[kernel] r9059 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Wed Jul 4 14:59:12 UTC 2007

Author: dannf
Date: Wed Jul  4 14:59:11 2007
New Revision: 9059

Log:
* bugfix/usblcd-limit-memory-consumption.patch
  [SECURITY] limit memory consumption during write in the usblcd driver
  See CVE-2007-3513

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/usblcd-limit-memory-consumption.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/12etch3

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================

--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed Jul  4 14:59:11 2007
@@ -6,8 +6,11 @@
   * bugfix/fat-move-ioctl-compat-code.patch, bugfix/fat-fix-compat-ioctls.patch
     [SECURITY] Fix kernel_dirent corruption in the compat layer for fat ioctls
     See CVE-2007-2878
+  * bugfix/usblcd-limit-memory-consumption.patch
+    [SECURITY] limit memory consumption during write in the usblcd driver
+    See CVE-2007-3513
 
- -- dann frazier <dannf at debian.org>  Sat, 23 Jun 2007 18:38:19 +0100
+ -- dann frazier <dannf at debian.org>  Wed, 04 Jul 2007 08:57:36 -0600
 
 linux-2.6 (2.6.18.dfsg.1-12etch2) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/usblcd-limit-memory-consumption.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/usblcd-limit-memory-consumption.patch	Wed Jul  4 14:59:11 2007
@@ -0,0 +1,88 @@
+From: Oliver Neukum <oneukum at suse.de>
+Date: Mon, 11 Jun 2007 13:36:02 +0000 (+0200)
+Subject: USB: usblcd doesn't limit memory consumption during write
+X-Git-Tag: v2.6.22-rc7~49^2~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5afeb104e7901168b21aad0437fb51dc620dfdd3
+
+USB: usblcd doesn't limit memory consumption during write
+
+usblcd currently has no way to limit memory consumption by fast writers.
+This is a security problem, as it allows users with write access to this
+device to drive the system into oom despite resource limits.
+Here's the fix taken from the modern skeleton driver.
+
+Signed-off-by: Oliver Neukum <oneukum at suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+diff --git a/drivers/usb/misc/usblcd.c b/drivers/usb/misc/usblcd.c
+index 887ef95..12bad8a 100644
+--- a/drivers/usb/misc/usblcd.c
++++ b/drivers/usb/misc/usblcd.c
+@@ -42,10 +42,14 @@ struct usb_lcd {
+ 	size_t			bulk_in_size;		/* the size of the receive buffer */
+ 	__u8			bulk_in_endpointAddr;	/* the address of the bulk in endpoint */
+ 	__u8			bulk_out_endpointAddr;	/* the address of the bulk out endpoint */
+-	struct kref             kref;
++	struct kref		kref;
++	struct semaphore	limit_sem;		/* to stop writes at full throttle from
++							 * using up all RAM */
+ };
+ #define to_lcd_dev(d) container_of(d, struct usb_lcd, kref)
+ 
++#define USB_LCD_CONCURRENT_WRITES	5
++
+ static struct usb_driver lcd_driver;
+ static DEFINE_MUTEX(usb_lcd_open_mutex);
+ 
+@@ -186,12 +190,13 @@ static void lcd_write_bulk_callback(struct urb *urb)
+ 	/* free up our allocated buffer */
+ 	usb_buffer_free(urb->dev, urb->transfer_buffer_length,
+ 			urb->transfer_buffer, urb->transfer_dma);
++	up(&dev->limit_sem);
+ }
+ 
+ static ssize_t lcd_write(struct file *file, const char __user * user_buffer, size_t count, loff_t *ppos)
+ {
+ 	struct usb_lcd *dev;
+-        int retval = 0;
++        int retval = 0, r;
+ 	struct urb *urb = NULL;
+ 	char *buf = NULL;
+ 	
+@@ -201,10 +206,16 @@ static ssize_t lcd_write(struct file *file, const char __user * user_buffer, siz
+ 	if (count == 0)
+ 		goto exit;
+ 
++	r = down_interruptible(&dev->limit_sem);
++	if (r < 0)
++		return -EINTR;
++
+ 	/* create a urb, and a buffer for it, and copy the data to the urb */
+ 	urb = usb_alloc_urb(0, GFP_KERNEL);
+-	if (!urb)
+-		return -ENOMEM;
++	if (!urb) {
++		retval = -ENOMEM;
++		goto err_no_buf;
++	}
+ 	
+ 	buf = usb_buffer_alloc(dev->udev, count, GFP_KERNEL, &urb->transfer_dma);
+ 	if (!buf) {
+@@ -239,6 +250,8 @@ exit:
+ error:
+ 	usb_buffer_free(dev->udev, count, buf, urb->transfer_dma);
+ 	usb_free_urb(urb);
++err_no_buf:
++	up(&dev->limit_sem);
+ 	return retval;
+ }
+ 
+@@ -277,6 +290,7 @@ static int lcd_probe(struct usb_interface *interface, const struct usb_device_id
+ 		goto error;
+ 	}
+ 	kref_init(&dev->kref);
++	sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES);
+ 
+ 	dev->udev = usb_get_dev(interface_to_usbdev(interface));
+ 	dev->interface = interface;

Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch3	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch3	Wed Jul  4 14:59:11 2007
@@ -1,3 +1,4 @@
 + bugfix/bluetooth-l2cap-hci-info-leaks.patch
 + bugfix/fat-move-ioctl-compat-code.patch
 + bugfix/fat-fix-compat-ioctls.patch
++ bugfix/usblcd-limit-memory-consumption.patch

