[kernel] r12399 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Nov 18 06:43:14 UTC 2008
Author: dannf
Date: Tue Nov 18 06:43:12 2008
New Revision: 12399
Log:
Fix oops in tvaudio when controlling bass/treble (CVE-2008-5033)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/tvaudio-treble-bass-control-oops.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/11
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog (original)
+++ dists/sid/linux-2.6/debian/changelog Tue Nov 18 06:43:12 2008
@@ -35,8 +35,9 @@
* Fix buffer overflow in hfsplus (CVE-2008-4933)
* Fix BUG() in hfsplus (CVE-2008-4934)
* Fix stack corruption in hfs (CVE-2008-5025)
+ * Fix oops in tvaudio when controlling bass/treble (CVE-2008-5033)
- -- dann frazier <dannf at debian.org> Mon, 17 Nov 2008 09:05:09 -0700
+ -- dann frazier <dannf at debian.org> Mon, 17 Nov 2008 23:14:13 -0700
linux-2.6 (2.6.26-10) unstable; urgency=low
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/tvaudio-treble-bass-control-oops.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/tvaudio-treble-bass-control-oops.patch Tue Nov 18 06:43:12 2008
@@ -0,0 +1,126 @@
+commit 01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9
+Author: Mauro Carvalho Chehab <mchehab at redhat.com>
+Date: Fri Nov 14 10:46:59 2008 -0300
+
+ V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble
+
+ This bug were supposed to be fixed by 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1,
+ where a call to NULL happens.
+
+ Not all tvaudio chips allow controlling bass/treble. So, the driver
+ has a table with a flag to indicate if the chip does support it.
+
+ Unfortunately, the handling of this logic were broken for a very long
+ time (probably since the first module version). Due to that, an OOPS
+ were generated for devices that don't support bass/treble.
+
+ This were the resulting OOPS message before the patch, with debug messages
+ enabled:
+
+ tvaudio' 1-005b: VIDIOC_S_CTRL
+ BUG: unable to handle kernel NULL pointer dereference at 00000000
+ IP: [<00000000>]
+ *pde = 22fda067 *pte = 00000000
+ Oops: 0000 [#1] SMP
+ Modules linked in: snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
+ snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_hwdep snd soundcore tuner_simple tuner_types tea5767 tuner
+ tvaudio bttv bridgebnep rfcomm l2cap bluetooth it87 hwmon_vid hwmon fuse sunrpc ipt_REJECT
+ nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack
+ ip6table_filter ip6_tables x_tables ipv6 dm_mirrordm_multipath dm_mod configfs videodev v4l1_compat
+ ir_common 8139cp compat_ioctl32 v4l2_common 8139too videobuf_dma_sg videobuf_core mii btcx_risc tveeprom
+ i915 button snd_page_alloc serio_raw drm pcspkr i2c_algo_bit i2c_i801 i2c_core iTCO_wdt
+ iTCO_vendor_support sr_mod cdrom sg ata_generic pata_acpi ata_piix libata sd_mod scsi_mod ext3 jbdmbcache
+ uhci_hcd ohci_hcd ehci_hcd [last unloaded: soundcore]
+
+ Pid: 15413, comm: qv4l2 Not tainted (2.6.25.14-108.fc9.i686 #1)
+ EIP: 0060:[<00000000>] EFLAGS: 00210246 CPU: 0
+ EIP is at 0x0
+ EAX: 00008000 EBX: ebd21600 ECX: e2fd9ec4 EDX: 00200046
+ ESI: f8c0f0c4 EDI: f8c0f0c4 EBP: e2fd9d50 ESP: e2fd9d2c
+ DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+ Process qv4l2 (pid: 15413, ti=e2fd9000 task=ebe44000 task.ti=e2fd9000)
+ Stack: f8c0c6ae e2ff2a00 00000d00 e2fd9ec4 ebc4e000 e2fd9d5c f8c0c448 00000000
