[kernel] r16575 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Sat Nov 20 18:30:51 UTC 2010


Author: benh
Date: Sat Nov 20 18:30:46 2010
New Revision: 16575

Log:
gdth: Fix integer overflow in ioctl (CVE-2010-4157)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/28

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Sat Nov 20 18:25:15 2010	(r16574)
+++ dists/sid/linux-2.6/debian/changelog	Sat Nov 20 18:30:46 2010	(r16575)
@@ -52,6 +52,7 @@
     wanted.
   * atl1c: Add support for Atheros AR8151 and AR8152 (Closes: #599771)
   * [x86] KVM: Fix fs/gs reload oops with invalid ldt (CVE-2010-3698)
+  * gdth: Fix integer overflow in ioctl (CVE-2010-4157)
 
   [ dann frazier ]
   * [vserver] Update patch to 2.6.32.25-vs2.3.0.36.29.6

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch	Sat Nov 20 18:30:46 2010	(r16575)
@@ -0,0 +1,43 @@
+From f63ae56e4e97fb12053590e41a4fa59e7daa74a4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27 at gmail.com>
+Date: Fri, 8 Oct 2010 09:03:07 +0200
+Subject: [SCSI] gdth: integer overflow in ioctl
+
+From: Dan Carpenter <error27 at gmail.com>
+
+commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream.
+
+gdth_ioctl_alloc() takes the size variable as an int.
+copy_from_user() takes the size variable as an unsigned long.
+gen.data_len and gen.sense_len are unsigned longs.
+On x86_64 longs are 64 bit and ints are 32 bit.
+
+We could pass in a very large number and the allocation would truncate
+the size to 32 bits and allocate a small buffer.  Then when we do the
+copy_from_user(), it would result in a memory corruption.
+
+Signed-off-by: Dan Carpenter <error27 at gmail.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/scsi/gdth.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -4174,6 +4174,14 @@ static int ioc_general(void __user *arg,
+     ha = gdth_find_ha(gen.ionode);
+     if (!ha)
+         return -EFAULT;
++
++    if (gen.data_len > INT_MAX)
++        return -EINVAL;
++    if (gen.sense_len > INT_MAX)
++        return -EINVAL;
++    if (gen.data_len + gen.sense_len > INT_MAX)
++        return -EINVAL;
++
+     if (gen.data_len + gen.sense_len != 0) {
+         if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
+                                      FALSE, &paddr)))
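Review bot: the three range checks inserted ahead of the `gen.data_len + gen.sense_len != 0` test are all needed, not just the last one: bounding `gen.data_len` and `gen.sense_len` by INT_MAX individually guarantees that their sum cannot wrap the unsigned long even on a 32-bit build, so the third comparison reliably rejects any total that would be truncated when gdth_ioctl_alloc() receives it as an int. Returning -EINVAL for an oversize request is the right code, and placing the checks after gdth_find_ha() leaves the existing -EFAULT path for an unknown ionode unchanged. One thing to confirm when applying this backport: the 43-line patch file adds no include, so gdth.c must already pull in a header that defines INT_MAX (linux/kernel.h) for the build to succeed.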

Modified: dists/sid/linux-2.6/debian/patches/series/28
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/28	Sat Nov 20 18:25:15 2010	(r16574)
+++ dists/sid/linux-2.6/debian/patches/series/28	Sat Nov 20 18:30:46 2010	(r16575)
@@ -48,3 +48,4 @@
 + features/all/atl1c-Add-support-for-Atheros-AR8152-and-AR8152.patch
 + bugfix/all/atl1c-Fix-hardware-type-check-for-enabling-OTP-CLK.patch
 + bugfix/x86/KVM-Fix-fs-gs-reload-oops-with-invalid-ldt.patch
++ bugfix/all/gdth-integer-overflow-in-ioctl.patch


