[kernel] r16484 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Oct 25 02:21:10 UTC 2010


Author: dannf
Date: Mon Oct 25 02:21:07 2010
New Revision: 16484

Log:
Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:20:58 2010	(r16483)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:21:07 2010	(r16484)
@@ -6,6 +6,7 @@
   * eql: prevent reading uninitialized stack memory (CVE-2010-3297)
   * rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
   * sctp: Do not reset the packet during sctp_packet_config() (CVE-2010-3432)
+  * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 
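Review bot: the added entry "Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)" is the only one in this block without a subsystem prefix, while the context lines above it start with "eql:", "rose:" and "sctp:". Suggest "pktcdvd: Fix ioctl dev_minor range check (CVE-2010-3437)" so the affected driver is visible when scanning the changelog. The trailer below still reads Thu, 30 Sep 2010 although this entry is committed on 25 Oct 2010; refresh it when the upload is finalised.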

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch	Mon Oct 25 02:21:07 2010	(r16484)
@@ -0,0 +1,34 @@
+commit 20176a70251000e8d0cb2138ba2f9bd607739c34
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Mon Sep 27 12:30:28 2010 -0400
+
+    Fix pktcdvd ioctl dev_minor range check
+    
+    The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
+    pktcdvd_device from the global pkt_devs array.  The index into this
+    array is provided directly by the user and is a signed integer, so the
+    comparison to ensure that it falls within the bounds of this array will
+    fail when provided with a negative index.
+    
+    This can be used to read arbitrary kernel memory or cause a crash due to
+    an invalid pointer dereference.  This can be exploited by users with
+    permission to open /dev/pktcdvd/control (on many distributions, this is
+    readable by group "cdrom").
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    [ Rather than add a cast, just make the function take the right type -Linus ]
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
+index 3ba1df9..7f0734b 100644
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -2405,7 +2405,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)
+ 	pkt_shrink_pktlist(pd);
+ }
+ 
+-static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
++static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
+ {
+ 	if (dev_minor >= MAX_WRITERS)
+ 		return NULL;
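Review bot: after the signature change, the check "if (dev_minor >= MAX_WRITERS)" in pkt_find_dev_from_minor only rejects negative input because the caller's signed value is implicitly converted to unsigned int at the call boundary, and nothing in the hunk documents that. A one-line comment above the function saying the parameter is unsigned on purpose would stop a later cleanup from changing it back to int and reopening the negative-index read. The hunk shows only this helper, so any other site that indexes pkt_devs with a user-supplied minor without going through it is not covered here and should be confirmed before relying on this patch alone. The embedded commit message does not carry the CVE id used in debian/changelog; a note in the patch header tying it to CVE-2010-3437 would make the patch file traceable on its own.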

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:20:58 2010	(r16483)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:21:07 2010	(r16484)
@@ -4,3 +4,4 @@
 + bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch
 + bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
 + bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
++ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch


