[kernel] r16088 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/parisc patches/series

Dann Frazier dannf at alioth.debian.org
Thu Aug 5 18:02:12 UTC 2010 

Author: dannf
Date: Thu Aug  5 18:01:44 2010
New Revision: 16088

Log:
[parisc] fix potential stack overflow in led_proc_write() (CVE-REQUESTED)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Aug  5 17:30:35 2010	(r16087)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Aug  5 18:01:44 2010	(r16088)
@@ -6,6 +6,7 @@
   * xfs: prevent swapext from operating on write-only files (CVE-2010-2226)
   * nfsd4: bug in read_buf (CVE-2010-2521)
   * GFS2: rename causes kernel Oops (CVE-2010-2798)
+  * [parisc] fix potential stack overflow in led_proc_write() (CVE-REQUESTED)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch	Thu Aug  5 18:01:44 2010	(r16088)
@@ -0,0 +1,40 @@
+commit e2587c7080d90415a60d852b948e4967232f9294
+Author: Helge Deller <deller at gmx.de>
+Date:   Mon Aug 2 22:46:41 2010 +0200
+
+    PARISC: led.c - fix potential stack overflow in led_proc_write()
+    
+    avoid potential stack overflow by correctly checking count parameter
+    
+    Reported-by: Ilja <ilja at netric.org>
+    Signed-off-by: Helge Deller <deller at gmx.de>
+    Acked-by: Kyle McMartin <kyle at mcmartin.ca>
+    Cc: James E.J. Bottomley <jejb at parisc-linux.org>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/parisc/led.c b/drivers/parisc/led.c
+index f9b1266..299b4e6 100644
+--- a/drivers/parisc/led.c
++++ b/drivers/parisc/led.c
+@@ -182,16 +182,18 @@ static int led_proc_read(char *page, char **start, off_t off, int count,
+ static int led_proc_write(struct file *file, const char *buf, 
+ 	unsigned long count, void *data)
+ {
+-	char *cur, lbuf[count + 1];
++	char *cur, lbuf[32];
+ 	int d;
+ 
+ 	if (!capable(CAP_SYS_ADMIN))
+ 		return -EACCES;
+ 
+-	memset(lbuf, 0, count + 1);
++	if (count >= sizeof(lbuf))
++		count = sizeof(lbuf)-1;
+ 
+ 	if (copy_from_user(lbuf, buf, count))
+ 		return -EFAULT;
++	lbuf[count] = 0;
+ 
+ 	cur = lbuf;
+ 

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Thu Aug  5 17:30:35 2010	(r16087)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Thu Aug  5 18:01:44 2010	(r16088)
@@ -4,3 +4,4 @@
 + bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
 + bugfix/all/nfsd4-bug-in-read_buf.patch
 + bugfix/all/gfs2-rename-causes-kernel-oops.patch
++ bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch

More information about the Kernel-svn-changes mailing list