[kernel] r10044 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Jan 6 01:00:32 UTC 2008
Author: dannf
Date: Sun Jan 6 01:00:32 2008
New Revision: 10044
Log:
* bugfix/i4l-isdn_ioctl-mem-overrun.patch
[SECURITY] Fix potential isdn ioctl memory overrun
See CVE-2007-6151
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/i4l-isdn_ioctl-mem-overrun.patch
dists/etch-security/linux-2.6/debian/patches/series/17etch1
Modified:
dists/etch-security/linux-2.6/debian/changelog
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Sun Jan 6 01:00:32 2008
@@ -1,3 +1,11 @@
+linux-2.6 (2.6.18.dfsg.1-17etch1) UNRELEASED; urgency=high
+
+ * bugfix/i4l-isdn_ioctl-mem-overrun.patch
+ [SECURITY] Fix potential isdn ioctl memory overrun
+ See CVE-2007-6151
+
+ -- dann frazier <dannf at debian.org> Sat, 05 Jan 2008 17:27:50 -0700
+
linux-2.6 (2.6.18.dfsg.1-17) stable; urgency=high
* [futex] Fix address computation in compat code, fixing hangs
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/i4l-isdn_ioctl-mem-overrun.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/i4l-isdn_ioctl-mem-overrun.patch Sun Jan 6 01:00:32 2008
@@ -0,0 +1,56 @@
+From: Karsten Keil <kkeil at suse.de>
+Date: Sat, 1 Dec 2007 20:16:15 +0000 (-0800)
+Subject: I4L: fix isdn_ioctl memory overrun vulnerability
+X-Git-Tag: v2.6.24-rc4~16
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
+
+I4L: fix isdn_ioctl memory overrun vulnerability
+
+Fix possible memory overrun issue in the isdn ioctl code.
+
+Found by ADLAB <adlab at venustech.com.cn>
+
+Signed-off-by: Karsten Keil <kkeil at suse.de>
+Cc: ADLAB <adlab at venustech.com.cn>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
+index c6df292..d695295 100644
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1515,6 +1515,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ if (copy_from_user(&iocts, argp,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid, ',')))
+ *p = 0;
+@@ -1599,6 +1600,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ if (copy_from_user(&iocts, argp,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ drvidx = -1;
+ for (i = 0; i < ISDN_MAX_DRIVERS; i++)
+@@ -1643,7 +1645,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ } else {
+ p = (char __user *) iocts.arg;
+ for (i = 0; i < 10; i++) {
+- sprintf(bname, "%s%s",
++ snprintf(bname, sizeof(bname), "%s%s",
+ strlen(dev->drv[drvidx]->msn2eaz[i]) ?
+ dev->drv[drvidx]->msn2eaz[i] : "_",
+ (i < 9) ? "," : "\0");
+@@ -1673,6 +1675,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ char *p;
+ if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid, ',')))
+ *p = 0;
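Review bot: The `iocts.drvid[sizeof(iocts.drvid)-1] = 0;` guard is open-coded at three copy_from_user sites in isdn_ioctl (inner hunks at 1515, 1599 and 1673), so any other path that copies an `isdn_ioctl_struct` from user space and then calls strlen() or strchr() on drvid has to repeat it by hand. Whether further such paths exist cannot be seen from these hunks and is worth checking against the full file. A one-line comment at each site, e.g. `/* drvid is user-controlled and may arrive without a terminating NUL */`, would record why the store is there. In the 1643 hunk, snprintf() bounds the write into bname but truncates silently, so if an msn2eaz entry can be longer than bname the caller would get a shortened value with no error; comparing the return value with `sizeof(bname)` would make that visible. isdn_ioctl's body begins and ends outside all four hunks.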
Added: dists/etch-security/linux-2.6/debian/patches/series/17etch1
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/17etch1 Sun Jan 6 01:00:32 2008
@@ -0,0 +1 @@
++ bugfix/i4l-isdn_ioctl-mem-overrun.patch