[kernel] r15556 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Tue Apr 27 05:32:23 UTC 2010

Author: dannf
Date: Tue Apr 27 05:32:20 2010
New Revision: 15556

Log:
Bluetooth: Fix potential bad memory access with sysfs files (CVE-2010-1084)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/21lenny5

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================

--- dists/lenny-security/linux-2.6/debian/changelog	Sun Apr 25 22:58:27 2010	(r15555)
+++ dists/lenny-security/linux-2.6/debian/changelog	Tue Apr 27 05:32:20 2010	(r15556)
@@ -3,6 +3,7 @@
   [ dann frazier ]
   * USB: usbfs: only copy the actual data received (CVE-2010-1083)
   * GFS2: Skip check for mandatory locks when unlocking (CVE-2010-0727)
+  * Bluetooth: Fix potential bad memory access with sysfs files (CVE-2010-1084)
 
   [ Ben Hutchings ]
   * [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch	Tue Apr 27 05:32:20 2010	(r15556)
@@ -0,0 +1,141 @@
+commit cd17994006d51c3d1d7d8e248fc76137e71e858b
+Author: Marcel Holtmann <marcel at holtmann.org>
+Date:   Mon Mar 15 14:12:58 2010 -0700
+
+    Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+    
+    Bluetooth: Fix potential bad memory access with sysfs files
+    
+    When creating a high number of Bluetooth sockets (L2CAP, SCO
+    and RFCOMM) it is possible to scribble repeatedly on arbitrary
+    pages of memory. Ensure that the content of these sysfs files is
+    always less than one page. Even if this means truncating. The
+    files in question are scheduled to be moved over to debugfs in
+    the future anyway.
+    
+    Based on initial patches from Neil Brown and Linus Torvalds
+    
+    Reported-by: Neil Brown <neilb at suse.de>
+    Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 6e180d2..ea113a3 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2270,16 +2270,24 @@ static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
+ 	struct sock *sk;
+ 	struct hlist_node *node;
+ 	char *str = buf;
++	int size = PAGE_SIZE;
+ 
+ 	read_lock_bh(&l2cap_sk_list.lock);
+ 
+ 	sk_for_each(sk, node, &l2cap_sk_list.head) {
+ 		struct l2cap_pinfo *pi = l2cap_pi(sk);
++		int len;
+ 
+-		str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d 0x%x\n",
++		len = snprintf(str, size, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d 0x%x\n",
+ 				batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ 				sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
+ 				pi->imtu, pi->omtu, pi->link_mode);
++
++		size -= len;
++		if (size <= 0)
++			break;
++
++		str += len;
+ 	}
+ 
+ 	read_unlock_bh(&l2cap_sk_list.lock);
+diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
+index 0c2c937..571f913 100644
+--- a/net/bluetooth/rfcomm/core.c
++++ b/net/bluetooth/rfcomm/core.c
+@@ -2013,6 +2013,7 @@ static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
+ 	struct rfcomm_session *s;
+ 	struct list_head *pp, *p;
+ 	char *str = buf;
++	int size = PAGE_SIZE;
+ 
+ 	rfcomm_lock();
+ 
+@@ -2021,11 +2022,21 @@ static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
+ 		list_for_each(pp, &s->dlcs) {
+ 			struct sock *sk = s->sock->sk;
+ 			struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
++			int len;
+ 
+-			str += sprintf(str, "%s %s %ld %d %d %d %d\n",
++			len = snprintf(str, size, "%s %s %ld %d %d %d %d\n",
+ 					batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ 					d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
++
++			size -= len;
++			if (size <= 0)
++				break;
++
++			str += len;
+ 		}
++
++		if (size <= 0)
++			break;
+ 	}
+ 
+ 	rfcomm_unlock();
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 5083adc..b90954a 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -894,13 +894,22 @@ static ssize_t rfcomm_sock_sysfs_show(struct class *dev, char *buf)
+ 	struct sock *sk;
+ 	struct hlist_node *node;
+ 	char *str = buf;
++	int size = PAGE_SIZE;
+ 
+ 	read_lock_bh(&rfcomm_sk_list.lock);
+ 
+ 	sk_for_each(sk, node, &rfcomm_sk_list.head) {
+-		str += sprintf(str, "%s %s %d %d\n",
++		int len;
++
++		len = snprintf(str, size, "%s %s %d %d\n",
+ 				batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ 				sk->sk_state, rfcomm_pi(sk)->channel);
++
++		size -= len;
++		if (size <= 0)
++			break;
++
++		str += len;
+ 	}
+ 
+ 	read_unlock_bh(&rfcomm_sk_list.lock);
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index b0d487e..fbd9049 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -893,13 +893,22 @@ static ssize_t sco_sysfs_show(struct class *dev, char *buf)
+ 	struct sock *sk;
+ 	struct hlist_node *node;
+ 	char *str = buf;
++	int size = PAGE_SIZE;
+ 
+ 	read_lock_bh(&sco_sk_list.lock);
+ 
+ 	sk_for_each(sk, node, &sco_sk_list.head) {
+-		str += sprintf(str, "%s %s %d\n",
++		int len;
++
++		len = snprintf(str, size, "%s %s %d\n",
+ 				batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ 				sk->sk_state);
++
++		size -= len;
++		if (size <= 0)
++			break;
++
++		str += len;
+ 	}
+ 
+ 	read_unlock_bh(&sco_sk_list.lock);

Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny5	Sun Apr 25 22:58:27 2010	(r15555)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny5	Tue Apr 27 05:32:20 2010	(r15556)
@@ -4,3 +4,4 @@
 + bugfix/all/r8169-Fix-receive-buffer-length.patch
 + bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
 + bugfix/all/r8169-clean-up-my-printk-uglyness.patch
++ bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch

