[kernel] r17915 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Aug 12 01:38:31 UTC 2011


Author: dannf
Date: Fri Aug 12 01:38:30 2011
New Revision: 17915

Log:
Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Fri Aug 12 01:36:09 2011	(r17914)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Fri Aug 12 01:38:30 2011	(r17915)
@@ -8,6 +8,7 @@
   * Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
   * proc: restrict access to /proc/PID/io (CVE-2011-2495)
   * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
+  * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
 
   [ Moritz Muehlenhoff ]
   * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch	Fri Aug 12 01:38:30 2011	(r17915)
@@ -0,0 +1,30 @@
+commit 7ac28817536797fd40e9646452183606f9e17f71
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Fri Jun 24 08:38:05 2011 -0400
+
+    Bluetooth: Prevent buffer overflow in l2cap config request
+    
+    A remote user can provide a small value for the command size field in
+    the command header of an l2cap configuration request, resulting in an
+    integer underflow when subtracting the size of the configuration request
+    header.  This results in copying a very large amount of data via
+    memcpy() and destroying the kernel heap.  Check for underflow.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: stable <stable at kernel.org>
+    Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 514aa8f..71120ee 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2720,7 +2720,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+ 
+ 	/* Reject if config buffer is too small. */
+ 	len = cmd_len - sizeof(*req);
+-	if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++	if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ 		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ 				l2cap_build_conf_rsp(sk, rsp,
+ 					L2CAP_CONF_REJECT, flags), rsp);
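
Review bot: the added `len < 0` test in l2cap_config_req() only catches the underflow if `len` is a signed type, and its declaration is outside this hunk's context. Because `sizeof(*req)` yields an unsigned size_t, the subtraction on the line above is evaluated unsigned and the result turns negative only through the assignment to `len`. Please confirm against the 2.6.32 tree that `len` is declared as a signed int. The second half of the condition also compares a sum involving `len` against a `sizeof` value, so it mixes signed and unsigned operands. A form that does not depend on signedness is to reject before subtracting, for example `if (cmd_len < sizeof(*req) || ...)`, and compute `len` only after that test passes. The `[dannf: backported to Debian's 2.6.32]` line would also be more useful if it said what had to change relative to upstream commit 7ac28817536797fd40e9646452183606f9e17f71.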

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Fri Aug 12 01:36:09 2011	(r17914)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Fri Aug 12 01:38:30 2011	(r17915)
@@ -8,3 +8,4 @@
 + bugfix/all/proc-restrict-access-to-proc-pid-io.patch
 + bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
 + bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
++ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch


