[kernel] r16484 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Oct 25 02:21:10 UTC 2010
Author: dannf
Date: Mon Oct 25 02:21:07 2010
New Revision: 16484
Log:
Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:20:58 2010 (r16483)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:21:07 2010 (r16484)
@@ -6,6 +6,7 @@
* eql: prevent reading uninitialized stack memory (CVE-2010-3297)
* rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
* sctp: Do not reset the packet during sctp_packet_config() (CVE-2010-3432)
+ * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
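Review bot: The added changelog line has no subsystem prefix, unlike the neighbouring entries ("eql:", "rose:", "sctp:"), so a reader scanning the changelog cannot tell which driver is affected without looking up the CVE. Suggest "* pktcdvd: Fix ioctl dev_minor range check (CVE-2010-3437)". The trailer line still carries the date Thu, 30 Sep 2010 while this revision is dated 25 Oct 2010; refresh it when the upload is finalised.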
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch Mon Oct 25 02:21:07 2010 (r16484)
@@ -0,0 +1,34 @@
+commit 20176a70251000e8d0cb2138ba2f9bd607739c34
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Mon Sep 27 12:30:28 2010 -0400
+
+ Fix pktcdvd ioctl dev_minor range check
+
+ The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
+ pktcdvd_device from the global pkt_devs array. The index into this
+ array is provided directly by the user and is a signed integer, so the
+ comparison to ensure that it falls within the bounds of this array will
+ fail when provided with a negative index.
+
+ This can be used to read arbitrary kernel memory or cause a crash due to
+ an invalid pointer dereference. This can be exploited by users with
+ permission to open /dev/pktcdvd/control (on many distributions, this is
+ readable by group "cdrom").
+
+ Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+ [ Rather than add a cast, just make the function take the right type -Linus ]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
+index 3ba1df9..7f0734b 100644
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -2405,7 +2405,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)
+ pkt_shrink_pktlist(pd);
+ }
+
+-static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
++static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
+ {
+ if (dev_minor >= MAX_WRITERS)
+ return NULL;
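Review bot: In pkt_find_dev_from_minor, the "dev_minor >= MAX_WRITERS" check now rejects negative input only because the argument is implicitly converted from int to unsigned int at the call, and nothing next to the check records that. The commit message says the index comes from the user as a signed integer, and the call sites are not part of this hunk, so the source of the value stays signed. Suggest a one-line comment above the check stating that dev_minor is deliberately unsigned so that negative user-supplied values fail the bound, and confirm that no other code path indexes pkt_devs with the same user-supplied value without going through this function.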
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:20:58 2010 (r16483)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:21:07 2010 (r16484)
@@ -4,3 +4,4 @@
+ bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch
+ bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
+ bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
++ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch