[kernel] r16541 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Nov 10 05:50:46 UTC 2010 

Author: dannf
Date: Wed Nov 10 05:50:07 2010
New Revision: 16541

Log:
ALSA: rme9652: prevent reading uninitialized stack memory (CVE-2010-4080)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Nov 10 05:07:30 2010	(r16540)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Nov 10 05:50:07 2010	(r16541)
@@ -13,6 +13,7 @@
   * setup_arg_pages: diagnose excessive argument size (CVE-2010-3858)
   * X.25: memory corruption in X.25 facilities parsing (CVE-2010-3873)
   * sys_semctl: fix kernel stack leakage (CVE-2010-4083)
+  * ALSA: rme9652: prevent reading uninitialized stack memory (CVE-2010-4080)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch	Wed Nov 10 05:50:07 2010	(r16541)
@@ -0,0 +1,43 @@
+commit 1179687599395e64f39fe85c45a90c0ef9993948
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Sat Sep 25 11:07:27 2010 -0400
+
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
+    
+    The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
+    SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
+    unprivileged users to read uninitialized kernel stack memory, because
+    several fields of the hdsp{m}_config_info structs declared on the stack
+    are not altered or zeroed before being copied back to the user.  This
+    patch takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
+index 4d6fbb3..cee643e 100644
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -4569,6 +4569,7 @@ static int snd_hdsp_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, unsigne
+ 			snd_printk(KERN_ERR "Hammerfall-DSP: Firmware needs to be uploaded to the card.\n");	
+ 			return -EINVAL;
+ 		}
++		memset(&info, 0, sizeof(info));
+ 		spin_lock_irqsave(&hdsp->lock, flags);
+ 		info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp);
+ 		info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp);
+diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
+index ab423bc..bd36bdd 100644
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -4133,6 +4133,7 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep * hw, struct file *file,
+ 
+ 	case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
+ 
++		memset(&info, 0, sizeof(info));
+ 		spin_lock_irq(&hdspm->lock);
+ 		info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
+ 		info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Wed Nov 10 05:07:30 2010	(r16540)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Wed Nov 10 05:50:07 2010	(r16541)
@@ -12,3 +12,4 @@
 + bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
 + bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
 + bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
++ bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch

More information about the Kernel-svn-changes mailing list