[kernel] r16263 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Fri Sep 10 01:24:34 UTC 2010

Author: dannf
Date: Fri Sep 10 01:24:31 2010
New Revision: 16263

Log:
irda: Correctly clean up self->ias_obj on irda_bind() failure. (CVE-2010-2954)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/22

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================

--- dists/sid/linux-2.6/debian/changelog	Fri Sep 10 01:22:49 2010	(r16262)
+++ dists/sid/linux-2.6/debian/changelog	Fri Sep 10 01:24:31 2010	(r16263)
@@ -66,6 +66,8 @@
 
   [ dann frazier ]
   * netxen_nic: add support for loading unified firmware images
+  * irda: Correctly clean up self->ias_obj on irda_bind() failure.
+    (CVE-2010-2954)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 27 Aug 2010 08:38:26 +0100
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch	Fri Sep 10 01:24:31 2010	(r16263)
@@ -0,0 +1,35 @@
+commit 7fd526535d7e6134ec40c2a48d5f42463bee6622
+Author: David S. Miller <davem at davemloft.net>
+Date:   Mon Aug 30 18:35:24 2010 -0700
+
+    irda: Correctly clean up self->ias_obj on irda_bind() failure.
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    If irda_open_tsap() fails, the irda_bind() code tries to destroy
+    the ->ias_obj object by hand, but does so wrongly.
+    
+    In particular, it fails to a) release the hashbin attached to the
+    object and b) reset the self->ias_obj pointer to NULL.
+    
+    Fix both problems by using irias_delete_object() and explicitly
+    setting self->ias_obj to NULL, just as irda_release() does.
+    
+    Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index b28409c..ca31e1d 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -809,8 +809,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ 
+ 	err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
+ 	if (err < 0) {
+-		kfree(self->ias_obj->name);
+-		kfree(self->ias_obj);
++		irias_delete_object(self->ias_obj);
++		self->ias_obj = NULL;
+ 		return err;
+ 	}
+ 

Modified: dists/sid/linux-2.6/debian/patches/series/22
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/22	Fri Sep 10 01:22:49 2010	(r16262)
+++ dists/sid/linux-2.6/debian/patches/series/22	Fri Sep 10 01:24:31 2010	(r16263)
@@ -118,3 +118,4 @@
 + bugfix/all/brcm80211-Fix-some-initialisation-failure-paths.patch
 - features/all/r8169-rtl8168d-1-2-request_firmware-2.patch
 + features/all/r8169-rtl8168d-1-2-request_firmware-3.patch
++ bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch

