[kernel] r16587 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Nov 21 01:29:52 UTC 2010
Author: dannf
Date: Sun Nov 21 01:29:50 2010
New Revision: 16587
Log:
[SCSI] gdth: integer overflow in ioctl (CVE-2010-4157)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Nov 21 01:25:31 2010 (r16586)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Nov 21 01:29:50 2010 (r16587)
@@ -33,6 +33,7 @@
* ipc: initialize structure memory to zero for compat functions
(CVE-2010-4073)
* USB: serial/mos*: prevent reading uninitialized stack memory (CVE-2010-4074)
+ * [SCSI] gdth: integer overflow in ioctl (CVE-2010-4157)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch Sun Nov 21 01:29:50 2010 (r16587)
@@ -0,0 +1,38 @@
+commit 544a3052a7c5a0b21776d78b6773d6ad28d5434c
+Author: Dan Carpenter <error27 at gmail.com>
+Date: Fri Oct 8 09:03:07 2010 +0200
+
+ [SCSI] gdth: integer overflow in ioctl
+
+ gdth_ioctl_alloc() takes the size variable as an int.
+ copy_from_user() takes the size variable as an unsigned long.
+ gen.data_len and gen.sense_len are unsigned longs.
+ On x86_64 longs are 64 bit and ints are 32 bit.
+
+ We could pass in a very large number and the allocation would truncate
+ the size to 32 bits and allocate a small buffer. Then when we do the
+ copy_from_user(), it would result in a memory corruption.
+
+ CC: stable at kernel.org
+ Signed-off-by: Dan Carpenter <error27 at gmail.com>
+ Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+
+diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
+index 31b78d8..2c61f82 100644
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -4152,6 +4152,14 @@ static int ioc_general(void __user *arg, char *cmnd)
+ ha = gdth_find_ha(gen.ionode);
+ if (!ha)
+ return -EFAULT;
++
++ if (gen.data_len > INT_MAX)
++ return -EINVAL;
++ if (gen.sense_len > INT_MAX)
++ return -EINVAL;
++ if (gen.data_len + gen.sense_len > INT_MAX)
++ return -EINVAL;
++
+ if (gen.data_len + gen.sense_len != 0) {
+ if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
+ FALSE, &paddr)))
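Review bot: the three new checks placed before the gdth_ioctl_alloc() call are the right shape for the truncation the commit message describes, since gdth_ioctl_alloc() takes an int while gen.data_len and gen.sense_len are unsigned long, so the sum has to be bounded before it is narrowed. The two individual `> INT_MAX` checks are what make the third one sound: with both operands at most INT_MAX the addition cannot wrap in an unsigned long, so `gen.data_len + gen.sense_len > INT_MAX` genuinely tests the combined size that reaches the int parameter. Two small follow-ups: the same sum is recomputed in the unchanged `if (gen.data_len + gen.sense_len != 0)` context line and again in the alloc call, so computing it once into a local after the checks would tie the guarded value to the one actually used; and INT_MAX is still a generous bound for a user-supplied length, so if the driver has a smaller maximum transfer size a tighter cap at this same point would be worth considering, although no such limit is visible in this hunk. Returning -EINVAL for an out-of-range length, where the surrounding code returns -EFAULT for an unknown ionode, is the appropriate distinction.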
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sun Nov 21 01:25:31 2010 (r16586)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sun Nov 21 01:29:50 2010 (r16587)
@@ -26,3 +26,4 @@
+ bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
+ bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
+ bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/gdth-integer-overflow-in-ioctl.patch