[kernel] r16615 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 2 13:34:19 UTC 2010
Author: dannf
Date: Thu Dec 2 13:34:14 2010
New Revision: 16615
Log:
block: check for proper length of iov entries in blk_rq_map_user_iov() (CVE-2010-4163)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Dec 2 13:33:48 2010 (r16614)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Dec 2 13:34:14 2010 (r16615)
@@ -3,6 +3,8 @@
* filter: make sure filters dont read uninitialized memory (CVE-2010-4158)
* bio: take care not overflow page count when mapping/copying user data
(CVE-2010-4162)
+ * block: check for proper length of iov entries in blk_rq_map_user_iov()
+ (CVE-2010-4163)
-- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch Thu Dec 2 13:34:14 2010 (r16615)
@@ -0,0 +1,26 @@
+commit fcd208f71b3319044829ef1b384bf2c7a28b449b
+Author: Jens Axboe <jaxboe at fusionio.com>
+Date: Fri Oct 29 08:10:18 2010 -0600
+
+ block: check for proper length of iov entries in blk_rq_map_user_iov()
+
+ Ensure that we pass down properly validated iov segments before
+ calling into the mapping or copy functions.
+
+ Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index 0b1af5a..71e102e 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -191,6 +191,8 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ unaligned = 1;
+ break;
+ }
++ if (!iov[i].iov_len)
++ return -EINVAL;
+ }
+
+ if (unaligned || (q->dma_pad_mask & len))
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Thu Dec 2 13:33:48 2010 (r16614)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Thu Dec 2 13:34:14 2010 (r16615)
@@ -1,2 +1,3 @@
+ bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
+ bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
++ bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
More information about the Kernel-svn-changes
mailing list