[kernel] r16618 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Dec 2 13:34:52 UTC 2010 

Author: dannf
Date: Thu Dec  2 13:34:47 2010
New Revision: 16618

Log:
net: clear heap allocation for ETHTOOL_GRXCLSRLALL (CVE-2010-3861)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/net-clear-heap-allocation-for-ETHTOOL_GRXCLSRLALL.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/29

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Dec  2 13:34:37 2010	(r16617)
+++ dists/sid/linux-2.6/debian/changelog	Thu Dec  2 13:34:47 2010	(r16618)
@@ -12,6 +12,9 @@
     don't enable remote wakeup by default (Closes: #605246)
   * dm: Deal with merge_bvec_fn in component devices better (Closes: #604457)
 
+  [ dann frazier ]
+  * net: clear heap allocation for ETHTOOL_GRXCLSRLALL (CVE-2010-3861)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 27 Nov 2010 21:06:54 +0000
 
 linux-2.6 (2.6.32-28) unstable; urgency=high

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-clear-heap-allocation-for-ETHTOOL_GRXCLSRLALL.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-clear-heap-allocation-for-ETHTOOL_GRXCLSRLALL.patch	Thu Dec  2 13:34:47 2010	(r16618)
@@ -0,0 +1,29 @@
+[Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+commit ae6df5f96a51818d6376da5307d773baeece4014
+Author: Kees Cook <kees.cook at canonical.com>
+Date:   Thu Oct 7 10:03:48 2010 +0000
+
+    net: clear heap allocation for ETHTOOL_GRXCLSRLALL
+    
+    Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
+    heap without clearing it. For the one driver (niu) that implements it,
+    it will leave the unused portion of heap unchanged and copy the full
+    contents back to userspace.
+    
+    Signed-off-by: Kees Cook <kees.cook at canonical.com>
+    Acked-by: Ben Hutchings <bhutchings at solarflare.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff -urpN linux-source-2.6.32.orig/net/core/ethtool.c linux-source-2.6.32/net/core/ethtool.c
+--- linux-source-2.6.32.orig/net/core/ethtool.c	2010-11-24 18:46:41.000000000 -0700
++++ linux-source-2.6.32/net/core/ethtool.c	2010-12-01 20:56:34.199553192 -0700
+@@ -265,7 +265,7 @@ static int ethtool_get_rxnfc(struct net_
+ 	if (info.cmd == ETHTOOL_GRXCLSRLALL) {
+ 		if (info.rule_cnt > 0) {
+ 			if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
+-				rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
++				rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
+ 						   GFP_USER);
+ 			if (!rule_buf)
+ 				return -ENOMEM;

Modified: dists/sid/linux-2.6/debian/patches/series/29
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/29	Thu Dec  2 13:34:37 2010	(r16617)
+++ dists/sid/linux-2.6/debian/patches/series/29	Thu Dec  2 13:34:47 2010	(r16618)
@@ -9,3 +9,4 @@
 + bugfix/all/USB-retain-power-wakeup-setting-across-reconfig.patch
 + bugfix/all/USB-don-t-enable-remote-wakeup-by-default.patch
 + bugfix/all/dm-Deal-with-merge_bvec_fn-in-component-devices-bett.patch
++ bugfix/all/net-clear-heap-allocation-for-ETHTOOL_GRXCLSRLALL.patch

More information about the Kernel-svn-changes mailing list