[kernel] r16740 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

[Ben Hutchings]

Author: benh
Date: Sun Dec 26 12:53:30 2010
New Revision: 16740

Log:
irda: Fix information leak in IRLMP_ENUMDEVICES

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/30

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Sat Dec 25 19:49:14 2010	(r16739)
+++ dists/sid/linux-2.6/debian/changelog	Sun Dec 26 12:53:30 2010	(r16740)
@@ -15,6 +15,7 @@
   * iwlwifi: Reduce a failure-prone memory allocation (Closes: #599345)
   * linux-base: Look for GRUB 1 configuration in both /boot/grub and
     /boot/boot/grub (Closes: #607863)
+  * irda: Fix information leak in IRLMP_ENUMDEVICES
 
   [ maximilian attems ]
   * [openvz] Reenable NF_CONNTRACK_IPV6. (closes: #580507)

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch	Sun Dec 26 12:53:30 2010	(r16740)
@@ -0,0 +1,60 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 22 Dec 2010 13:58:27 +0000
+Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES
+
+commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.
+
+If the user-provided len is less than the expected offset, the
+IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
+size value.  While this isn't be a security issue on x86 because it will
+get caught by the access_ok() check, it may leak large amounts of kernel
+heap on other architectures.  In any event, this patch fixes it.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Adjust context for 2.6.32]
+---
+ net/irda/af_irda.c |   18 +++++++++++-------
+ 1 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index b6cef980..ed5173b 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2164,6 +2164,16 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
+ 
+ 	switch (optname) {
+ 	case IRLMP_ENUMDEVICES:
++
++		/* Offset to first device entry */
++		offset = sizeof(struct irda_device_list) -
++			sizeof(struct irda_device_info);
++
++		if (len < offset) {
++			err = -EINVAL;
++			goto out;
++		}
++
+ 		/* Ask lmp for the current discovery log */
+ 		discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
+ 						    self->nslots);
+@@ -2173,15 +2183,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
+ 		err = 0;
+ 
+ 		/* Write total list length back to client */
+-		if (copy_to_user(optval, &list,
+-				 sizeof(struct irda_device_list) -
+-				 sizeof(struct irda_device_info)))
++		if (copy_to_user(optval, &list, offset))
+ 			err = -EFAULT;
+ 
+-		/* Offset to first device entry */
+-		offset = sizeof(struct irda_device_list) -
+-			sizeof(struct irda_device_info);
+-
+ 		/* Copy the list itself - watch for overflow */
+ 		if(list.len > 2048)
+ 		{
+-- 
+1.7.2.3
+

Modified: dists/sid/linux-2.6/debian/patches/series/30
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/30	Sat Dec 25 19:49:14 2010	(r16739)
+++ dists/sid/linux-2.6/debian/patches/series/30	Sun Dec 26 12:53:30 2010	(r16740)
@@ -18,3 +18,4 @@
 + bugfix/all/wireless-b43-fix-error-path-in-sdio.patch
 + bugfix/all/iwlwifi-reduce-memory-allocation.patch
 + bugfix/all/drm-radeon-kms-don-t-apply-7xx-hdp-flush-workaround-on-agp.patch
++ bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch