[kernel] r16930 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Feb 21 19:55:23 UTC 2011


Author: dannf
Date: Mon Feb 21 19:55:17 2011
New Revision: 16930

Log:
CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565)

Added:
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
Modified:
   dists/squeeze/linux-2.6/debian/changelog
   dists/squeeze/linux-2.6/debian/patches/series/31

Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog	Mon Feb 21 19:55:00 2011	(r16929)
+++ dists/squeeze/linux-2.6/debian/changelog	Mon Feb 21 19:55:17 2011	(r16930)
@@ -35,6 +35,7 @@
   * xfs: fix information leak using stale NFS handle (CVE-2010-2943)
   * av7110: check for negative array offset (CVE-2011-0521)
   * s390: remove task_show_regs (CVE-2011-0710)
+  * CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565)
 
   [ maximilian attems]
   * Update openvz patch to 07aaa2e9fb25 (ipv6, checkpointing, stability,

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch	Mon Feb 21 19:55:17 2011	(r16930)
@@ -0,0 +1,38 @@
+commit 9f260e0efa4766e56d0ac14f1aeea6ee5eb8fe83
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Sun Dec 26 06:54:53 2010 +0000
+
+    CAN: Use inode instead of kernel address for /proc file
+    
+    Since the socket address is just being used as a unique identifier, its
+    inode number is an alternative that does not leak potentially sensitive
+    information.
+    
+    CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Acked-by: Oliver Hartkopp <socketcan at hartkopp.net>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 6faa825..9d5e8ac 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -125,7 +125,7 @@ struct bcm_sock {
+ 	struct list_head tx_ops;
+ 	unsigned long dropped_usr_msgs;
+ 	struct proc_dir_entry *bcm_proc_read;
+-	char procname [20]; /* pointer printed in ASCII with \0 */
++	char procname [32]; /* inode number in decimal with \0 */
+ };
+ 
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
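Review bot: The new size in `char procname [32]` is a bare constant whose only justification is the comment, which says what is stored but not why 32 is enough. An `unsigned long` printed with `%lu` needs at most 20 digits plus the terminating `\0` on 64-bit, so 32 is sufficient; stating that bound in the comment, or deriving the size from a named constant, would keep a later format change from silently outgrowing the field.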
+@@ -1521,7 +1521,7 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
+ 
+ 	if (proc_dir) {
+ 		/* unique socket address as filename */
+-		sprintf(bo->procname, "%p", sock);
++		sprintf(bo->procname, "%lu", sock_i_ino(sk));
+ 		bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
+ 						     proc_dir,
+ 						     &bcm_proc_fops, sk);
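Review bot: The unchanged context comment `/* unique socket address as filename */` directly above the changed `sprintf` is now stale, since the name is built from `sock_i_ino(sk)` rather than the socket pointer; update it in the same patch so a later reader does not take the address as the intended identifier. The write is also still an unbounded `sprintf`; `snprintf(bo->procname, sizeof(bo->procname), "%lu", sock_i_ino(sk))` would tie the bound to the field declared in `struct bcm_sock` instead of relying on the two hunks staying in sync.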

Modified: dists/squeeze/linux-2.6/debian/patches/series/31
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/31	Mon Feb 21 19:55:00 2011	(r16929)
+++ dists/squeeze/linux-2.6/debian/patches/series/31	Mon Feb 21 19:55:17 2011	(r16930)
@@ -34,3 +34,4 @@
 + bugfix/all/virtio_net-Add-schedule-check-to-napi_enable-call.patch
 + debian/revert-radio-aimslab-gcc4.5-fix-in-2.6.32.29.patch
 + bugfix/s390/remove-task_show_regs.patch
++ bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch


