[kernel] r16439 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 14 06:42:46 UTC 2010
Author: dannf
Date: Thu Oct 14 06:42:42 2010
New Revision: 16439
Log:
Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/25
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Oct 14 06:38:14 2010 (r16438)
+++ dists/sid/linux-2.6/debian/changelog Thu Oct 14 06:42:42 2010 (r16439)
@@ -37,6 +37,7 @@
* net sched: fix some kernel memory leaks (CVE-2010-2942)
* niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL (CVE-2010-3084)
* rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
+ * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
-- dann frazier <dannf at debian.org> Wed, 13 Oct 2010 23:44:55 -0600
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch Thu Oct 14 06:42:42 2010 (r16439)
@@ -0,0 +1,23 @@
+[Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+commit 252a52aa4fa22a668f019e55b3aac3ff71ec1c29
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Mon Sep 27 12:30:28 2010 -0400
+
+ Fix pktcdvd ioctl dev_minor range check
+
+ The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
+ pktcdvd_device from the global pkt_devs array. The index into this
+ array is provided directly by the user and is a signed integer, so the
+ comparison to ensure that it falls within the bounds of this array will
+ fail when provided with a negative index.
+
+ This can be used to read arbitrary kernel memory or cause a crash due to
+ an invalid pointer dereference. This can be exploited by users with
+ permission to open /dev/pktcdvd/control (on many distributions, this is
+ readable by group "cdrom").
+
+ Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+ [ Rather than add a cast, just make the function take the right type -Linus ]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 06:38:14 2010 (r16438)
+++ dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 06:42:42 2010 (r16439)
@@ -27,3 +27,4 @@
+ bugfix/all/net-sched-fix-some-memory-leaks.patch
+ bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch
+ bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
++ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
More information about the Kernel-svn-changes
mailing list