[kernel] r17911 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Moritz Muehlenhoff jmm at alioth.debian.org
Thu Aug 11 18:51:42 UTC 2011


Author: jmm
Date: Thu Aug 11 18:51:41 2011
New Revision: 17911

Log:
CVE-2011-2700 for Squeeze

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug 11 18:42:32 2011	(r17910)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug 11 18:51:41 2011	(r17911)
@@ -1,11 +1,15 @@
 linux-2.6 (2.6.32-35squeeze1) UNRELEASED; urgency=high
 
+  [ dann frazier ]
   * Fix regression in fix for CVE-2011-1768 (Closes: #633738)
   * net: Fix memory leak/corruption on VLAN GRO_DROP (CVE-2011-1576)
   * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
   * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
   * Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
 
+  [ Moritz Muehlenhoff ]
+  * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
+
  -- dann frazier <dannf at debian.org>  Thu, 21 Jul 2011 00:31:53 -0600
 
 linux-2.6 (2.6.32-35) stable; urgency=high
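Review bot: The stanza trailer (`-- dann frazier ... Thu, 21 Jul 2011`) is left unchanged although the `[ Moritz Muehlenhoff ]` entry is added on 11 Aug. That is acceptable while the stanza is marked UNRELEASED, but the trailer should be refreshed at upload so the date and uploader match the final content.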

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch	Thu Aug 11 18:51:41 2011	(r17911)
@@ -0,0 +1,43 @@
+From: Mauro Carvalho Chehab <mchehab at redhat.com>
+Date: Sun, 17 Jul 2011 03:24:37 +0000 (-0300)
+Subject: si4713-i2c: avoid potential buffer overflow on si4713
+X-Git-Tag: v3.0~16
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6
+
+si4713-i2c: avoid potential buffer overflow on si4713
+
+While compiling it with Fedora 15, I noticed this issue:
+
+  inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24:
+  arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct
+
+Cc: stable at kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+Acked-by: Sakari Ailus <sakari.ailus at maxwell.research.nokia.com>
+Acked-by: Eduardo Valentin <edubezval at gmail.com>
+Reviewed-by: Eugene Teo <eugeneteo at kernel.sg>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/drivers/media/radio/si4713-i2c.c b/drivers/media/radio/si4713-i2c.c
+index deca2e0..c9f4a8e 100644
+--- a/drivers/media/radio/si4713-i2c.c
++++ b/drivers/media/radio/si4713-i2c.c
+@@ -1033,7 +1033,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
+ 		char ps_name[MAX_RDS_PS_NAME + 1];
+ 
+ 		len = control->size - 1;
+-		if (len > MAX_RDS_PS_NAME) {
++		if (len < 0 || len > MAX_RDS_PS_NAME) {
+ 			rval = -ERANGE;
+ 			goto exit;
+ 		}
+@@ -1057,7 +1057,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
+ 		char radio_text[MAX_RDS_RADIO_TEXT + 1];
+ 
+ 		len = control->size - 1;
+-		if (len > MAX_RDS_RADIO_TEXT) {
++		if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
+ 			rval = -ERANGE;
+ 			goto exit;
+ 		}
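Review bot: In both changed checks (`if (len < 0 || len > MAX_RDS_PS_NAME)` and the `MAX_RDS_RADIO_TEXT` one), the new `len < 0` test only has an effect if `len` is a signed type, and its declaration is outside the context shown. Please confirm that, or test `control->size` itself before the subtraction so the bound does not depend on how `control->size - 1` converts. The commit message also quotes only the compiler error; one sentence naming the input that makes `len` negative (for example a `control->size` of 0) and passes the old upper-bound check would document why the fix is needed.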

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug 11 18:42:32 2011	(r17910)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug 11 18:51:41 2011	(r17911)
@@ -4,3 +4,4 @@
 + bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
 + debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
 + bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
++ bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch


