[kernel] r15531 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Apr 22 04:39:04 UTC 2010


Author: dannf
Date: Thu Apr 22 04:38:58 2010
New Revision: 15531

Log:
USB: usbfs: only copy the actual data received (CVE-2010-1083)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usbfs-only-copy-received-data.patch
   dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
Modified:
   dists/lenny-security/linux-2.6/debian/changelog

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Apr 22 01:56:24 2010	(r15530)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Apr 22 04:38:58 2010	(r15531)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.26-21lenny5) UNRELEASED; urgency=high
+
+  * USB: usbfs: only copy the actual data received (CVE-2010-1083)
+
+ -- dann frazier <dannf at debian.org>  Wed, 21 Apr 2010 22:37:06 -0600
+
 linux-2.6 (2.6.26-21lenny4) stable-security; urgency=high
 
   [ dann frazier ]
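
Review bot: the new 2.6.26-21lenny5 stanza is still marked UNRELEASED, while the 21lenny4 entry below it targets stable-security, so the distribution field needs changing before upload. The stanza also omits the "[ dann frazier ]" attribution line that 21lenny4 uses. The bullet names the CVE but not the patch file (bugfix/all/usbfs-only-copy-received-data.patch); naming it would make the entry easier to trace.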

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usbfs-only-copy-received-data.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usbfs-only-copy-received-data.patch	Thu Apr 22 04:38:58 2010	(r15531)
@@ -0,0 +1,47 @@
+Backported to Debian's 2.6.26
+
+commit d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6
+Author: Greg KH <greg at kroah.com>
+Date:   Mon Feb 15 09:37:46 2010 -0800
+
+    USB: usbfs: only copy the actual data received
+    
+    We need to only copy the data received by the device to userspace, not
+    the whole kernel buffer, which can contain "stale" data.
+    
+    Thanks to Marcus Meissner for pointing this out and testing the fix.
+    
+    Reported-by: Marcus Meissner <meissner at suse.de>
+    Tested-by: Marcus Meissner <meissner at suse.de>
+    Cc: Alan Stern <stern at rowland.harvard.edu>
+    Cc: Linus Torvalds <torvalds at linux-foundation.org>
+    Cc: stable <stable at kernel.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff -urpN linux-source-2.6.26.orig/drivers/usb/core/devio.c linux-source-2.6.26/drivers/usb/core/devio.c
+--- linux-source-2.6.26.orig/drivers/usb/core/devio.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/usb/core/devio.c	2010-04-16 20:02:20.000000000 -0600
+@@ -1203,9 +1203,9 @@ static int processcompl(struct async *as
+ 	void __user *addr = as->userurb;
+ 	unsigned int i;
+ 
+-	if (as->userbuffer)
++	if (as->userbuffer && urb->actual_length)
+ 		if (copy_to_user(as->userbuffer, urb->transfer_buffer,
+-				 urb->transfer_buffer_length))
++				 urb->actual_length))
+ 			return -EFAULT;
+ 	if (put_user(as->status, &userurb->status))
+ 		return -EFAULT;
+@@ -1321,9 +1321,9 @@ static int processcompl_compat(struct as
+ 	void __user *addr = as->userurb;
+ 	unsigned int i;
+ 
+-	if (as->userbuffer)
++	if (as->userbuffer && urb->actual_length)
+ 		if (copy_to_user(as->userbuffer, urb->transfer_buffer,
+-				 urb->transfer_buffer_length))
++				 urb->actual_length))
+ 			return -EFAULT;
+ 	if (put_user(as->status, &userurb->status))
+ 		return -EFAULT;
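
Review bot: in both processcompl() and processcompl_compat(), copying only the first urb->actual_length bytes from urb->transfer_buffer assumes the received data sits contiguously at the start of the buffer. That holds for control, bulk and interrupt URBs. For isochronous URBs each packet is written at its own offset inside the buffer, so when any packet comes back short, the data of later packets lies beyond actual_length and would no longer reach userspace. Please confirm the behaviour for iso URBs (the "unsigned int i;" in the context suggests a per-packet loop follows). If they are affected, one option is to keep the full transfer_buffer_length copy for iso URBs only and zero that buffer before submission, so the stale-data leak stays closed. Two smaller points: the same two-line change is duplicated across the two functions and could live in a shared helper, and the nested unbraced "if (as->userbuffer && urb->actual_length)" followed by "if (copy_to_user(...))" would read more safely as one condition or with braces.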

Added: dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny5	Thu Apr 22 04:38:58 2010	(r15531)
@@ -0,0 +1 @@
++ bugfix/all/usbfs-only-copy-received-data.patch


