[kernel] r16615 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Dec 2 13:34:19 UTC 2010 

Author: dannf
Date: Thu Dec  2 13:34:14 2010
New Revision: 16615

Log:
block: check for proper length of iov entries in blk_rq_map_user_iov() (CVE-2010-4163)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Dec  2 13:33:48 2010	(r16614)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Dec  2 13:34:14 2010	(r16615)
@@ -3,6 +3,8 @@
   * filter: make sure filters dont read uninitialized memory (CVE-2010-4158)
   * bio: take care not overflow page count when mapping/copying user data
     (CVE-2010-4162)
+  * block: check for proper length of iov entries in blk_rq_map_user_iov()
+    (CVE-2010-4163)
 
  -- dann frazier <dannf at debian.org>  Wed, 01 Dec 2010 20:32:11 -0700
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch	Thu Dec  2 13:34:14 2010	(r16615)
@@ -0,0 +1,26 @@
+commit fcd208f71b3319044829ef1b384bf2c7a28b449b
+Author: Jens Axboe <jaxboe at fusionio.com>
+Date:   Fri Oct 29 08:10:18 2010 -0600
+
+    block: check for proper length of iov entries in blk_rq_map_user_iov()
+    
+    Ensure that we pass down properly validated iov segments before
+    calling into the mapping or copy functions.
+    
+    Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index 0b1af5a..71e102e 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -191,6 +191,8 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ 			unaligned = 1;
+ 			break;
+ 		}
++		if (!iov[i].iov_len)
++			return -EINVAL;
+ 	}
+ 
+ 	if (unaligned || (q->dma_pad_mask & len))

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Thu Dec  2 13:33:48 2010	(r16614)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Thu Dec  2 13:34:14 2010	(r16615)
@@ -1,2 +1,3 @@
 + bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
 + bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
++ bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch

More information about the Kernel-svn-changes mailing list