[kernel] r16437 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Oct 14 06:33:47 UTC 2010


Author: dannf
Date: Thu Oct 14 06:33:37 2010
New Revision: 16437

Log:
niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL (CVE-2010-3084)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/25

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Oct 14 05:52:59 2010	(r16436)
+++ dists/sid/linux-2.6/debian/changelog	Thu Oct 14 06:33:37 2010	(r16437)
@@ -35,6 +35,7 @@
   * GFS2: Fix writing to non-page aligned gfs2_quota structures (CVE-2010-1436)
   * hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
   * net sched: fix some kernel memory leaks (CVE-2010-2942)
+  * niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL (CVE-2010-3084)
 
  -- dann frazier <dannf at debian.org>  Wed, 13 Oct 2010 23:44:55 -0600
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch	Thu Oct 14 06:33:37 2010	(r16437)
@@ -0,0 +1,65 @@
+[Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9
+Author: Ben Hutchings <bhutchings at solarflare.com>
+Date:   Tue Sep 7 04:35:19 2010 +0000
+
+    niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL
+    
+    niu_get_ethtool_tcam_all() assumes that its output buffer is the right
+    size, and warns before returning if it is not.  However, the output
+    buffer size is under user control and ETHTOOL_GRXCLSRLALL is an
+    unprivileged ethtool command.  Therefore this is at least a local
+    denial-of-service vulnerability.
+    
+    Change it to check before writing each entry and to return an error if
+    the buffer is already full.
+    
+    Compile-tested only.
+    
+    Signed-off-by: Ben Hutchings <bhutchings at solarflare.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff -urpN a/drivers/net/niu.c b/drivers/net/niu.c
+--- a/drivers/net/niu.c	2009-12-02 20:51:21.000000000 -0700
++++ b/drivers/net/niu.c	2010-10-14 00:28:10.033159817 -0600
+@@ -7315,33 +7315,28 @@ static int niu_get_ethtool_tcam_all(stru
+ 	struct niu_parent *parent = np->parent;
+ 	struct niu_tcam_entry *tp;
+ 	int i, idx, cnt;
+-	u16 n_entries;
+ 	unsigned long flags;
+-
++	int ret = 0;
+ 
+ 	/* put the tcam size here */
+ 	nfc->data = tcam_get_size(np);
+ 
+ 	niu_lock_parent(np, flags);
+-	n_entries = nfc->rule_cnt;
+ 	for (cnt = 0, i = 0; i < nfc->data; i++) {
+ 		idx = tcam_get_index(np, i);
+ 		tp = &parent->tcam[idx];
+ 		if (!tp->valid)
+ 			continue;
++		if (cnt == nfc->rule_cnt) {
++			ret = -EMSGSIZE;
++			break;
++		}
+ 		rule_locs[cnt] = i;
+ 		cnt++;
+ 	}
+ 	niu_unlock_parent(np, flags);
+ 
+-	if (n_entries != cnt) {
+-		/* print warning, this should not happen */
+-		pr_info(PFX "niu%d: %s In niu_get_ethtool_tcam_all, "
+-			"n_entries[%d] != cnt[%d]!!!\n\n",
+-			np->parent->index, np->dev->name, n_entries, cnt);
+-	}
+-
+-	return 0;
++	return ret;
+ }
+ 
+ static int niu_get_nfc(struct net_device *dev, struct ethtool_rxnfc *cmd,
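Review bot: On the success path of niu_get_ethtool_tcam_all() the number of entries actually written (`cnt`) is never reported back, so when fewer valid TCAM entries exist than `nfc->rule_cnt` the function returns 0 silently (the old mismatch warning is removed) and the tail of `rule_locs` is left unwritten. If the caller copies `rule_cnt` entries back to user space from a buffer that was not zeroed, that tail would expose stale kernel memory; the caller and the buffer allocation are outside this hunk, so this needs confirming there. Storing the count after `niu_unlock_parent(np, flags);`, as `nfc->rule_cnt = cnt;`, would let the caller bound the copy to what was filled. The function's signature is also outside the hunk, and since the commit message says "Compile-tested only", a run with both a short and an over-long user buffer would be worth doing before relying on the new `-EMSGSIZE` path.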

Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 05:52:59 2010	(r16436)
+++ dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 06:33:37 2010	(r16437)
@@ -25,3 +25,4 @@
 + bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove-2.patch
 + bugfix/all/act_nat-use-stack-variable.patch
 + bugfix/all/net-sched-fix-some-memory-leaks.patch
++ bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch


