[kernel] r16616 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 2 13:34:31 UTC 2010
Author: dannf
Date: Thu Dec 2 13:34:26 2010
New Revision: 16616
Log:
bluetooth: Fix missing NULL check (CVE-2010-4242)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Dec 2 13:34:14 2010 (r16615)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Dec 2 13:34:26 2010 (r16616)
@@ -5,6 +5,7 @@
(CVE-2010-4162)
* block: check for proper length of iov entries in blk_rq_map_user_iov()
(CVE-2010-4163)
+ * bluetooth: Fix missing NULL check (CVE-2010-4242)
-- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch Thu Dec 2 13:34:26 2010 (r16616)
@@ -0,0 +1,35 @@
+commit 85a3a63a7ec6b1025897f3df5d59b295fab7681e
+Author: Alan Cox <alan at linux.intel.com>
+Date: Fri Oct 22 14:11:26 2010 +0100
+
+ bluetooth: Fix missing NULL check
+
+ Fortunately this is only exploitable on very unusual hardware.
+
+ [Reported a while ago but nothing happened so just fixing it]
+
+ Signed-off-by: Alan Cox <alan at linux.intel.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index e5cd856..8325dbc 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -263,9 +263,16 @@ static int hci_uart_tty_open(struct tty_struct *tty)
+
+ BT_DBG("tty %p", tty);
+
++ /* FIXME: This btw is bogus, nothing requires the old ldisc to clear
++ the pointer */
+ if (hu)
+ return -EEXIST;
+
++ /* Error if the tty has no write op instead of leaving an exploitable
++ hole */
++ if (tty->ops->write == NULL)
++ return -EOPNOTSUPP;
++
+ if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
+ BT_ERR("Can't allocate control structure");
+ return -ENFILE;
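Review bot: The FIXME added above `if (hu)` in hci_uart_tty_open() says the -EEXIST check depends on the old ldisc clearing the pointer, which the comment itself says nothing requires, yet the check is left unchanged. That should either be fixed here or tracked as a follow-up, so the comment does not remain the only record of a known-bogus test. The comment on the new `tty->ops->write == NULL` check calls the missing check an "exploitable hole", but neither the comment nor the commit message says where the write op is used without a check. Naming that path would let someone reviewing the backport confirm that rejecting the open with -EOPNOTSUPP covers it. The patch header carries the upstream commit id but not CVE-2010-4242, which appears only in debian/changelog. Adding the CVE to the header would make the patch file self-describing.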
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Thu Dec 2 13:34:14 2010 (r16615)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Thu Dec 2 13:34:26 2010 (r16616)
@@ -1,3 +1,4 @@
+ bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
+ bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
+ bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
++ bugfix/all/bluetooth-fix-missing-NULL-check.patch