[kernel] r16480 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Oct 25 02:20:24 UTC 2010


Author: dannf
Date: Mon Oct 25 02:19:53 2010
New Revision: 16480

Log:
cxgb3: prevent reading uninitialized stack memory (CVE-2010-3296)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:19:20 2010	(r16479)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:19:53 2010	(r16480)
@@ -2,6 +2,7 @@
 
   * net sched: fix kernel leak in act_police (CVE-2010-3477)
   * aio: check for multiplication overflow in do_io_submit (CVE-2010-3067)
+  * cxgb3: prevent reading uninitialized stack memory (CVE-2010-3296)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch	Mon Oct 25 02:19:53 2010	(r16480)
@@ -0,0 +1,30 @@
+commit a10473c752b8aeb945c7b551560172038ccb4848
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Wed Sep 15 11:43:12 2010 +0000
+
+    drivers/net/cxgb3/cxgb3_main.c: prevent reading uninitialized stack memory
+    
+    Fixed formatting (tabs and line breaks).
+    
+    The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read
+    4 bytes of uninitialized stack memory, because the "addr" member of the
+    ch_reg struct declared on the stack in cxgb_extension_ioctl() is not
+    altered or zeroed before being copied back to the user.  This patch
+    takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/cxgb3/cxgb3_main.c b/drivers/net/cxgb3/cxgb3_main.c
+index 3a31272..95f913e 100644
+--- a/drivers/net/cxgb3/cxgb3_main.c
++++ b/drivers/net/cxgb3/cxgb3_main.c
+@@ -1890,6 +1890,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ 	case CHELSIO_GET_QSET_NUM:{
+ 		struct ch_reg edata;
+ 
++		memset(&edata, 0, sizeof(struct ch_reg));
++
+ 		edata.cmd = CHELSIO_GET_QSET_NUM;
+ 		edata.val = pi->nqsets;
+ 		if (copy_to_user(useraddr, &edata, sizeof(edata)))
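
Review bot: The added memset() in the CHELSIO_GET_QSET_NUM case sizes the clear by type, sizeof(struct ch_reg), while the copy_to_user() a few lines below sizes the copy by object, sizeof(edata). Writing memset(&edata, 0, sizeof(edata)) would keep the zeroed length and the copied length tied to the same declaration if the type of edata ever changes. The placement is right: clearing the whole struct before cmd and val are assigned means the addr member named in the commit message, and every other byte not explicitly set, reaches user space as zero.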

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:19:20 2010	(r16479)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:19:53 2010	(r16480)
@@ -1,2 +1,3 @@
 + bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
 + bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
++ bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch


