[kernel] r14550 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Nov 4 20:49:16 UTC 2009


Author: dannf
Date: Wed Nov  4 20:49:14 2009
New Revision: 14550

Log:
net ax25: Fix signed comparison in the sockopt handler (CVE-2009-2909)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
      - copied unchanged from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Wed Nov  4 20:45:39 2009	(r14549)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Wed Nov  4 20:49:14 2009	(r14550)
@@ -16,6 +16,7 @@
     (CVE-2009-3620)
   * r8169: use hardware auto padding and balance pci_map/pci_unmap
     (CVE-2009-3613)
+  * net ax25: Fix signed comparison in the sockopt handler (CVE-2009-2909)
 
  -- dann frazier <dannf at debian.org>  Tue, 27 Oct 2009 22:41:25 -0600
 

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch (from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch	Wed Nov  4 20:49:14 2009	(r14550, copy of r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch)
@@ -0,0 +1,54 @@
+From arjan at infradead.org  Thu Oct  1 11:19:55 2009
+From: Arjan van de Ven <arjan at infradead.org>
+Date: Wed, 30 Sep 2009 13:51:11 +0200
+Subject: net ax25: Fix signed comparison in the sockopt handler
+To: davem at davemloft.net
+Cc: jakub at redhat.com, torvalds at linux-foundation.org, mingo at elte.hu, stable at kernel.org
+Message-ID: <20090930135111.64240d86 at infradead.org>
+
+
+From: Arjan van de Ven <arjan at linux.intel.com>
+
+fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way
+
+The ax25 code tried to use
+
+        if (optlen < sizeof(int))
+                return -EINVAL;
+
+as a security check against optlen being negative (or zero) in the
+set socket option.
+
+Unfortunately, "sizeof(int)" is an unsigned property, with the
+result that the whole comparison is done in unsigned, letting
+negative values slip through.
+
+This patch changes this to
+
+        if (optlen < (int)sizeof(int))
+                return -EINVAL;
+
+so that the comparison is done as signed, and negative values
+get properly caught.
+
+Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>
+Cc: David S. Miller <davem at davemloft.net>
+Cc: Ingo Molnar <mingo at elte.hu>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/ax25/af_ax25.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -538,7 +538,7 @@ static int ax25_setsockopt(struct socket
+ 	if (level != SOL_AX25)
+ 		return -ENOPROTOOPT;
+ 
+-	if (optlen < sizeof(int))
++	if (optlen < (int)sizeof(int))
+ 		return -EINVAL;
+ 
+ 	if (get_user(opt, (int __user *)optval))
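Review bot: The cast in `if (optlen < (int)sizeof(int))` carries the whole fix, yet the hunk adds no comment in net/ax25/af_ax25.c explaining it, so a later cleanup could drop it as redundant and bring back the unsigned comparison that lets negative optlen through. Suggest a one-line comment above the check stating that the comparison must stay signed so that negative lengths are rejected before `get_user()` runs. The patch header also says the issue was fixed upstream in b7058842c940ad2c08dd829b21e5c92ebe3b8758 "in a different way" without saying what differs; one sentence on why this tree carries the cast variant would help whoever rebases the series later.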

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4	Wed Nov  4 20:45:39 2009	(r14549)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4	Wed Nov  4 20:49:14 2009	(r14550)
@@ -10,3 +10,4 @@
 + bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch
 + bugfix/all/r8169-balance-pci_map-pci_unmap-pair.patch
 + bugfix/all/r8169-use-hardware-auto-padding.patch
++ bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
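Review bot: The new series entry enables a patch that the log says was copied unchanged from the lenny-security linux-2.6 tree, while this series applies to linux-2.6.24. The embedded hunk targets `@@ -538,7 +538,7 @@` in ax25_setsockopt, so please confirm it applies to the 2.6.24 source without offset or fuzz and that the `optlen < sizeof(int)` check is the same line in this tree, and note the result in the commit log.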


