[kernel] r16740 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Sun Dec 26 12:53:34 UTC 2010
Author: benh
Date: Sun Dec 26 12:53:30 2010
New Revision: 16740
Log:
irda: Fix information leak in IRLMP_ENUMDEVICES
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/30
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Sat Dec 25 19:49:14 2010 (r16739)
+++ dists/sid/linux-2.6/debian/changelog Sun Dec 26 12:53:30 2010 (r16740)
@@ -15,6 +15,7 @@
* iwlwifi: Reduce a failure-prone memory allocation (Closes: #599345)
* linux-base: Look for GRUB 1 configuration in both /boot/grub and
/boot/boot/grub (Closes: #607863)
+ * irda: Fix information leak in IRLMP_ENUMDEVICES
[ maximilian attems ]
* [openvz] Reenable NF_CONNTRACK_IPV6. (closes: #580507)
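Review bot: The added changelog line describes the fix as an "information leak", while the patch file it refers to is named and titled "prevent integer underflow in IRLMP_ENUMDEVICES", so a reader searching the changelog for the patch name will not find it. Consider including the upstream subject or the upstream commit id in the entry so the two can be matched.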
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch Sun Dec 26 12:53:30 2010 (r16740)
@@ -0,0 +1,60 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 22 Dec 2010 13:58:27 +0000
+Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES
+
+commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.
+
+If the user-provided len is less than the expected offset, the
+IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
+size value. While this isn't be a security issue on x86 because it will
+get caught by the access_ok() check, it may leak large amounts of kernel
+heap on other architectures. In any event, this patch fixes it.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Adjust context for 2.6.32]
+---
+ net/irda/af_irda.c | 18 +++++++++++-------
+ 1 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index b6cef980..ed5173b 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2164,6 +2164,16 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
+
+ switch (optname) {
+ case IRLMP_ENUMDEVICES:
++
++ /* Offset to first device entry */
++ offset = sizeof(struct irda_device_list) -
++ sizeof(struct irda_device_info);
++
++ if (len < offset) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ /* Ask lmp for the current discovery log */
+ discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
+ self->nslots);
+@@ -2173,15 +2183,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
+ err = 0;
+
+ /* Write total list length back to client */
+- if (copy_to_user(optval, &list,
+- sizeof(struct irda_device_list) -
+- sizeof(struct irda_device_info)))
++ if (copy_to_user(optval, &list, offset))
+ err = -EFAULT;
+
+- /* Offset to first device entry */
+- offset = sizeof(struct irda_device_list) -
+- sizeof(struct irda_device_info);
+-
+ /* Copy the list itself - watch for overflow */
+ if(list.len > 2048)
+ {
+--
+1.7.2.3
+
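Review bot: In the first af_irda.c hunk, the new `if (len < offset)` test only rejects a too-small length if the comparison is signed, and the declarations of `len` and `offset` lie outside the context shown. Since `offset` is assigned from a difference of `sizeof` expressions, it is worth confirming that both variables are plain `int`, or that a negative `len` is rejected before this point, so that a negative value cannot be converted to a large unsigned number and pass the check. Placing the check ahead of `irlmp_get_discoveries()` means the `goto out` path has no discovery log to release, which looks correct. The "[bwh: Adjust context for 2.6.32]" line does not say what was adjusted; a few words on the difference from the upstream context would help anyone re-checking the backport.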
Modified: dists/sid/linux-2.6/debian/patches/series/30
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/30 Sat Dec 25 19:49:14 2010 (r16739)
+++ dists/sid/linux-2.6/debian/patches/series/30 Sun Dec 26 12:53:30 2010 (r16740)
@@ -18,3 +18,4 @@
+ bugfix/all/wireless-b43-fix-error-path-in-sdio.patch
+ bugfix/all/iwlwifi-reduce-memory-allocation.patch
+ bugfix/all/drm-radeon-kms-don-t-apply-7xx-hdp-flush-workaround-on-agp.patch
++ bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch