[kernel] r16123 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Aug 12 01:09:46 UTC 2010
Author: dannf
Date: Thu Aug 12 01:09:44 2010
New Revision: 16123
Log:
can: add limit for nframes and clean up signed/unsigned variables (CVE-REQUESTED)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Aug 12 01:09:28 2010 (r16122)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Aug 12 01:09:44 2010 (r16123)
@@ -9,6 +9,8 @@
* [parisc] fix potential stack overflow in led_proc_write() (CVE-REQUESTED)
* exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
regression due to fix for CVE-2010-0307)
+ * can: add limit for nframes and clean up signed/unsigned variables
+ (CVE-REQUESTED)
-- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/can-add-limit-for-nframes-and-clean-up-signed-variables.patch Thu Aug 12 01:09:44 2010 (r16123)
@@ -0,0 +1,143 @@
+commit 9f377342fc255dab55d6589e65ed17a90a9d37ea
+Author: dann frazier <dannf at hp.com>
+Date: Wed Aug 11 18:17:16 2010 -0600
+
+ can: add limit for nframes and clean up signed/unsigned variables
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ This patch adds a limit for nframes as the number of frames in TX_SETUP and
+ RX_SETUP are derived from a single byte multiplex value by default.
+ Use-cases that would require to send/filter more than 256 CAN frames should
+ be implemented in userspace for complexity reasons anyway.
+
+ Additionally the assignments of unsigned values from userspace to signed
+ values in kernelspace and vice versa are fixed by using unsigned values in
+ kernelspace consistently.
+
+ Signed-off-by: Oliver Hartkopp <socketcan at xxxxxxxxxxxx>
+ Reported-by: Ben Hawkes <hawkes at xxxxxxxxxx>
+ Acked-by: Urs Thuermann <urs.thuermann at xxxxxxxxxxxxx>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 72c2ce9..4d21e40 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -58,6 +58,13 @@
+ #include <net/sock.h>
+ #include <net/net_namespace.h>
+
++/*
++ * To send multiple CAN frame content within TX_SETUP or to filter
++ * CAN messages with multiplex index within RX_SETUP, the number of
++ * different filters is limited to 256 due to the one byte index value.
++ */
++#define MAX_NFRAMES 256
++
+ /* use of last_frames[index].can_dlc */
+ #define RX_RECV 0x40 /* received data for this element */
+ #define RX_THR 0x80 /* element not been sent due to throttle feature */
+@@ -85,15 +92,15 @@ struct bcm_op {
+ struct list_head list;
+ int ifindex;
+ canid_t can_id;
+- int flags;
++ u32 flags;
+ unsigned long frames_abs, frames_filtered;
+ struct timeval ival1, ival2;
+ struct hrtimer timer, thrtimer;
+ ktime_t rx_stamp, kt_ival1, kt_ival2, kt_lastmsg;
+ int rx_ifindex;
+- int count;
+- int nframes;
+- int currframe;
++ u32 count;
++ u32 nframes;
++ u32 currframe;
+ struct can_frame *frames;
+ struct can_frame *last_frames;
+ struct can_frame sframe;
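Review bot: Changing `flags`, `count`, `nframes` and `currframe` from `int` to `u32` in struct bcm_op alters every comparison and decrement on these fields, and most of their users lie outside the hunks of this patch. Because this is a backport to 2.6.26 and not the upstream tree, the surrounding code may differ from what the original author reviewed. It is worth confirming that no remaining code tests one of these fields for a negative value, or decrements `count` without first checking it is non-zero; such code would now wrap to a large value instead of going negative. The struct definition itself starts before this hunk and continues after it.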
+@@ -172,7 +179,7 @@ static int bcm_read_proc(char *page, char **start, off_t off,
+ len += snprintf(page + len, PAGE_SIZE - len,
+ "rx_op: %03X %-5s ",
+ op->can_id, bcm_proc_getifname(op->ifindex));
+- len += snprintf(page + len, PAGE_SIZE - len, "[%d]%c ",
++ len += snprintf(page + len, PAGE_SIZE - len, "[%u]%c ",
+ op->nframes,
+ (op->flags & RX_CHECK_DLC)?'d':' ');
+ if (op->kt_ival1.tv64)
+@@ -206,7 +213,7 @@ static int bcm_read_proc(char *page, char **start, off_t off,
+ list_for_each_entry(op, &bo->tx_ops, list) {
+
+ len += snprintf(page + len, PAGE_SIZE - len,
+- "tx_op: %03X %s [%d] ",
++ "tx_op: %03X %s [%u] ",
+ op->can_id, bcm_proc_getifname(op->ifindex),
+ op->nframes);
+
+@@ -287,7 +294,7 @@ static void bcm_send_to_user(struct bcm_op *op, struct bcm_msg_head *head,
+ struct can_frame *firstframe;
+ struct sockaddr_can *addr;
+ struct sock *sk = op->sk;
+- int datalen = head->nframes * CFSIZ;
++ unsigned int datalen = head->nframes * CFSIZ;
+ int err;
+
+ skb = alloc_skb(sizeof(*head) + datalen, gfp_any());
+@@ -465,7 +472,7 @@ static void bcm_rx_update_and_send(struct bcm_op *op,
+ * bcm_rx_cmp_to_index - (bit)compares the currently received data to formerly
+ * received data stored in op->last_frames[]
+ */
+-static void bcm_rx_cmp_to_index(struct bcm_op *op, int index,
++static void bcm_rx_cmp_to_index(struct bcm_op *op, unsigned int index,
+ struct can_frame *rxdata)
+ {
+ /*
+@@ -547,7 +554,7 @@ static int bcm_rx_thr_flush(struct bcm_op *op)
+ int updated = 0;
+
+ if (op->nframes > 1) {
+- int i;
++ unsigned int i;
+
+ /* for MUX filter we start at index 1 */
+ for (i = 1; i < op->nframes; i++) {
+@@ -596,7 +603,7 @@ static void bcm_rx_handler(struct sk_buff *skb, void *data)
+ {
+ struct bcm_op *op = (struct bcm_op *)data;
+ struct can_frame rxframe;
+- int i;
++ unsigned int i;
+
+ /* disable timeout */
+ hrtimer_cancel(&op->timer);
+@@ -798,14 +805,15 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ {
+ struct bcm_sock *bo = bcm_sk(sk);
+ struct bcm_op *op;
+- int i, err;
++ unsigned int i;
++ int err;
+
+ /* we need a real device to send frames */
+ if (!ifindex)
+ return -ENODEV;
+
+- /* we need at least one can_frame */
+- if (msg_head->nframes < 1)
++ /* check nframes boundaries - we need at least one can_frame */
++ if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ return -EINVAL;
+
+ /* check the given can_id */
+@@ -965,6 +973,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ msg_head->nframes = 0;
+ }
+
++ /* the first element contains the mux-mask => MAX_NFRAMES + 1 */
++ if (msg_head->nframes > MAX_NFRAMES + 1)
++ return -EINVAL;
++
+ if ((msg_head->flags & RX_RTR_FRAME) &&
+ ((msg_head->nframes != 1) ||
+ (!(msg_head->can_id & CAN_RTR_FLAG))))
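Review bot: The new bound in bcm_rx_setup checks only the upper side, `msg_head->nframes > MAX_NFRAMES + 1`, whereas bcm_tx_setup also rejects `nframes < 1`. The declaration of `bcm_msg_head.nframes` is not part of this patch; if that field is still a signed `int` in this tree, a negative value from userspace would pass this check and reach whatever sizing is done from `nframes` later in the function. Making the comparison independent of the header's type, e.g. `if ((unsigned int)msg_head->nframes > MAX_NFRAMES + 1)`, would close that gap in the backport. The comment could also say that `nframes` is supplied by userspace. The function body continues outside the hunk, so the position of the check relative to the allocation cannot be confirmed from here.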
Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Thu Aug 12 01:09:28 2010 (r16122)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Thu Aug 12 01:09:44 2010 (r16123)
@@ -6,3 +6,4 @@
+ bugfix/all/gfs2-rename-causes-kernel-oops.patch
+ bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
+ bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
++ bugfix/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
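Review bot: The new series entry sits directly under `bugfix/`, while the three entries above it are under `bugfix/all/` or an architecture directory such as `bugfix/parisc/`. The path does match where this revision adds the patch file, so the series should still apply. Since net/can/bcm.c is not architecture-specific, `bugfix/all/` looks like the intended location, and moving the file and this entry together would keep the layout consistent.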