[kernel] r16616 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Dec 2 13:34:31 UTC 2010


Author: dannf
Date: Thu Dec  2 13:34:26 2010
New Revision: 16616

Log:
bluetooth: Fix missing NULL check (CVE-2010-4242)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Dec  2 13:34:14 2010	(r16615)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Dec  2 13:34:26 2010	(r16616)
@@ -5,6 +5,7 @@
     (CVE-2010-4162)
   * block: check for proper length of iov entries in blk_rq_map_user_iov()
     (CVE-2010-4163)
+  * bluetooth: Fix missing NULL check (CVE-2010-4242)
 
  -- dann frazier <dannf at debian.org>  Wed, 01 Dec 2010 20:32:11 -0700
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch	Thu Dec  2 13:34:26 2010	(r16616)
@@ -0,0 +1,35 @@
+commit 85a3a63a7ec6b1025897f3df5d59b295fab7681e
+Author: Alan Cox <alan at linux.intel.com>
+Date:   Fri Oct 22 14:11:26 2010 +0100
+
+    bluetooth: Fix missing NULL check
+    
+    Fortunately this is only exploitable on very unusual hardware.
+    
+    [Reported a while ago but nothing happened so just fixing it]
+    
+    Signed-off-by: Alan Cox <alan at linux.intel.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index e5cd856..8325dbc 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -263,9 +263,16 @@ static int hci_uart_tty_open(struct tty_struct *tty)
+ 
+ 	BT_DBG("tty %p", tty);
+ 
++	/* FIXME: This btw is bogus, nothing requires the old ldisc to clear
++	   the pointer */
+ 	if (hu)
+ 		return -EEXIST;
+ 
++	/* Error if the tty has no write op instead of leaving an exploitable
++	   hole */
++	if (tty->ops->write == NULL)
++		return -EOPNOTSUPP;
++
+ 	if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
+ 		BT_ERR("Can't allocate control structure");
+ 		return -ENFILE;
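
Review bot: The FIXME added above `if (hu)` in hci_uart_tty_open() states that nothing requires the old ldisc to clear the pointer, yet the hunk leaves the `-EEXIST` test unchanged, so the patch ships a check that its own comment calls bogus. That needs a follow-up, or at least a note on what `hu` can hold when the previous ldisc has not cleared it. The new `tty->ops->write == NULL` guard is well placed: it sits before the kzalloc(), so the `-EOPNOTSUPP` return has nothing to free. Its comment would be more useful if it named the later call that uses the write op without checking it. For the Debian patch file itself, the header carries the upstream commit id but not the CVE-2010-4242 id that the changelog entry uses; adding it would make the backport easier to find.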

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Thu Dec  2 13:34:14 2010	(r16615)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Thu Dec  2 13:34:26 2010	(r16616)
@@ -1,3 +1,4 @@
 + bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
 + bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
 + bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
++ bugfix/all/bluetooth-fix-missing-NULL-check.patch


