[kernel] r10561 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Feb 17 18:29:42 UTC 2008
Author: dannf
Date: Sun Feb 17 18:29:42 2008
New Revision: 10561
Log:
* 263_usb-pwc-disconnect-block.diff
[SECURITY] Fix issue with unplugging webcams that use the pwc driver.
If userspace still has the device open, the driver would
wait for the device to close, blocking the USB subsystem.
See CVE-2007-5093
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/263_usb-pwc-disconnect-block.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sun Feb 17 18:29:42 2008
@@ -73,8 +73,13 @@
* 262_aacraid-ioctl-perm-check.diff
[SECURITY] Require admin capabilities to issue ioctls to aacraid devices
See CVE-2007-4308
+ * 263_usb-pwc-disconnect-block.diff
+ [SECURITY] Fix issue with unplugging webcams that use the pwc driver.
+ If userspace still has the device open it can result, the driver would
+ wait for the device to close, blocking the USB subsystem.
+ See CVE-2007-5093
- -- dann frazier <dannf at debian.org> Thu, 14 Feb 2008 14:51:41 -0700
+ -- dann frazier <dannf at debian.org> Thu, 14 Feb 2008 14:56:01 -0700
kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/263_usb-pwc-disconnect-block.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/263_usb-pwc-disconnect-block.diff Sun Feb 17 18:29:42 2008
@@ -0,0 +1,122 @@
+commit 1994e10c56cfb36df0e03090e5c917c973d3df69
+Author: dann frazier <dannf at hp.com>
+Date: Wed Feb 6 19:06:18 2008 -0700
+
+ 2.4: USB: fix DoS in pwc USB video driver
+
+ This is a 2.4 backport of a linux-2.6 change by Oliver Neukum.
+ (commit 85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d)
+
+ CVE-2007-5093 was assigned for this issue.
+ This backport has been compile-tested only.
+
+ Commit log from 2.6 follows.
+
+ the pwc driver has a disconnect method that waits for user space to
+ close the device. This opens up an opportunity for a DoS attack,
+ blocking the USB subsystem and making khubd's task busy wait in
+ kernel space. This patch shifts freeing resources to close if an opened
+ device is disconnected.
+
+ Signed-off-by: dann frazier <dannf at hp.com>
+
+diff --git a/drivers/usb/pwc-if.c b/drivers/usb/pwc-if.c
+index e458515..a1c3989 100644
+--- a/drivers/usb/pwc-if.c
++++ b/drivers/usb/pwc-if.c
+@@ -1055,11 +1055,16 @@ static int pwc_video_open(struct video_device *vdev, int mode)
+ return 0;
+ }
+
++static void pwc_cleanup(struct pwc_device *pdev)
++{
++ video_unregister_device(&pdev->vdev);
++}
++
+ /* Note that all cleanup is done in the reverse order as in _open */
+ static void pwc_video_close(struct video_device *vdev)
+ {
+ struct pwc_device *pdev;
+- int i;
++ int i, hint;
+
+ Trace(TRACE_OPEN, ">> video_close called(vdev = 0x%p).\n", vdev);
+
+@@ -1083,8 +1088,9 @@ static void pwc_video_close(struct video_device *vdev)
+ pwc_isoc_cleanup(pdev);
+ pwc_free_buffers(pdev);
+
++ lock_kernel();
+ /* Turn off LEDS and power down camera, but only when not unplugged */
+- if (pdev->error_status != EPIPE) {
++ if (!pdev->unplugged) {
+ if (pwc_set_leds(pdev, 0, 0) < 0)
+ Info("Failed to set LED on/off time.\n");
+ if (power_save) {
+@@ -1092,9 +1098,18 @@ static void pwc_video_close(struct video_device *vdev)
+ if (i < 0)
+ Err("Failed to power down camera (%d)\n", i);
+ }
++ pdev->vopen = 0;
++ Trace(TRACE_OPEN, "<< video_close()\n");
++ } else {
++ pwc_cleanup(pdev);
++ /* Free memory (don't set pdev to 0 just yet) */
++ kfree(pdev);
++ /* search device_hint[] table if we occupy a slot, by any chance */
++ for (hint = 0; hint < MAX_DEV_HINTS; hint++)
++ if (device_hint[hint].pdev == pdev)
++ device_hint[hint].pdev = NULL;
+ }
+- pdev->vopen = 0;
+- Trace(TRACE_OPEN, "<< video_close()\n");
++ unlock_kernel();
+ }
+
+ /*
+@@ -1897,19 +1912,20 @@ static void usb_pwc_disconnect(struct usb_device *udev, void *ptr)
+ /* Alert waiting processes */
+ wake_up_interruptible(&pdev->frameq);
+ /* Wait until device is closed */
+- while (pdev->vopen)
+- schedule();
+- /* Device is now closed, so we can safely unregister it */
+- Trace(TRACE_PROBE, "Unregistering video device in disconnect().\n");
+- video_unregister_device(&pdev->vdev);
+-
+- /* Free memory (don't set pdev to 0 just yet) */
+- kfree(pdev);
+-
+- /* search device_hint[] table if we occupy a slot, by any chance */
+- for (hint = 0; hint < MAX_DEV_HINTS; hint++)
+- if (device_hint[hint].pdev == pdev)
+- device_hint[hint].pdev = NULL;
++ if(pdev->vopen) {
++ pdev->unplugged = 1;
++ } else {
++ /* Device is closed, so we can safely unregister it */
++ Trace(TRACE_PROBE, "Unregistering video device in disconnect().\n");
++ pwc_cleanup(pdev);
++ /* Free memory (don't set pdev to 0 just yet) */
++ kfree(pdev);
++
++ /* search device_hint[] table if we occupy a slot, by any chance */
++ for (hint = 0; hint < MAX_DEV_HINTS; hint++)
++ if (device_hint[hint].pdev == pdev)
++ device_hint[hint].pdev = NULL;
++ }
+
+ unlock_kernel();
+ }
+diff --git a/drivers/usb/pwc.h b/drivers/usb/pwc.h
+index b020769..999daf2 100644
+--- a/drivers/usb/pwc.h
++++ b/drivers/usb/pwc.h
+@@ -141,6 +141,7 @@ struct pwc_device
+ char vsnapshot; /* snapshot mode */
+ char vsync; /* used by isoc handler */
+ char vmirror; /* for ToUCaM series */
++ char unplugged;
+
+ /* The image acquisition requires 3 to 4 steps:
+ 1. data is gathered in short packets from the USB controller
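Review bot: In the embedded pwc-if.c patch, the unplugged branch of pwc_video_close() and the closed branch of usb_pwc_disconnect() each call `kfree(pdev)` and only afterwards scan device_hint[] for that pointer, so the table briefly references freed memory and the teardown sequence exists in two copies, while pwc_cleanup() only wraps video_unregister_device(). Moving the slot clearing and the free into pwc_cleanup(), with the table cleared first, leaves one copy of the sequence and no caller touching pdev after the helper returns; this assumes device_hint[] is declared above the helper, which the hunk does not show. Both paths run under lock_kernel() in the visible lines, so this is hardening rather than a demonstrated race. Since the commit message says the backport was compile-tested only, the open, unplug, then close path deserves a runtime check, including that read/ioctl calls arriving between disconnect and close are refused before they reach the departed USB device. Both function bodies start outside the nested hunks.

```c
static void pwc_cleanup(struct pwc_device *pdev)
{
	int hint;

	video_unregister_device(&pdev->vdev);
	/* drop our device_hint[] slot while pdev is still valid */
	for (hint = 0; hint < MAX_DEV_HINTS; hint++)
		if (device_hint[hint].pdev == pdev)
			device_hint[hint].pdev = NULL;
	kfree(pdev);
}

/* … unchanged: pwc_video_close() up to the !pdev->unplugged branch … */
	} else {
		/* pdev must not be used after this call */
		pwc_cleanup(pdev);
	}
	unlock_kernel();

/* … unchanged: usb_pwc_disconnect() up to the vopen check … */
	if (pdev->vopen) {
		pdev->unplugged = 1;
	} else {
		/* Device is closed, so we can safely unregister it */
		Trace(TRACE_PROBE, "Unregistering video device in disconnect().\n");
		pwc_cleanup(pdev);
	}
```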
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Sun Feb 17 18:29:42 2008
@@ -22,3 +22,4 @@
+ 260_ext2-skip-pages-past-num-blocks.diff
+ 261_listxattr-mem-corruption.diff
+ 262_aacraid-ioctl-perm-check.diff
++ 263_usb-pwc-disconnect-block.diff