[kernel] r16439 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Oct 14 06:42:46 UTC 2010 

Author: dannf
Date: Thu Oct 14 06:42:42 2010
New Revision: 16439

Log:
Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/25

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Oct 14 06:38:14 2010	(r16438)
+++ dists/sid/linux-2.6/debian/changelog	Thu Oct 14 06:42:42 2010	(r16439)
@@ -37,6 +37,7 @@
   * net sched: fix some kernel memory leaks (CVE-2010-2942)
   * niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL (CVE-2010-3084)
   * rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
+  * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
 
  -- dann frazier <dannf at debian.org>  Wed, 13 Oct 2010 23:44:55 -0600
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch	Thu Oct 14 06:42:42 2010	(r16439)
@@ -0,0 +1,23 @@
+[Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+commit 252a52aa4fa22a668f019e55b3aac3ff71ec1c29
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Mon Sep 27 12:30:28 2010 -0400
+
+    Fix pktcdvd ioctl dev_minor range check
+    
+    The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
+    pktcdvd_device from the global pkt_devs array.  The index into this
+    array is provided directly by the user and is a signed integer, so the
+    comparison to ensure that it falls within the bounds of this array will
+    fail when provided with a negative index.
+    
+    This can be used to read arbitrary kernel memory or cause a crash due to
+    an invalid pointer dereference.  This can be exploited by users with
+    permission to open /dev/pktcdvd/control (on many distributions, this is
+    readable by group "cdrom").
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    [ Rather than add a cast, just make the function take the right type -Linus ]
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+

Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 06:38:14 2010	(r16438)
+++ dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 06:42:42 2010	(r16439)
@@ -27,3 +27,4 @@
 + bugfix/all/net-sched-fix-some-memory-leaks.patch
 + bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch
 + bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
++ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch

More information about the Kernel-svn-changes mailing list