[kernel] r16123 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Thu Aug 12 01:09:46 UTC 2010


Author: dannf
Date: Thu Aug 12 01:09:44 2010
New Revision: 16123

Log:
can: add limit for nframes and clean up signed/unsigned variables (CVE-REQUESTED)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Aug 12 01:09:28 2010	(r16122)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Aug 12 01:09:44 2010	(r16123)
@@ -9,6 +9,8 @@
   * [parisc] fix potential stack overflow in led_proc_write() (CVE-REQUESTED)
   * exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
     regression due to fix for CVE-2010-0307)
+  * can: add limit for nframes and clean up signed/unsigned variables
+    (CVE-REQUESTED)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/can-add-limit-for-nframes-and-clean-up-signed-variables.patch	Thu Aug 12 01:09:44 2010	(r16123)
@@ -0,0 +1,143 @@
+commit 9f377342fc255dab55d6589e65ed17a90a9d37ea
+Author: dann frazier <dannf at hp.com>
+Date:   Wed Aug 11 18:17:16 2010 -0600
+
+    can: add limit for nframes and clean up signed/unsigned variables
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    This patch adds a limit for nframes as the number of frames in TX_SETUP and
+    RX_SETUP are derived from a single byte multiplex value by default.
+    Use-cases that would require to send/filter more than 256 CAN frames should
+    be implemented in userspace for complexity reasons anyway.
+    
+    Additionally the assignments of unsigned values from userspace to signed
+    values in kernelspace and vice versa are fixed by using unsigned values in
+    kernelspace consistently.
+    
+    Signed-off-by: Oliver Hartkopp <socketcan at xxxxxxxxxxxx>
+    Reported-by: Ben Hawkes <hawkes at xxxxxxxxxx>
+    Acked-by: Urs Thuermann <urs.thuermann at xxxxxxxxxxxxx>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 72c2ce9..4d21e40 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -58,6 +58,13 @@
+ #include <net/sock.h>
+ #include <net/net_namespace.h>
+ 
++/*
++ * To send multiple CAN frame content within TX_SETUP or to filter
++ * CAN messages with multiplex index within RX_SETUP, the number of
++ * different filters is limited to 256 due to the one byte index value.
++ */
++#define MAX_NFRAMES 256
++
+ /* use of last_frames[index].can_dlc */
+ #define RX_RECV    0x40 /* received data for this element */
+ #define RX_THR     0x80 /* element not been sent due to throttle feature */
+@@ -85,15 +92,15 @@ struct bcm_op {
+ 	struct list_head list;
+ 	int ifindex;
+ 	canid_t can_id;
+-	int flags;
++	u32 flags;
+ 	unsigned long frames_abs, frames_filtered;
+ 	struct timeval ival1, ival2;
+ 	struct hrtimer timer, thrtimer;
+ 	ktime_t rx_stamp, kt_ival1, kt_ival2, kt_lastmsg;
+ 	int rx_ifindex;
+-	int count;
+-	int nframes;
+-	int currframe;
++	u32 count;
++	u32 nframes;
++	u32 currframe;
+ 	struct can_frame *frames;
+ 	struct can_frame *last_frames;
+ 	struct can_frame sframe;
+@@ -172,7 +179,7 @@ static int bcm_read_proc(char *page, char **start, off_t off,
+ 		len += snprintf(page + len, PAGE_SIZE - len,
+ 				"rx_op: %03X %-5s ",
+ 				op->can_id, bcm_proc_getifname(op->ifindex));
+-		len += snprintf(page + len, PAGE_SIZE - len, "[%d]%c ",
++		len += snprintf(page + len, PAGE_SIZE - len, "[%u]%c ",
+ 				op->nframes,
+ 				(op->flags & RX_CHECK_DLC)?'d':' ');
+ 		if (op->kt_ival1.tv64)
+@@ -206,7 +213,7 @@ static int bcm_read_proc(char *page, char **start, off_t off,
+ 	list_for_each_entry(op, &bo->tx_ops, list) {
+ 
+ 		len += snprintf(page + len, PAGE_SIZE - len,
+-				"tx_op: %03X %s [%d] ",
++				"tx_op: %03X %s [%u] ",
+ 				op->can_id, bcm_proc_getifname(op->ifindex),
+ 				op->nframes);
+ 
+@@ -287,7 +294,7 @@ static void bcm_send_to_user(struct bcm_op *op, struct bcm_msg_head *head,
+ 	struct can_frame *firstframe;
+ 	struct sockaddr_can *addr;
+ 	struct sock *sk = op->sk;
+-	int datalen = head->nframes * CFSIZ;
++	unsigned int datalen = head->nframes * CFSIZ;
+ 	int err;
+ 
+ 	skb = alloc_skb(sizeof(*head) + datalen, gfp_any());
+@@ -465,7 +472,7 @@ static void bcm_rx_update_and_send(struct bcm_op *op,
+  * bcm_rx_cmp_to_index - (bit)compares the currently received data to formerly
+  *                       received data stored in op->last_frames[]
+  */
+-static void bcm_rx_cmp_to_index(struct bcm_op *op, int index,
++static void bcm_rx_cmp_to_index(struct bcm_op *op, unsigned int index,
+ 				struct can_frame *rxdata)
+ {
+ 	/*
+@@ -547,7 +554,7 @@ static int bcm_rx_thr_flush(struct bcm_op *op)
+ 	int updated = 0;
+ 
+ 	if (op->nframes > 1) {
+-		int i;
++		unsigned int i;
+ 
+ 		/* for MUX filter we start at index 1 */
+ 		for (i = 1; i < op->nframes; i++) {
+@@ -596,7 +603,7 @@ static void bcm_rx_handler(struct sk_buff *skb, void *data)
+ {
+ 	struct bcm_op *op = (struct bcm_op *)data;
+ 	struct can_frame rxframe;
+-	int i;
++	unsigned int i;
+ 
+ 	/* disable timeout */
+ 	hrtimer_cancel(&op->timer);
+@@ -798,14 +805,15 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ {
+ 	struct bcm_sock *bo = bcm_sk(sk);
+ 	struct bcm_op *op;
+-	int i, err;
++	unsigned int i;
++	int err;
+ 
+ 	/* we need a real device to send frames */
+ 	if (!ifindex)
+ 		return -ENODEV;
+ 
+-	/* we need at least one can_frame */
+-	if (msg_head->nframes < 1)
++	/* check nframes boundaries - we need at least one can_frame */
++	if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ 		return -EINVAL;
+ 
+ 	/* check the given can_id */
+@@ -965,6 +973,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ 		msg_head->nframes = 0;
+ 	}
+ 
++	/* the first element contains the mux-mask => MAX_NFRAMES + 1  */
++	if (msg_head->nframes > MAX_NFRAMES + 1)
++		return -EINVAL;
++
+ 	if ((msg_head->flags & RX_RTR_FRAME) &&
+ 	    ((msg_head->nframes != 1) ||
+ 	     (!(msg_head->can_id & CAN_RTR_FLAG))))
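Review bot: In bcm_send_to_user, `unsigned int datalen = head->nframes * CFSIZ;` is still an unchecked multiplication whose result feeds `alloc_skb(sizeof(*head) + datalen, ...)`; making it unsigned removes the negative-length case, but the size stays in range only because nframes was bounded earlier. That bound is enforced in two places with different limits (`> MAX_NFRAMES` in bcm_tx_setup, `> MAX_NFRAMES + 1` in bcm_rx_setup), and presumably every head reaching this function derives from an op that passed one of them, which the hunks do not show. I would record that dependency at the declaration, e.g. `/* nframes was limited to MAX_NFRAMES (+1 for the RX mux mask) at setup, so this cannot wrap */`, and extend the MAX_NFRAMES comment to mention the extra mux-mask element accepted on the RX side. All of the touched functions continue outside their hunks, so the allocation sites in the setup paths that this limit protects should be checked against the full file.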

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Thu Aug 12 01:09:28 2010	(r16122)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Thu Aug 12 01:09:44 2010	(r16123)
@@ -6,3 +6,4 @@
 + bugfix/all/gfs2-rename-causes-kernel-oops.patch
 + bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
 + bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
++ bugfix/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
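Review bot: The new entry `+ bugfix/can-add-limit-for-nframes-and-clean-up-signed-variables.patch` sits directly under `bugfix/`, while the three neighbouring entries use `bugfix/all/` or `bugfix/parisc/`. It matches the path at which this revision adds the file, so the series should apply, but if the per-architecture layout is the convention here, the patch and this line would be more consistent under `bugfix/all/`.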


