[kernel] r17983 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Aug 21 22:00:07 UTC 2011


Author: dannf
Date: Sun Aug 21 22:00:05 2011
New Revision: 17983

Log:
Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
      - copied unchanged from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny4

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Aug 21 21:57:56 2011	(r17982)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Aug 21 22:00:05 2011	(r17983)
@@ -6,6 +6,7 @@
   * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
   * proc: restrict access to /proc/PID/io (CVE-2011-2495)
   * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
+  * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
 
   [ Moritz Muehlenhoff ]
   * ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch (from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch	Sun Aug 21 22:00:05 2011	(r17983, copy of r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch)
@@ -0,0 +1,30 @@
+commit 7ac28817536797fd40e9646452183606f9e17f71
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Fri Jun 24 08:38:05 2011 -0400
+
+    Bluetooth: Prevent buffer overflow in l2cap config request
+    
+    A remote user can provide a small value for the command size field in
+    the command header of an l2cap configuration request, resulting in an
+    integer underflow when subtracting the size of the configuration request
+    header.  This results in copying a very large amount of data via
+    memcpy() and destroying the kernel heap.  Check for underflow.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: stable <stable at kernel.org>
+    Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 514aa8f..71120ee 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2720,7 +2720,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+ 
+ 	/* Reject if config buffer is too small. */
+ 	len = cmd_len - sizeof(*req);
+-	if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++	if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ 		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ 				l2cap_build_conf_rsp(sk, rsp,
+ 					L2CAP_CONF_REJECT, flags), rsp);
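
Review bot: The added `len < 0` test in l2cap_config_req() only works if `len` is a signed type, and its declaration is not part of this hunk. The line above it, `len = cmd_len - sizeof(*req);`, subtracts an unsigned `sizeof` value, so a negative result only appears once the value is converted on assignment. Checking the input before the subtraction, for example `cmd_len < sizeof(*req)`, would make the rejection independent of that conversion and easier to audit. The comment `/* Reject if config buffer is too small. */` could also mention the short-command case that the new condition now rejects.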

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Sun Aug 21 21:57:56 2011	(r17982)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Sun Aug 21 22:00:05 2011	(r17983)
@@ -10,3 +10,4 @@
 + bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
 + bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
 + bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
++ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
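
Review bot: The patch added to this series is copied unchanged from squeeze-security, and its header still carries the tag `[dannf: backported to Debian's 2.6.32]`, so nothing in it records that it was checked against the lenny tree. It is worth confirming that the `@@ -2720,7 +2720,7 @@` hunk for net/bluetooth/l2cap.c applies on this branch without fuzz or offset, and adding a line to the patch header noting the lenny copy.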


