[kernel] r14810 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Thu Dec 24 07:28:09 2009
New Revision: 14810

Log:
firewire: ohci: handle receive packets with a data length of zero
(CVE-2009-4138)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/21

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Thu Dec 24 07:14:00 2009	(r14809)
+++ dists/lenny/linux-2.6/debian/changelog	Thu Dec 24 07:28:09 2009	(r14810)
@@ -34,6 +34,8 @@
     (CVE-2009-2691)
   * hfs: fix a potential buffer overflow (CVE-2009-4020)
   * KVM: x86 emulator: limit instructions to 15 bytes (CVE-2009-4031)
+  * firewire: ohci: handle receive packets with a data length of zero
+    (CVE-2009-4138)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 24 Oct 2009 23:45:45 +0100
 

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch	Thu Dec 24 07:28:09 2009	(r14810)
@@ -0,0 +1,55 @@
+commit 8c0c0cc2d9f4c523fde04bdfe41e4380dec8ee54
+Author: Jay Fenlason <fenlason at redhat.com>
+Date:   Fri Dec 11 14:23:58 2009 -0500
+
+    firewire: ohci: handle receive packets with a data length of zero
+    
+    Queueing to receive an ISO packet with a payload length of zero
+    silently does nothing in dualbuffer mode, and crashes the kernel in
+    packet-per-buffer mode.  Return an error in dualbuffer mode, because
+    the DMA controller won't let us do what we want, and work correctly in
+    packet-per-buffer mode.
+    
+    Signed-off-by: Jay Fenlason <fenlason at redhat.com>
+    Signed-off-by: Stefan Richter <stefanr at s5r6.in-berlin.de>
+    Cc: stable at kernel.org
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/firewire/fw-ohci.c linux-source-2.6.26/drivers/firewire/fw-ohci.c
+--- linux-source-2.6.26.orig/drivers/firewire/fw-ohci.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/firewire/fw-ohci.c	2009-12-24 00:20:17.000000000 -0700
+@@ -2142,6 +2142,13 @@ ohci_queue_iso_receive_dualbuffer(struct
+ 	page     = payload >> PAGE_SHIFT;
+ 	offset   = payload & ~PAGE_MASK;
+ 	rest     = p->payload_length;
++	/*
++	 * The controllers I've tested have not worked correctly when
++	 * second_req_count is zero.  Rather than do something we know won't
++	 * work, return an error
++	 */
++	if (rest == 0)
++		return -EINVAL;
+ 
+ 	/* FIXME: make packet-per-buffer/dual-buffer a context option */
+ 	while (rest > 0) {
+@@ -2195,7 +2202,7 @@ ohci_queue_iso_receive_packet_per_buffer
+ 					 unsigned long payload)
+ {
+ 	struct iso_context *ctx = container_of(base, struct iso_context, base);
+-	struct descriptor *d = NULL, *pd = NULL;
++	struct descriptor *d, *pd;
+ 	struct fw_iso_packet *p = packet;
+ 	dma_addr_t d_bus, page_bus;
+ 	u32 z, header_z, rest;
+@@ -2233,8 +2240,9 @@ ohci_queue_iso_receive_packet_per_buffer
+ 		d->data_address = cpu_to_le32(d_bus + (z * sizeof(*d)));
+ 
+ 		rest = payload_per_buffer;
++		pd = d;
+ 		for (j = 1; j < z; j++) {
+-			pd = d + j;
++			pd++;
+ 			pd->control = cpu_to_le16(DESCRIPTOR_STATUS |
+ 						  DESCRIPTOR_INPUT_MORE);
+ 

Modified: dists/lenny/linux-2.6/debian/patches/series/21
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/21	Thu Dec 24 07:14:00 2009	(r14809)
+++ dists/lenny/linux-2.6/debian/patches/series/21	Thu Dec 24 07:28:09 2009	(r14810)
@@ -39,3 +39,4 @@
 + bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
 + bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
 + bugfix/x86/kvm-limit-instructions-to-15-bytes.patch
++ bugfix/all/firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch