at full throttle from
++ * using up all RAM */
+ };
+ #define to_lcd_dev(d) container_of(d, struct usb_lcd, kref)
+
++#define USB_LCD_CONCURRENT_WRITES 5
++
+ static struct usb_driver lcd_driver;
+ static DEFINE_MUTEX(usb_lcd_open_mutex);
+
+@@ -186,12 +190,13 @@ static void lcd_write_bulk_callback(struct urb *urb)
+ /* free up our allocated buffer */
+ usb_buffer_free(urb->dev, urb->transfer_buffer_length,
+ urb->transfer_buffer, urb->transfer_dma);
++ up(&dev->limit_sem);
+ }
+
+ static ssize_t lcd_write(struct file *file, const char __user * user_buffer, size_t count, loff_t *ppos)
+ {
+ struct usb_lcd *dev;
+- int retval = 0;
++ int retval = 0, r;
+ struct urb *urb = NULL;
+ char *buf = NULL;
+
+@@ -201,10 +206,16 @@ static ssize_t lcd_write(struct file *file, const char __user * user_buffer, siz
+ if (count == 0)
+ goto exit;
+
++ r = down_interruptible(&dev->limit_sem);
++ if (r < 0)
++ return -EINTR;
++
+ /* create a urb, and a buffer for it, and copy the data to the urb */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+- if (!urb)
+- return -ENOMEM;
++ if (!urb) {
++ retval = -ENOMEM;
++ goto err_no_buf;
++ }
+
+ buf = usb_buffer_alloc(dev->udev, count, GFP_KERNEL, &urb->transfer_dma);
+ if (!buf) {
+@@ -239,6 +250,8 @@ exit:
+ error:
+ usb_buffer_free(dev->udev, count, buf, urb->transfer_dma);
+ usb_free_urb(urb);
++err_no_buf:
++ up(&dev->limit_sem);
+ return retval;
+ }
+
+@@ -277,6 +290,7 @@ static int lcd_probe(struct usb_interface *interface, const struct usb_device_id
+ goto error;
+ }
+ kref_init(&dev->kref);
++ sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES);
+
+ dev->udev = usb_get_dev(interface_to_usbdev(interface));
+ dev->interface = interface;
Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch3 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch3 Wed Jul 4 14:59:11 2007
@@ -1,3 +1,4 @@
+ bugfix/bluetooth-l2cap-hci-info-leaks.patch
+ bugfix/fat-move-ioctl-compat-code.patch
+ bugfix/fat-fix-compat-ioctls.patch
++ bugfix/usblcd-limit-memory-consumption.patch
More information about the Kernel-svn-changes
mailing list