[kernel] r14137 - in dists/lenny/linux-2.6/debian: . patches/bugfix/parisc patches/series

Dann Frazier dannf at alioth.debian.org
Wed Aug 19 04:28:27 UTC 2009 

Author: dannf
Date: Wed Aug 19 04:28:24 2009
New Revision: 14137

Log:
[parisc] isa-eeprom - Fix loff_t usage (CVE-2009-2846)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch
      - copied unchanged from r14136, dists/sid/linux-2.6/debian/patches/bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/19

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Mon Aug 17 15:10:38 2009	(r14136)
+++ dists/lenny/linux-2.6/debian/changelog	Wed Aug 19 04:28:24 2009	(r14137)
@@ -6,6 +6,7 @@
 
   [ dann frazier ]
   * aacraid: Fix regression w/ bigmem kernel (Closes: #537771)
+  * [parisc] isa-eeprom - Fix loff_t usage (CVE-2009-2846)
 
  -- Moritz Muehlenhoff <jmm at debian.org>  Wed, 05 Aug 2009 22:18:12 +0200
 

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch (from r14136, dists/sid/linux-2.6/debian/patches/bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch	Wed Aug 19 04:28:24 2009	(r14137, copy of r14136, dists/sid/linux-2.6/debian/patches/bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch)
@@ -0,0 +1,28 @@
+commit 6b4dbcd86a9d464057fcc7abe4d0574093071fcc
+Author: Michael Buesch <mb at bu3sch.de>
+Date:   Mon Jul 20 22:58:44 2009 +0000
+
+    parisc: isa-eeprom - Fix loff_t usage
+    
+    loff_t is a signed type. If userspace passes a negative ppos, the "count"
+    range check is weakened. "count"s bigger than HPEE_MAX_LENGTH will pass the check.
+    Also, if ppos is negative, the readb(eisa_eeprom_addr + *ppos) will poke in random
+    memory.
+    
+    Signed-off-by: Michael Buesch <mb at bu3sch.de>
+    Cc: stable at kernel.org
+    Signed-off-by: Helge Deller <deller at gmx.de>
+
+diff --git a/drivers/parisc/eisa_eeprom.c b/drivers/parisc/eisa_eeprom.c
+index 685d94e..8c0b26e 100644
+--- a/drivers/parisc/eisa_eeprom.c
++++ b/drivers/parisc/eisa_eeprom.c
+@@ -55,7 +55,7 @@ static ssize_t eisa_eeprom_read(struct file * file,
+ 	ssize_t ret;
+ 	int i;
+ 	
+-	if (*ppos >= HPEE_MAX_LENGTH)
++	if (*ppos < 0 || *ppos >= HPEE_MAX_LENGTH)
+ 		return 0;
+ 	
+ 	count = *ppos + count < HPEE_MAX_LENGTH ? count : HPEE_MAX_LENGTH - *ppos;

Modified: dists/lenny/linux-2.6/debian/patches/series/19
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/19	Mon Aug 17 15:10:38 2009	(r14136)
+++ dists/lenny/linux-2.6/debian/patches/series/19	Wed Aug 19 04:28:24 2009	(r14137)
@@ -1,2 +1,3 @@
 + bugfix/all/input-alps-support-toshiba-satellite-pro-m10.patch
 + bugfix/all/aacraid-driver-update.patch
++ bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch

More information about the Kernel-svn-changes mailing list