[kernel] r16587 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Sun Nov 21 01:29:52 UTC 2010

Author: dannf
Date: Sun Nov 21 01:29:50 2010
New Revision: 16587

Log:
[SCSI] gdth: integer overflow in ioctl (CVE-2010-4157)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================

--- dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 01:25:31 2010	(r16586)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 01:29:50 2010	(r16587)
@@ -33,6 +33,7 @@
   * ipc: initialize structure memory to zero for compat functions
     (CVE-2010-4073)
   * USB: serial/mos*: prevent reading uninitialized stack memory (CVE-2010-4074)
+  * [SCSI] gdth: integer overflow in ioctl (CVE-2010-4157)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch	Sun Nov 21 01:29:50 2010	(r16587)
@@ -0,0 +1,38 @@
+commit 544a3052a7c5a0b21776d78b6773d6ad28d5434c
+Author: Dan Carpenter <error27 at gmail.com>
+Date:   Fri Oct 8 09:03:07 2010 +0200
+
+    [SCSI] gdth: integer overflow in ioctl
+    
+    gdth_ioctl_alloc() takes the size variable as an int.
+    copy_from_user() takes the size variable as an unsigned long.
+    gen.data_len and gen.sense_len are unsigned longs.
+    On x86_64 longs are 64 bit and ints are 32 bit.
+    
+    We could pass in a very large number and the allocation would truncate
+    the size to 32 bits and allocate a small buffer.  Then when we do the
+    copy_from_user(), it would result in a memory corruption.
+    
+    CC: stable at kernel.org
+    Signed-off-by: Dan Carpenter <error27 at gmail.com>
+    Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+
+diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
+index 31b78d8..2c61f82 100644
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -4152,6 +4152,14 @@ static int ioc_general(void __user *arg, char *cmnd)
+     ha = gdth_find_ha(gen.ionode);
+     if (!ha)
+         return -EFAULT;
++
++    if (gen.data_len > INT_MAX)
++        return -EINVAL;
++    if (gen.sense_len > INT_MAX)
++        return -EINVAL;
++    if (gen.data_len + gen.sense_len > INT_MAX)
++        return -EINVAL;
++
+     if (gen.data_len + gen.sense_len != 0) {
+         if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
+                                      FALSE, &paddr)))

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 01:25:31 2010	(r16586)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 01:29:50 2010	(r16587)
@@ -26,3 +26,4 @@
 + bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
 + bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
 + bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/gdth-integer-overflow-in-ioctl.patch

