[kernel] r16437 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 14 06:33:47 UTC 2010
Author: dannf
Date: Thu Oct 14 06:33:37 2010
New Revision: 16437
Log:
niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL (CVE-2010-3084)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/25
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Oct 14 05:52:59 2010 (r16436)
+++ dists/sid/linux-2.6/debian/changelog Thu Oct 14 06:33:37 2010 (r16437)
@@ -35,6 +35,7 @@
* GFS2: Fix writing to non-page aligned gfs2_quota structures (CVE-2010-1436)
* hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
* net sched: fix some kernel memory leaks (CVE-2010-2942)
+ * niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL (CVE-2010-3084)
-- dann frazier <dannf at debian.org> Wed, 13 Oct 2010 23:44:55 -0600
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch Thu Oct 14 06:33:37 2010 (r16437)
@@ -0,0 +1,65 @@
+[Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9
+Author: Ben Hutchings <bhutchings at solarflare.com>
+Date: Tue Sep 7 04:35:19 2010 +0000
+
+ niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL
+
+ niu_get_ethtool_tcam_all() assumes that its output buffer is the right
+ size, and warns before returning if it is not. However, the output
+ buffer size is under user control and ETHTOOL_GRXCLSRLALL is an
+ unprivileged ethtool command. Therefore this is at least a local
+ denial-of-service vulnerability.
+
+ Change it to check before writing each entry and to return an error if
+ the buffer is already full.
+
+ Compile-tested only.
+
+ Signed-off-by: Ben Hutchings <bhutchings at solarflare.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff -urpN a/drivers/net/niu.c b/drivers/net/niu.c
+--- a/drivers/net/niu.c 2009-12-02 20:51:21.000000000 -0700
++++ b/drivers/net/niu.c 2010-10-14 00:28:10.033159817 -0600
+@@ -7315,33 +7315,28 @@ static int niu_get_ethtool_tcam_all(stru
+ struct niu_parent *parent = np->parent;
+ struct niu_tcam_entry *tp;
+ int i, idx, cnt;
+- u16 n_entries;
+ unsigned long flags;
+-
++ int ret = 0;
+
+ /* put the tcam size here */
+ nfc->data = tcam_get_size(np);
+
+ niu_lock_parent(np, flags);
+- n_entries = nfc->rule_cnt;
+ for (cnt = 0, i = 0; i < nfc->data; i++) {
+ idx = tcam_get_index(np, i);
+ tp = &parent->tcam[idx];
+ if (!tp->valid)
+ continue;
++ if (cnt == nfc->rule_cnt) {
++ ret = -EMSGSIZE;
++ break;
++ }
+ rule_locs[cnt] = i;
+ cnt++;
+ }
+ niu_unlock_parent(np, flags);
+
+- if (n_entries != cnt) {
+- /* print warning, this should not happen */
+- pr_info(PFX "niu%d: %s In niu_get_ethtool_tcam_all, "
+- "n_entries[%d] != cnt[%d]!!!\n\n",
+- np->parent->index, np->dev->name, n_entries, cnt);
+- }
+-
+- return 0;
++ return ret;
+ }
+
+ static int niu_get_nfc(struct net_device *dev, struct ethtool_rxnfc *cmd,
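Review bot: In niu_get_ethtool_tcam_all(), nothing in the lines shown reports cnt back to the caller after the loop. When fewer valid TCAM entries exist than nfc->rule_cnt, the function returns 0 with the tail of rule_locs unwritten and no indication of how many slots were filled. With the `n_entries != cnt` warning removed, that short-fill case is now silent. Consider storing the count after niu_unlock_parent(), for example `nfc->rule_cnt = cnt;`, so that a caller copying the array back to user space can bound the copy to the entries actually written. The same write-back would tell the caller how many entries fit on the -EMSGSIZE path. The new `cnt == nfc->rule_cnt` test before `rule_locs[cnt] = i;` does handle rule_cnt of 0 correctly, since it fires before the first write. As the commit message says the change is compile-tested only, a run with rule_cnt below, equal to and above the number of valid entries would be worth doing before relying on it.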
Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 05:52:59 2010 (r16436)
+++ dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 06:33:37 2010 (r16437)
@@ -25,3 +25,4 @@
+ bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove-2.patch
+ bugfix/all/act_nat-use-stack-variable.patch
+ bugfix/all/net-sched-fix-some-memory-leaks.patch
++ bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch