[kernel] r10538 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Thu Feb 14 03:21:31 UTC 2008


Author: dannf
Date: Thu Feb 14 03:21:29 2008
New Revision: 10538

Log:
* usb-pwc-disconnect-block.dpatch
  [SECURITY] Fix issue with unplugging webcams that use the pwc driver.
  If userspace still has the device open, the driver would
  wait for the device to close, blocking the USB subsystem.
  See CVE-2007-5093

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/usb-pwc-disconnect-block.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Thu Feb 14 03:21:29 2008
@@ -56,8 +56,13 @@
   * amd64-zero-extend-32bit-ptrace.dpatch
     [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
     See CVE-2007-4573
+  * usb-pwc-disconnect-block.dpatch
+    [SECURITY] Fix issue with unplugging webcams that use the pwc driver.
+    If userspace still has the device open it can result, the driver would
+    wait for the device to close, blocking the USB subsystem.
+    See CVE-2007-5093
 
- -- dann frazier <dannf at debian.org>  Wed, 13 Feb 2008 19:59:45 -0700
+ -- dann frazier <dannf at debian.org>  Wed, 13 Feb 2008 20:20:12 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Thu Feb 14 03:21:29 2008
@@ -15,3 +15,4 @@
 + cifs-honor-umask.dpatch
 + hugetlb-prio_tree-unit-fix.dpatch
 + amd64-zero-extend-32bit-ptrace.dpatch
++ usb-pwc-disconnect-block.dpatch

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/usb-pwc-disconnect-block.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/usb-pwc-disconnect-block.dpatch	Thu Feb 14 03:21:29 2008
@@ -0,0 +1,121 @@
+From: Oliver Neukum <oneukum at suse.de>
+Date: Tue, 21 Aug 2007 05:10:42 +0000 (+0200)
+Subject: USB: fix DoS in pwc USB video driver
+X-Git-Tag: v2.6.23-rc4~29^2~8
+X-Git-Url: http://git.kernel.org/gitweb.cgi?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d
+
+USB: fix DoS in pwc USB video driver
+
+the pwc driver has a disconnect method that waits for user space to
+close the device. This opens up an opportunity for a DoS attack,
+blocking the USB subsystem and making khubd's task busy wait in
+kernel space. This patch shifts freeing resources to close if an opened
+device is disconnected.
+
+Signed-off-by: Oliver Neukum <oneukum at suse.de>
+CC: stable <stable at kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/drivers/usb/media/pwc.h kernel-source-2.6.8/drivers/usb/media/pwc.h
+--- kernel-source-2.6.8.orig/drivers/usb/media/pwc.h	2004-08-13 23:37:15.000000000 -0600
++++ kernel-source-2.6.8/drivers/usb/media/pwc.h	2008-02-13 20:05:47.000000000 -0700
+@@ -144,6 +144,7 @@ struct pwc_device
+    char vsnapshot;		/* snapshot mode */
+    char vsync;			/* used by isoc handler */
+    char vmirror;		/* for ToUCaM series */
++	char unplugged;
+    
+    int cmd_len;
+    unsigned char cmd_buf[13];
+diff -urpN kernel-source-2.6.8.orig/drivers/usb/media/pwc-if.c kernel-source-2.6.8/drivers/usb/media/pwc-if.c
+--- kernel-source-2.6.8.orig/drivers/usb/media/pwc-if.c	2004-08-13 23:37:38.000000000 -0600
++++ kernel-source-2.6.8/drivers/usb/media/pwc-if.c	2008-02-13 20:14:17.000000000 -0700
+@@ -1084,12 +1084,18 @@ static int pwc_video_open(struct inode *
+ 	return 0;
+ }
+ 
++
++static void pwc_cleanup(struct pwc_device *pdev)
++{
++	video_unregister_device(pdev->vdev);
++}
++
+ /* Note that all cleanup is done in the reverse order as in _open */
+ static int pwc_video_close(struct inode *inode, struct file *file)
+ {
+ 	struct video_device *vdev = file->private_data;
+ 	struct pwc_device *pdev;
+-	int i;
++	int i, hint;
+ 
+ 	Trace(TRACE_OPEN, ">> video_close called(vdev = 0x%p).\n", vdev);
+ 
+@@ -1113,8 +1119,9 @@ static int pwc_video_close(struct inode 
+ 	pwc_isoc_cleanup(pdev);
+ 	pwc_free_buffers(pdev);
+ 
++	lock_kernel();
+ 	/* Turn off LEDS and power down camera, but only when not unplugged */
+-	if (pdev->error_status != EPIPE) {
++	if (!pdev->unplugged) {
+ 		/* Turn LEDs off */
+ 		if (pwc_set_leds(pdev, 0, 0) < 0)
+ 			Info("Failed to set LED on/off time.\n");
+@@ -1123,9 +1130,18 @@ static int pwc_video_close(struct inode 
+ 			if (i < 0)
+ 				Err("Failed to power down camera (%d)\n", i);
+ 		}
++		pdev->vopen = 0;
++		Trace(TRACE_OPEN, "<< video_close()\n");
++	} else {
++		pwc_cleanup(pdev);
++		/* Free memory (don't set pdev to 0 just yet) */
++		kfree(pdev);
++		/* search device_hint[] table if we occupy a slot, by any chance */
++		for (hint = 0; hint < MAX_DEV_HINTS; hint++)
++			if (device_hint[hint].pdev == pdev)
++				device_hint[hint].pdev = NULL;
+ 	}
+-	pdev->vopen = 0;
+-	Trace(TRACE_OPEN, "<< video_close()\n");
++	unlock_kernel();
+ 	return 0;
+ }
+ 
+@@ -1972,20 +1988,21 @@ static void usb_pwc_disconnect(struct us
+ 	/* Alert waiting processes */
+ 	wake_up_interruptible(&pdev->frameq);
+ 	/* Wait until device is closed */
+-	while (pdev->vopen)
+-		schedule();
+-	/* Device is now closed, so we can safely unregister it */
+-	Trace(TRACE_PROBE, "Unregistering video device in disconnect().\n");
+-	video_unregister_device(pdev->vdev);
+-
+-	/* Free memory (don't set pdev to 0 just yet) */
+-	kfree(pdev);
++	if(pdev->vopen) {
++		pdev->unplugged = 1;
++	} else {
++		/* Device is closed, so we can safely unregister it */
++		Trace(TRACE_PROBE, "Unregistering video device in disconnect().\n");
++		pwc_cleanup(pdev);
++		/* Free memory (don't set pdev to 0 just yet) */
++		kfree(pdev);
+ 
+ disconnect_out:
+-	/* search device_hint[] table if we occupy a slot, by any chance */
+-	for (hint = 0; hint < MAX_DEV_HINTS; hint++)
+-		if (device_hint[hint].pdev == pdev)
+-			device_hint[hint].pdev = NULL;
++		/* search device_hint[] table if we occupy a slot, by any chance */
++		for (hint = 0; hint < MAX_DEV_HINTS; hint++)
++			if (device_hint[hint].pdev == pdev)
++				device_hint[hint].pdev = NULL;
++	}
+ 
+ 	unlock_kernel();
+ }
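Review bot: In the unplugged branch of pwc_video_close, `kfree(pdev);` runs before the device_hint[] scan, so the table briefly holds a pointer to freed memory and the loop compares against a freed pointer value; moving `kfree(pdev);` below the `for (hint = 0; hint < MAX_DEV_HINTS; hint++)` loop closes that window for any reader of device_hint[] that does not hold the BKL. usb_pwc_disconnect keeps the same free-then-scan order, and its `disconnect_out:` label now sits inside the `else` block, so any `goto disconnect_out` earlier in the function (outside the hunk) jumps into the middle of that block; this is legal C but easy to break, and a one-line comment at the label saying so would help. Because disconnect now returns while the device is still open, the read/ioctl/poll/mmap handlers can run after the hardware is gone; they are not shown here, so it is worth confirming that each tests `pdev->unplugged` or `error_status` before touching the USB device. The new field would also read better as `char unplugged; /* set in disconnect while open; close() then frees pdev */`. Both pwc_video_close and usb_pwc_disconnect begin outside the hunks shown.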