+ f899c12a e2fd9d5c f899c154 e2fd9d68 e2fd9d80 c0560185 e2fd9d88 f8f3e1d8
+ f8f3e1dc ebc4e034 f8f3e18c e2fd9ec4 00000000 e2fd9d90 f899c286 c008561c
+ Call Trace:
+ [<f8c0c6ae>] ? chip_command+0x266/0x4b6 [tvaudio]
+ [<f8c0c448>] ? chip_command+0x0/0x4b6 [tvaudio]
+ [<f899c12a>] ? i2c_cmd+0x0/0x2f [i2c_core]
+ [<f899c154>] ? i2c_cmd+0x2a/0x2f [i2c_core]
+ [<c0560185>] ? device_for_each_child+0x21/0x49
+ [<f899c286>] ? i2c_clients_command+0x1c/0x1e [i2c_core]
+ [<f8f283d8>] ? bttv_call_i2c_clients+0x14/0x16 [bttv]
+ [<f8f23601>] ? bttv_s_ctrl+0x1bc/0x313 [bttv]
+ [<f8f23445>] ? bttv_s_ctrl+0x0/0x313 [bttv]
+ [<f8b6096d>] ? __video_do_ioctl+0x1f84/0x3726 [videodev]
+ [<c05abb4e>] ? sock_aio_write+0x100/0x10d
+ [<c041b23e>] ? kmap_atomic_prot+0x1dd/0x1df
+ [<c043a0c9>] ? enqueue_hrtimer+0xc2/0xcd
+ [<c04f4fa4>] ? copy_from_user+0x39/0x121
+ [<f8b622b9>] ? __video_ioctl2+0x1aa/0x24a [videodev]
+ [<c04054fd>] ? do_notify_resume+0x768/0x795
+ [<c043c0f7>] ? getnstimeofday+0x34/0xd1
+ [<c0437b77>] ? autoremove_wake_function+0x0/0x33
+ [<f8b62368>] ? video_ioctl2+0xf/0x13 [videodev]
+ [<c048c6f0>] ? vfs_ioctl+0x50/0x69
+ [<c048c942>] ? do_vfs_ioctl+0x239/0x24c
+ [<c048c995>] ? sys_ioctl+0x40/0x5b
+ [<c0405bf2>] ? syscall_call+0x7/0xb
+ [<c0620000>] ? cpuid4_cache_sysfs_exit+0x3d/0x69
+ =======================
+ Code: Bad EIP value.
+ EIP: [<00000000>] 0x0 SS:ESP 0068:e2fd9d2c
+
+ Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/media/video/tvaudio.c linux-source-2.6.26/drivers/media/video/tvaudio.c
+--- linux-source-2.6.26.orig/drivers/media/video/tvaudio.c 2008-11-17 16:42:39.000000000 -0700
++++ linux-source-2.6.26/drivers/media/video/tvaudio.c 2008-11-17 23:25:12.000000000 -0700
+@@ -1589,13 +1589,13 @@ static int tvaudio_get_ctrl(struct CHIPS
+ return 0;
+ }
+ case V4L2_CID_AUDIO_BASS:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
+ break;
+ ctrl->value = chip->bass;
+ return 0;
+ case V4L2_CID_AUDIO_TREBLE:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
+- return -EINVAL;
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
++ break;
+ ctrl->value = chip->treble;
+ return 0;
+ }
+@@ -1655,16 +1655,15 @@ static int tvaudio_set_ctrl(struct CHIPS
+ return 0;
+ }
+ case V4L2_CID_AUDIO_BASS:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
+ break;
+ chip->bass = ctrl->value;
+ chip_write(chip,desc->bassreg,desc->bassfunc(chip->bass));
+
+ return 0;
+ case V4L2_CID_AUDIO_TREBLE:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
+- return -EINVAL;
+-
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
++ break;
+ chip->treble = ctrl->value;
+ chip_write(chip,desc->treblereg,desc->treblefunc(chip->treble));
+
+@@ -1708,7 +1707,7 @@ static int chip_command(struct i2c_clien
+ break;
+ case V4L2_CID_AUDIO_BASS:
+ case V4L2_CID_AUDIO_TREBLE:
+- if (desc->flags & CHIP_HAS_BASSTREBLE)
++ if (!(desc->flags & CHIP_HAS_BASSTREBLE))
+ return -EINVAL;
+ break;
+ default:
Modified: dists/sid/linux-2.6/debian/patches/series/11
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/11 (original)
+++ dists/sid/linux-2.6/debian/patches/series/11 Tue Nov 18 06:43:12 2008
@@ -5,3 +5,4 @@
+ bugfix/all/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
+ bugfix/all/hfsplus-check_read_mapping_page-return-value.patch
+ bugfix/all/hfs-fix-namelength-memory-corruption.patch
++ bugfix/all/tvaudio-treble-bass-control-oops.patch
More information about the Kernel-svn-changes
mailing list