[kernel] r16262 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Sep 10 01:22:52 UTC 2010


Author: dannf
Date: Fri Sep 10 01:22:49 2010
New Revision: 16262

Log:
irda: Correctly clean up self->ias_obj on irda_bind() failure. (CVE-2010-2954)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny1
Modified:
   dists/lenny-security/linux-2.6/debian/changelog

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Sep 10 01:08:49 2010	(r16261)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Sep 10 01:22:49 2010	(r16262)
@@ -1,3 +1,10 @@
+linux-2.6 (2.6.26-25lenny1) UNRELEASED; urgency=high
+
+  * irda: Correctly clean up self->ias_obj on irda_bind() failure.
+    (CVE-2010-2954)
+
+ -- dann frazier <dannf at debian.org>  Thu, 09 Sep 2010 19:11:27 -0600
+
 linux-2.6 (2.6.26-25) stable; urgency=high
 
   [ Ben Hutchings ]

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch	Fri Sep 10 01:22:49 2010	(r16262)
@@ -0,0 +1,35 @@
+commit 7fd526535d7e6134ec40c2a48d5f42463bee6622
+Author: David S. Miller <davem at davemloft.net>
+Date:   Mon Aug 30 18:35:24 2010 -0700
+
+    irda: Correctly clean up self->ias_obj on irda_bind() failure.
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    If irda_open_tsap() fails, the irda_bind() code tries to destroy
+    the ->ias_obj object by hand, but does so wrongly.
+    
+    In particular, it fails to a) release the hashbin attached to the
+    object and b) reset the self->ias_obj pointer to NULL.
+    
+    Fix both problems by using irias_delete_object() and explicitly
+    setting self->ias_obj to NULL, just as irda_release() does.
+    
+    Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index b28409c..ca31e1d 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -809,8 +809,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ 
+ 	err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
+ 	if (err < 0) {
+-		kfree(self->ias_obj->name);
+-		kfree(self->ias_obj);
++		irias_delete_object(self->ias_obj);
++		self->ias_obj = NULL;
+ 		return err;
+ 	}
+ 
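Review bot: The "[Backported to Debian's 2.6.26 ...]" line in the commit message does not say what was adapted, while the embedded hunk still carries the upstream index line (b28409c..ca31e1d) and the upstream 809,8 offsets. Please state whether the change applied to the 2.6.26 tree unchanged or with an offset, so the next rebase of the series knows what to expect. In the `if (err < 0)` branch after irda_open_tsap(), the order is right: irias_delete_object() runs first and `self->ias_obj = NULL` follows, matching what the message says irda_release() does, so the socket no longer holds a stale pointer to the deleted object. The hunk shows only this one error return, so it is worth confirming that no other failure path in irda_bind() in the 2.6.26 source returns with self->ias_obj still set after the object has been torn down.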

Added: dists/lenny-security/linux-2.6/debian/patches/series/25lenny1
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny1	Fri Sep 10 01:22:49 2010	(r16262)
@@ -0,0 +1 @@
++ bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch


