[kernel] r15071 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Mon Feb  1 02:44:46 2010
New Revision: 15071

Log:
[SCSI] gdth: Prevent negative offsets in ioctl (CVE-2009-3080)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch
      - copied unchanged from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Mon Feb  1 02:42:03 2010	(r15070)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Feb  1 02:44:46 2010	(r15071)
@@ -4,6 +4,7 @@
     (CVE-2009-2691)
   * selinux: prevent local users from bypassing mmap_min_addr
     in unconfined domains (CVE-2009-2695)
+  * [SCSI] gdth: Prevent negative offsets in ioctl (CVE-2009-3080)
 
  -- dann frazier <dannf at debian.org>  Sun, 31 Jan 2010 17:17:52 -0700
 

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch (from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch	Mon Feb  1 02:44:46 2010	(r15071, copy of r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch)
@@ -0,0 +1,26 @@
+commit 690e744869f3262855b83b4fb59199cf142765b0
+Author: Dave Jones <davej at redhat.com>
+Date:   Mon Oct 19 19:55:13 2009 -0400
+
+    [SCSI] gdth: Prevent negative offsets in ioctl CVE-2009-3080
+    
+    A negative offset could be used to index before the event buffer and
+    lead to a security breach.
+    
+    Signed-off-by: Dave Jones <davej at redhat.com>
+    Cc: Stable Tree <stable at kernel.org>
+    Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+
+diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
+index 185e6bc..9e8fce0 100644
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -2900,7 +2900,7 @@ static int gdth_read_event(gdth_ha_str *ha, int handle, gdth_evt_str *estr)
+         eindex = handle;
+     estr->event_source = 0;
+ 
+-    if (eindex >= MAX_EVENTS) {
++    if (eindex < 0 || eindex >= MAX_EVENTS) {
+         spin_unlock_irqrestore(&ha->smp_lock, flags);
+         return eindex;
+     }

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Mon Feb  1 02:42:03 2010	(r15070)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Mon Feb  1 02:44:46 2010	(r15071)
@@ -5,3 +5,4 @@
 + bugfix/all/security-seperate-lsm-specific-mmap_min_addr.patch
 + bugfix/all/security-seperate-lsm-specific-mmap_min_addr-abi.patch
 + bugfix/all/security-define-round_hint_to_min-when-CONFIG_SECURITY-is-off.patch
++ bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch