[kernel] r16569 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Nov 19 06:54:05 UTC 2010


Author: dannf
Date: Fri Nov 19 06:53:53 2010
New Revision: 16569

Log:
v4l1: fix 32-bit compat microcode loading translation (CVE-2010-2963)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Nov 19 06:08:43 2010	(r16568)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Nov 19 06:53:53 2010	(r16569)
@@ -18,6 +18,7 @@
   * V4L/DVB: ivtvfb: prevent reading uninitialized stack memory (CVE-2010-4079)
   * video/sis: prevent reading uninitialized stack memory (CVE-2010-4078)
   * X.25: Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
+  * v4l1: fix 32-bit compat microcode loading translation (CVE-2010-2963)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch	Fri Nov 19 06:53:53 2010	(r16569)
@@ -0,0 +1,85 @@
+commit 87ab58c497c22602a90ae1fb93b24f96bbfddfaf
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Fri Oct 15 11:12:38 2010 -0700
+
+    v4l1: fix 32-bit compat microcode loading translation
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    The compat code for the VIDIOCSMICROCODE ioctl is totally buggered.
+    It's only used by the VIDEO_STRADIS driver, and that one is scheduled to
+    staging and eventually removed unless somebody steps up to maintain it
+    (at which point it should use request_firmware() rather than some magic
+    ioctl).  So we'll get rid of it eventually.
+    
+    But in the meantime, the compatibility ioctl code is broken, and this
+    tries to get it to at least limp along (even if Mauro suggested just
+    deleting it entirely, which may be the right thing to do - I don't think
+    the compatibility translation code has ever worked unless you were very
+    lucky).
+    
+    Reported-by: Kees Cook <kees.cook at canonical.com>
+    Cc: Mauro Carvalho Chehab <mchehab at infradead.org>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/media/video/compat_ioctl32.c b/drivers/media/video/compat_ioctl32.c
+index e4a0a73..612b339 100644
+--- a/drivers/media/video/compat_ioctl32.c
++++ b/drivers/media/video/compat_ioctl32.c
+@@ -499,17 +499,24 @@ struct video_code32
+ {
+ 	char		loadwhat[16];	/* name or tag of file being passed */
+ 	compat_int_t	datasize;
+-	unsigned char	*data;
++	compat_uptr_t	data;
+ };
+ 
+-static inline int microcode32(struct video_code *kp, struct video_code32 __user *up)
++static struct video_code __user *microcode32(struct video_code32 *kp)
+ {
+-	if(!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
+-		copy_from_user(kp->loadwhat, up->loadwhat, sizeof (up->loadwhat)) ||
+-		get_user(kp->datasize, &up->datasize) ||
+-		copy_from_user(kp->data, up->data, up->datasize))
+-			return -EFAULT;
+-	return 0;
++	struct video_code __user *up;
++
++	up = compat_alloc_user_space(sizeof(*up));
++
++	/*
++	 * NOTE! We don't actually care if these fail. If the
++	 * user address is invalid, the native ioctl will do
++	 * the error handling for us
++	 */
++	(void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
++	(void) put_user(kp->datasize, &up->datasize);
++	(void) put_user(compat_ptr(kp->data), &up->data);
++	return up;
+ }
+ 
+ #define VIDIOCGTUNER32		_IOWR('v',4, struct video_tuner32)
+@@ -618,7 +625,7 @@ static int do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg
+ 		struct video_tuner vt;
+ 		struct video_buffer vb;
+ 		struct video_window vw;
+-		struct video_code vc;
++		struct video_code32 vc;
+ 		struct video_audio va;
+ #endif
+ 		struct v4l2_format v2f;
+@@ -745,8 +752,11 @@ static int do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg
+ 		break;
+ #ifdef CONFIG_VIDEO_V4L1_COMPAT
+ 	case VIDIOCSMICROCODE:
+-		err = microcode32(&karg.vc, up);
+-		compatible_arg = 0;
++		/* Copy the 32-bit "video_code32" to kernel space */
++		if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
++			return -EFAULT;
++		/* Convert the 32-bit version to a 64-bit version in user space */
++		up = microcode32(&karg.vc);
+ 		break;
+ #endif
+ 	};
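Review bot: In the `VIDIOCSMICROCODE` case the patch removes `compatible_arg = 0` without a comment, yet the conversion presumably only works if the native handler is then called with the rewritten `up`. That dependency on the initial value of `compatible_arg`, which is set outside the hunk, deserves a line such as `/* compatible_arg stays set: the native ioctl reads the converted struct from up */`. `microcode32()` also forwards `datasize` (a signed `compat_int_t`) and the widened `data` pointer unchanged, so all sign and bounds checking is left to the native handler, presumably in the stradis driver named in the commit message. A short header comment on `microcode32()` should say that it validates nothing and that the returned pointer is user-space scratch from `compat_alloc_user_space()`. `do_video_ioctl()` begins and ends outside the hunk, so how `up` is consumed afterwards cannot be confirmed from here.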

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Fri Nov 19 06:08:43 2010	(r16568)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Fri Nov 19 06:53:53 2010	(r16569)
@@ -16,3 +16,4 @@
 + bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
 + bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
 + bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
++ bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch


