[kernel] r16480 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Oct 25 02:20:24 UTC 2010
Author: dannf
Date: Mon Oct 25 02:19:53 2010
New Revision: 16480
Log:
cxgb3: prevent reading uninitialized stack memory (CVE-2010-3296)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:19:20 2010 (r16479)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:19:53 2010 (r16480)
@@ -2,6 +2,7 @@
* net sched: fix kernel leak in act_police (CVE-2010-3477)
* aio: check for multiplication overflow in do_io_submit (CVE-2010-3067)
+ * cxgb3: prevent reading uninitialized stack memory (CVE-2010-3296)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch Mon Oct 25 02:19:53 2010 (r16480)
@@ -0,0 +1,30 @@
+commit a10473c752b8aeb945c7b551560172038ccb4848
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed Sep 15 11:43:12 2010 +0000
+
+ drivers/net/cxgb3/cxgb3_main.c: prevent reading uninitialized stack memory
+
+ Fixed formatting (tabs and line breaks).
+
+ The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read
+ 4 bytes of uninitialized stack memory, because the "addr" member of the
+ ch_reg struct declared on the stack in cxgb_extension_ioctl() is not
+ altered or zeroed before being copied back to the user. This patch
+ takes care of it.
+
+ Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/cxgb3/cxgb3_main.c b/drivers/net/cxgb3/cxgb3_main.c
+index 3a31272..95f913e 100644
+--- a/drivers/net/cxgb3/cxgb3_main.c
++++ b/drivers/net/cxgb3/cxgb3_main.c
+@@ -1890,6 +1890,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ case CHELSIO_GET_QSET_NUM:{
+ struct ch_reg edata;
+
++ memset(&edata, 0, sizeof(struct ch_reg));
++
+ edata.cmd = CHELSIO_GET_QSET_NUM;
+ edata.val = pi->nqsets;
+ if (copy_to_user(useraddr, &edata, sizeof(edata)))
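Review bot: the added memset() at the top of the CHELSIO_GET_QSET_NUM case sizes the clear with sizeof(struct ch_reg), while the copy_to_user() a few lines later uses sizeof(edata); writing memset(&edata, 0, sizeof(edata)) would tie the zeroed length and the copied length to the same object, so the two cannot drift apart if the declaration of edata changes. Zeroing the whole struct instead of only assigning edata.addr is the safer form here, because it also clears any padding bytes that copy_to_user() would otherwise hand back along with cmd and val. A one-line comment above the memset() saying that the struct is copied to user space in full would help keep the call from being dropped as redundant in a later cleanup.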
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:19:20 2010 (r16479)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:19:53 2010 (r16480)
@@ -1,2 +1,3 @@
+ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
+ bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
++ bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch