[kernel] r16263 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Sep 10 01:24:34 UTC 2010
Author: dannf
Date: Fri Sep 10 01:24:31 2010
New Revision: 16263
Log:
irda: Correctly clean up self->ias_obj on irda_bind() failure. (CVE-2010-2954)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/22
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Fri Sep 10 01:22:49 2010 (r16262)
+++ dists/sid/linux-2.6/debian/changelog Fri Sep 10 01:24:31 2010 (r16263)
@@ -66,6 +66,8 @@
[ dann frazier ]
* netxen_nic: add support for loading unified firmware images
+ * irda: Correctly clean up self->ias_obj on irda_bind() failure.
+ (CVE-2010-2954)
-- Ben Hutchings <ben at decadent.org.uk> Fri, 27 Aug 2010 08:38:26 +0100
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch Fri Sep 10 01:24:31 2010 (r16263)
@@ -0,0 +1,35 @@
+commit 7fd526535d7e6134ec40c2a48d5f42463bee6622
+Author: David S. Miller <davem at davemloft.net>
+Date: Mon Aug 30 18:35:24 2010 -0700
+
+ irda: Correctly clean up self->ias_obj on irda_bind() failure.
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ If irda_open_tsap() fails, the irda_bind() code tries to destroy
+ the ->ias_obj object by hand, but does so wrongly.
+
+ In particular, it fails to a) release the hashbin attached to the
+ object and b) reset the self->ias_obj pointer to NULL.
+
+ Fix both problems by using irias_delete_object() and explicitly
+ setting self->ias_obj to NULL, just as irda_release() does.
+
+ Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index b28409c..ca31e1d 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -809,8 +809,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+
+ err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
+ if (err < 0) {
+- kfree(self->ias_obj->name);
+- kfree(self->ias_obj);
++ irias_delete_object(self->ias_obj);
++ self->ias_obj = NULL;
+ return err;
+ }
+
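Review bot: The backport note in the patch header, "[Backported to Debian's 2.6.26 by dann frazier]", names 2.6.26, but this file is being added under dists/sid/linux-2.6. Please confirm the note matches the tree this copy targets, or reword it, so the header does not misstate which kernel the hunk context (@@ -809,8 +809,8 @@) was adjusted for. The code change itself matches the description: the error path after irda_open_tsap() now calls irias_delete_object(self->ias_obj) and sets self->ias_obj = NULL, where the removed lines freed only the name and the object, leaving the hashbin unreleased and the pointer stale.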
Modified: dists/sid/linux-2.6/debian/patches/series/22
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/22 Fri Sep 10 01:22:49 2010 (r16262)
+++ dists/sid/linux-2.6/debian/patches/series/22 Fri Sep 10 01:24:31 2010 (r16263)
@@ -118,3 +118,4 @@
+ bugfix/all/brcm80211-Fix-some-initialisation-failure-paths.patch
- features/all/r8169-rtl8168d-1-2-request_firmware-2.patch
+ features/all/r8169-rtl8168d-1-2-request_firmware-3.patch
++ bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch