[kernel] r16544 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Nov 11 02:01:09 UTC 2010 

Author: dannf
Date: Thu Nov 11 02:00:35 2010
New Revision: 16544

Log:
V4L/DVB: ivtvfb: prevent reading uninitialized stack memory (CVE-2010-4079)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Nov 10 17:09:14 2010	(r16543)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Nov 11 02:00:35 2010	(r16544)
@@ -15,6 +15,7 @@
   * sys_semctl: fix kernel stack leakage (CVE-2010-4083)
   * ALSA: rme9652: prevent reading uninitialized stack memory
     (CVE-2010-4080, CVE-2010-4081)
+  * V4L/DVB: ivtvfb: prevent reading uninitialized stack memory (CVE-2010-4079)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch	Thu Nov 11 02:00:35 2010	(r16544)
@@ -0,0 +1,28 @@
+commit 66635f73f2223eceebc61c88135b5817b97b4235
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Wed Sep 15 18:44:22 2010 -0300
+
+    V4L/DVB: ivtvfb: prevent reading uninitialized stack memory
+    
+    The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
+    bytes of uninitialized stack memory, because the "reserved" member of
+    the fb_vblank struct declared on the stack is not altered or zeroed
+    before being copied back to the user.  This patch takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Signed-off-by: Andy Walls <awalls at md.metrocast.net>
+    Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+
+diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c
+index 73be154..96ed111 100644
+--- a/drivers/media/video/ivtv/ivtvfb.c
++++ b/drivers/media/video/ivtv/ivtvfb.c
+@@ -378,6 +378,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar
+ 			struct fb_vblank vblank;
+ 			u32 trace;
+ 
++			memset(&vblank, 0, sizeof(struct fb_vblank));
++
+ 			vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
+ 					FB_VBLANK_HAVE_VSYNC;
+ 			trace = read_reg(0x028c0) >> 16;

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Wed Nov 10 17:09:14 2010	(r16543)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Thu Nov 11 02:00:35 2010	(r16544)
@@ -13,3 +13,4 @@
 + bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
 + bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
 + bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch

More information about the Kernel-svn-changes mailing list