[kernel] r15556 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Apr 27 05:32:23 UTC 2010
Author: dannf
Date: Tue Apr 27 05:32:20 2010
New Revision: 15556
Log:
Bluetooth: Fix potential bad memory access with sysfs files (CVE-2010-1084)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Apr 25 22:58:27 2010 (r15555)
+++ dists/lenny-security/linux-2.6/debian/changelog Tue Apr 27 05:32:20 2010 (r15556)
@@ -3,6 +3,7 @@
[ dann frazier ]
* USB: usbfs: only copy the actual data received (CVE-2010-1083)
* GFS2: Skip check for mandatory locks when unlocking (CVE-2010-0727)
+ * Bluetooth: Fix potential bad memory access with sysfs files (CVE-2010-1084)
[ Ben Hutchings ]
* [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch Tue Apr 27 05:32:20 2010 (r15556)
@@ -0,0 +1,141 @@
+commit cd17994006d51c3d1d7d8e248fc76137e71e858b
+Author: Marcel Holtmann <marcel at holtmann.org>
+Date: Mon Mar 15 14:12:58 2010 -0700
+
+ Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+ Bluetooth: Fix potential bad memory access with sysfs files
+
+ When creating a high number of Bluetooth sockets (L2CAP, SCO
+ and RFCOMM) it is possible to scribble repeatedly on arbitrary
+ pages of memory. Ensure that the content of these sysfs files is
+ always less than one page. Even if this means truncating. The
+ files in question are scheduled to be moved over to debugfs in
+ the future anyway.
+
+ Based on initial patches from Neil Brown and Linus Torvalds
+
+ Reported-by: Neil Brown <neilb at suse.de>
+ Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 6e180d2..ea113a3 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2270,16 +2270,24 @@ static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
+ struct sock *sk;
+ struct hlist_node *node;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ read_lock_bh(&l2cap_sk_list.lock);
+
+ sk_for_each(sk, node, &l2cap_sk_list.head) {
+ struct l2cap_pinfo *pi = l2cap_pi(sk);
++ int len;
+
+- str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d 0x%x\n",
++ len = snprintf(str, size, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d 0x%x\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
+ pi->imtu, pi->omtu, pi->link_mode);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
+
+ read_unlock_bh(&l2cap_sk_list.lock);
+diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
+index 0c2c937..571f913 100644
+--- a/net/bluetooth/rfcomm/core.c
++++ b/net/bluetooth/rfcomm/core.c
+@@ -2013,6 +2013,7 @@ static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
+ struct rfcomm_session *s;
+ struct list_head *pp, *p;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ rfcomm_lock();
+
+@@ -2021,11 +2022,21 @@ static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
+ list_for_each(pp, &s->dlcs) {
+ struct sock *sk = s->sock->sk;
+ struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
++ int len;
+
+- str += sprintf(str, "%s %s %ld %d %d %d %d\n",
++ len = snprintf(str, size, "%s %s %ld %d %d %d %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
++
++ if (size <= 0)
++ break;
+ }
+
+ rfcomm_unlock();
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 5083adc..b90954a 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -894,13 +894,22 @@ static ssize_t rfcomm_sock_sysfs_show(struct class *dev, char *buf)
+ struct sock *sk;
+ struct hlist_node *node;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ read_lock_bh(&rfcomm_sk_list.lock);
+
+ sk_for_each(sk, node, &rfcomm_sk_list.head) {
+- str += sprintf(str, "%s %s %d %d\n",
++ int len;
++
++ len = snprintf(str, size, "%s %s %d %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ sk->sk_state, rfcomm_pi(sk)->channel);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
+
+ read_unlock_bh(&rfcomm_sk_list.lock);
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index b0d487e..fbd9049 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -893,13 +893,22 @@ static ssize_t sco_sysfs_show(struct class *dev, char *buf)
+ struct sock *sk;
+ struct hlist_node *node;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ read_lock_bh(&sco_sk_list.lock);
+
+ sk_for_each(sk, node, &sco_sk_list.head) {
+- str += sprintf(str, "%s %s %d\n",
++ int len;
++
++ len = snprintf(str, size, "%s %s %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ sk->sk_state);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
+
+ read_unlock_bh(&sco_sk_list.lock);
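Review bot: The bounded loop added to l2cap_sysfs_show, and repeated in rfcomm_dlc_sysfs_show, rfcomm_sock_sysfs_show and sco_sysfs_show, stops silently once the page is full, so a reader of these files gets a partial socket list with nothing to show it was cut short. When snprintf truncates, `len` is the length the line would have had, `size` drops to zero or below and the loop breaks before `str += len`, so the cut-off fragment sits in the buffer but is presumably not counted in the returned length; the return statements are outside the hunks, so this cannot be confirmed here. I would record the intent next to each `int size = PAGE_SIZE;` with a comment such as `/* output must stay within one page; stop at the last entry that fits completely, so the listing may be truncated */`. Because the number of entries follows the number of open sockets, any tooling that parses these files should treat the listing as possibly incomplete.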
Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny5 Sun Apr 25 22:58:27 2010 (r15555)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny5 Tue Apr 27 05:32:20 2010 (r15556)
@@ -4,3 +4,4 @@
+ bugfix/all/r8169-Fix-receive-buffer-length.patch
+ bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
+ bugfix/all/r8169-clean-up-my-printk-uglyness.patch
++ bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch