[kernel] r16088 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/parisc patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Aug 5 18:02:12 UTC 2010
Author: dannf
Date: Thu Aug 5 18:01:44 2010
New Revision: 16088
Log:
[parisc] fix potential stack overflow in led_proc_write() (CVE-REQUESTED)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Aug 5 17:30:35 2010 (r16087)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Aug 5 18:01:44 2010 (r16088)
@@ -6,6 +6,7 @@
* xfs: prevent swapext from operating on write-only files (CVE-2010-2226)
* nfsd4: bug in read_buf (CVE-2010-2521)
* GFS2: rename causes kernel Oops (CVE-2010-2798)
+ * [parisc] fix potential stack overflow in led_proc_write() (CVE-REQUESTED)
-- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch Thu Aug 5 18:01:44 2010 (r16088)
@@ -0,0 +1,40 @@
+commit e2587c7080d90415a60d852b948e4967232f9294
+Author: Helge Deller <deller at gmx.de>
+Date: Mon Aug 2 22:46:41 2010 +0200
+
+ PARISC: led.c - fix potential stack overflow in led_proc_write()
+
+ avoid potential stack overflow by correctly checking count parameter
+
+ Reported-by: Ilja <ilja at netric.org>
+ Signed-off-by: Helge Deller <deller at gmx.de>
+ Acked-by: Kyle McMartin <kyle at mcmartin.ca>
+ Cc: James E.J. Bottomley <jejb at parisc-linux.org>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/parisc/led.c b/drivers/parisc/led.c
+index f9b1266..299b4e6 100644
+--- a/drivers/parisc/led.c
++++ b/drivers/parisc/led.c
+@@ -182,16 +182,18 @@ static int led_proc_read(char *page, char **start, off_t off, int count,
+ static int led_proc_write(struct file *file, const char *buf,
+ unsigned long count, void *data)
+ {
+- char *cur, lbuf[count + 1];
++ char *cur, lbuf[32];
+ int d;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
+- memset(lbuf, 0, count + 1);
++ if (count >= sizeof(lbuf))
++ count = sizeof(lbuf)-1;
+
+ if (copy_from_user(lbuf, buf, count))
+ return -EFAULT;
++ lbuf[count] = 0;
+
+ cur = lbuf;
+
Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Thu Aug 5 17:30:35 2010 (r16087)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Thu Aug 5 18:01:44 2010 (r16088)
@@ -4,3 +4,4 @@
+ bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
+ bugfix/all/nfsd4-bug-in-read_buf.patch
+ bugfix/all/gfs2-rename-causes-kernel-oops.patch
++ bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
More information about the Kernel-svn-changes
mailing list