[kernel] r14810 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 24 07:28:12 UTC 2009
Author: dannf
Date: Thu Dec 24 07:28:09 2009
New Revision: 14810
Log:
firewire: ohci: handle receive packets with a data length of zero
(CVE-2009-4138)
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/21
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Thu Dec 24 07:14:00 2009 (r14809)
+++ dists/lenny/linux-2.6/debian/changelog Thu Dec 24 07:28:09 2009 (r14810)
@@ -34,6 +34,8 @@
(CVE-2009-2691)
* hfs: fix a potential buffer overflow (CVE-2009-4020)
* KVM: x86 emulator: limit instructions to 15 bytes (CVE-2009-4031)
+ * firewire: ohci: handle receive packets with a data length of zero
+ (CVE-2009-4138)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 24 Oct 2009 23:45:45 +0100
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch Thu Dec 24 07:28:09 2009 (r14810)
@@ -0,0 +1,55 @@
+commit 8c0c0cc2d9f4c523fde04bdfe41e4380dec8ee54
+Author: Jay Fenlason <fenlason at redhat.com>
+Date: Fri Dec 11 14:23:58 2009 -0500
+
+ firewire: ohci: handle receive packets with a data length of zero
+
+ Queueing to receive an ISO packet with a payload length of zero
+ silently does nothing in dualbuffer mode, and crashes the kernel in
+ packet-per-buffer mode. Return an error in dualbuffer mode, because
+ the DMA controller won't let us do what we want, and work correctly in
+ packet-per-buffer mode.
+
+ Signed-off-by: Jay Fenlason <fenlason at redhat.com>
+ Signed-off-by: Stefan Richter <stefanr at s5r6.in-berlin.de>
+ Cc: stable at kernel.org
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/firewire/fw-ohci.c linux-source-2.6.26/drivers/firewire/fw-ohci.c
+--- linux-source-2.6.26.orig/drivers/firewire/fw-ohci.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/firewire/fw-ohci.c 2009-12-24 00:20:17.000000000 -0700
+@@ -2142,6 +2142,13 @@ ohci_queue_iso_receive_dualbuffer(struct
+ page = payload >> PAGE_SHIFT;
+ offset = payload & ~PAGE_MASK;
+ rest = p->payload_length;
++ /*
++ * The controllers I've tested have not worked correctly when
++ * second_req_count is zero. Rather than do something we know won't
++ * work, return an error
++ */
++ if (rest == 0)
++ return -EINVAL;
+
+ /* FIXME: make packet-per-buffer/dual-buffer a context option */
+ while (rest > 0) {
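Review bot: The new check "if (rest == 0) return -EINVAL;" in ohci_queue_iso_receive_dualbuffer changes what callers see. Per the commit message, a zero payload length used to silently do nothing in this mode, and now the queue call fails. That change deserves a line in the function's documentation or the changelog entry, so callers know zero-length receives are rejected in dualbuffer mode. The added comment is also missing its closing period and would be more useful if it named the controllers that were tested.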
+@@ -2195,7 +2202,7 @@ ohci_queue_iso_receive_packet_per_buffer
+ unsigned long payload)
+ {
+ struct iso_context *ctx = container_of(base, struct iso_context, base);
+- struct descriptor *d = NULL, *pd = NULL;
++ struct descriptor *d, *pd;
+ struct fw_iso_packet *p = packet;
+ dma_addr_t d_bus, page_bus;
+ u32 z, header_z, rest;
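Review bot: With the "= NULL" initialisers dropped from "struct descriptor *d, *pd;", both pointers are indeterminate until assigned, so a missed path would use a garbage pointer rather than NULL. pd is covered by the "pd = d;" added in the following hunk, but the assignment of d lies outside the context shown here. Please confirm against the 2.6.26 source that d is assigned on every path before "d->data_address" is written.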
+@@ -2233,8 +2240,9 @@ ohci_queue_iso_receive_packet_per_buffer
+ d->data_address = cpu_to_le32(d_bus + (z * sizeof(*d)));
+
+ rest = payload_per_buffer;
++ pd = d;
+ for (j = 1; j < z; j++) {
+- pd = d + j;
++ pd++;
+ pd->control = cpu_to_le16(DESCRIPTOR_STATUS |
+ DESCRIPTOR_INPUT_MORE);
+
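Review bot: The added "pd = d;" ahead of the loop has no comment, although it is the line the packet-per-buffer fix depends on. When z is 1 the body of "for (j = 1; j < z; j++)" never runs, and in the lines shown pd was previously assigned only inside that body ("pd = d + j;"). A one-line comment at "pd = d;" stating that pd must point at the first descriptor when the loop does not execute would keep a later cleanup from moving the assignment back into the loop.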
Modified: dists/lenny/linux-2.6/debian/patches/series/21
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/21 Thu Dec 24 07:14:00 2009 (r14809)
+++ dists/lenny/linux-2.6/debian/patches/series/21 Thu Dec 24 07:28:09 2009 (r14810)
@@ -39,3 +39,4 @@
+ bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
+ bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
+ bugfix/x86/kvm-limit-instructions-to-15-bytes.patch
++ bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch