[kernel] r17915 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Aug 12 01:38:31 UTC 2011
Author: dannf
Date: Fri Aug 12 01:38:30 2011
New Revision: 17915
Log:
Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Fri Aug 12 01:36:09 2011 (r17914)
+++ dists/squeeze-security/linux-2.6/debian/changelog Fri Aug 12 01:38:30 2011 (r17915)
@@ -8,6 +8,7 @@
* Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
* proc: restrict access to /proc/PID/io (CVE-2011-2495)
* vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
+ * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
[ Moritz Muehlenhoff ]
* si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch Fri Aug 12 01:38:30 2011 (r17915)
@@ -0,0 +1,30 @@
+commit 7ac28817536797fd40e9646452183606f9e17f71
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri Jun 24 08:38:05 2011 -0400
+
+ Bluetooth: Prevent buffer overflow in l2cap config request
+
+ A remote user can provide a small value for the command size field in
+ the command header of an l2cap configuration request, resulting in an
+ integer underflow when subtracting the size of the configuration request
+ header. This results in copying a very large amount of data via
+ memcpy() and destroying the kernel heap. Check for underflow.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 514aa8f..71120ee 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2720,7 +2720,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
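Review bot: The added `len < 0` test only catches the underflow if `len` is a signed type, and its declaration lies outside this hunk, so it should be confirmed against the 2.6.32 tree this was backported to. Because `sizeof(*req)` yields an unsigned `size_t`, the subtraction `cmd_len - sizeof(*req)` wraps in unsigned arithmetic when `cmd_len` is int-width or narrower, and a negative value only appears after conversion on assignment to `len`. Testing the precondition before subtracting, for example `if (cmd_len < sizeof(*req))` leading into the same L2CAP_CONF_REJECT path, would not depend on the type of `len` and states the intent directly. The comment "Reject if config buffer is too small." could also be extended to mention the short command length it now covers, and the "[dannf: backported to Debian's 2.6.32]" line would be more useful if it said what, if anything, differs from the upstream commit.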
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Fri Aug 12 01:36:09 2011 (r17914)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Fri Aug 12 01:38:30 2011 (r17915)
@@ -8,3 +8,4 @@
+ bugfix/all/proc-restrict-access-to-proc-pid-io.patch
+ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
++ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch