[kernel] r9498 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Tue Sep 11 06:25:52 UTC 2007 

Author: dannf
Date: Tue Sep 11 06:25:52 2007
New Revision: 9498

Log:
* bluetooth-l2cap-hci-info-leaks.dpatch
  [SECURITY] Fix information leaks in setsockopt() implementations
  See CVE-2007-1353

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-l2cap-hci-info-leaks.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Tue Sep 11 06:25:52 2007
@@ -16,8 +16,11 @@
   * [SECURITY] Fix potential privilege escalation caused by improper
     clearing of the child process' pdeath signal.
     See CVE-2007-3848
+  * bluetooth-l2cap-hci-info-leaks.dpatch
+    [SECURITY] Fix information leaks in setsockopt() implementations
+    See CVE-2007-1353
 
- -- dann frazier <dannf at debian.org>  Wed, 29 Aug 2007 01:10:46 -0600
+ -- dann frazier <dannf at debian.org>  Tue, 11 Sep 2007 00:24:22 -0600
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-l2cap-hci-info-leaks.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-l2cap-hci-info-leaks.dpatch	Tue Sep 11 06:25:52 2007
@@ -0,0 +1,62 @@
+From: Marcel Holtmann <marcel at holtmann.org>
+Date: Fri, 4 May 2007 22:35:59 +0000 (+0200)
+Subject: [Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
+X-Git-Tag: v2.6.22-rc1~822^2~2^2~6
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0878b6667f28772aa7d6b735abff53efc7bf6d91
+
+[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
+
+The L2CAP and HCI setsockopt() implementations have a small information
+leak that makes it possible to leak kernel stack memory to userspace.
+
+If the optlen parameter is 0, no data will be copied by copy_from_user(),
+but the uninitialized stack buffer will be read and stored later. A call
+to getsockopt() can now retrieve the leaked information.
+
+To fix this problem the stack buffer given to copy_from_user() must be
+initialized with the current settings.
+
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/net/bluetooth/hci_sock.c kernel-source-2.6.8/net/bluetooth/hci_sock.c
+--- kernel-source-2.6.8.orig/net/bluetooth/hci_sock.c	2004-08-13 23:37:14.000000000 -0600
++++ kernel-source-2.6.8/net/bluetooth/hci_sock.c	2007-09-11 00:01:19.143775861 -0600
+@@ -471,6 +471,15 @@ int hci_sock_setsockopt(struct socket *s
+ 		break;
+ 
+ 	case HCI_FILTER:
++		{
++			struct hci_filter *f = &hci_pi(sk)->filter;
++
++			uf.type_mask = f->type_mask;
++			uf.opcode    = f->opcode;
++			uf.event_mask[0] = *((u32 *) f->event_mask + 0);
++			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
++		}
++
+ 		len = min_t(unsigned int, len, sizeof(uf));
+ 		if (copy_from_user(&uf, optval, len)) {
+ 			err = -EFAULT;
+diff -urpN kernel-source-2.6.8.orig/net/bluetooth/l2cap.c kernel-source-2.6.8/net/bluetooth/l2cap.c
+--- kernel-source-2.6.8.orig/net/bluetooth/l2cap.c	2004-08-13 23:37:26.000000000 -0600
++++ kernel-source-2.6.8/net/bluetooth/l2cap.c	2007-09-11 00:21:15.495780084 -0600
+@@ -759,11 +759,16 @@ static int l2cap_sock_setsockopt(struct 
+ 
+ 	switch (optname) {
+ 	case L2CAP_OPTIONS:
++		opts.imtu     = l2cap_pi(sk)->imtu;
++		opts.omtu     = l2cap_pi(sk)->omtu;
++		opts.flush_to = l2cap_pi(sk)->flush_to;
++
+ 		len = min_t(unsigned int, sizeof(opts), optlen);
+ 		if (copy_from_user((char *)&opts, optval, len)) {
+ 			err = -EFAULT;
+ 			break;
+ 		}
++
+ 		l2cap_pi(sk)->imtu  = opts.imtu;
+ 		l2cap_pi(sk)->omtu  = opts.omtu;
+ 		break;

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Tue Sep 11 06:25:52 2007
@@ -4,3 +4,4 @@
 + ipv4-fib_props-out-of-bounds.dpatch
 + aacraid-ioctl-perm-check.dpatch
 + reset-pdeathsig-on-suid.dpatch 
++ bluetooth-l2cap-hci-info-leaks.dpatch

More information about the Kernel-svn-changes mailing list