[kernel] r16949 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Mon Feb 28 04:15:26 UTC 2011
Author: benh
Date: Mon Feb 28 04:15:11 2011
New Revision: 16949
Log:
iowarrior: Don't trust report_size for buffer size (CVE-2010-4656)
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-don-t-trust-report_size-for-buffer-siz.patch
Modified:
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/31
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Mon Feb 28 04:05:25 2011 (r16948)
+++ dists/squeeze/linux-2.6/debian/changelog Mon Feb 28 04:15:11 2011 (r16949)
@@ -33,6 +33,7 @@
- Add schedule check to napi_enable call
* af_unix: Limit recursion level of passing sockets through sockets
(variant of CVE-2010-4249)
+ * iowarrior: Don't trust report_size for buffer size (CVE-2010-4656)
[ dann frazier ]
* xfs: fix information leak using stale NFS handle (CVE-2010-2943)
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-don-t-trust-report_size-for-buffer-siz.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-don-t-trust-report_size-for-buffer-siz.patch Mon Feb 28 04:15:11 2011 (r16949)
@@ -0,0 +1,33 @@
+From: Kees Cook <kees.cook at canonical.com>
+Date: Mon, 11 Oct 2010 11:28:16 -0700
+Subject: [PATCH] usb: iowarrior: don't trust report_size for buffer size
+
+commit 3ed780117dbe5acb64280d218f0347f238dafed0 upstream.
+
+If the iowarrior devices in this case statement support more than 8 bytes
+per report, it is possible to write past the end of a kernel heap allocation.
+This will probably never be possible, but change the allocation to be more
+defensive anyway.
+
+Signed-off-by: Kees Cook <kees.cook at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/usb/misc/iowarrior.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index bc88c79..8ed8d05 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
+ case USB_DEVICE_ID_CODEMERCS_IOWPV2:
+ case USB_DEVICE_ID_CODEMERCS_IOW40:
+ /* IOW24 and IOW40 use a synchronous call */
+- buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
++ buf = kmalloc(count, GFP_KERNEL);
+ if (!buf) {
+ retval = -ENOMEM;
+ goto exit;
+--
+1.7.4.1
+
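Review bot: the replacement line `buf = kmalloc(count, GFP_KERNEL);` in iowarrior_write() sizes the buffer from `count`, but the visible context shows no bound on `count` and no comparison with report_size, the value the subject line says not to trust. Please confirm that a check earlier in the function rejects a `count` the device cannot accept, including zero. Also confirm that the copy into `buf` after this hunk uses that same `count`, because the fix only holds if the allocation size and the write length are the same value. The removed trailing comment explained the old size of 8; a short comment on the new line stating that the buffer must match the length written into it would keep the reasoning in the code. The patch description does not mention CVE-2010-4656, which the changelog entry names, so a reference there would let the patch file stand on its own.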
Modified: dists/squeeze/linux-2.6/debian/patches/series/31
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/31 Mon Feb 28 04:05:25 2011 (r16948)
+++ dists/squeeze/linux-2.6/debian/patches/series/31 Mon Feb 28 04:15:11 2011 (r16949)
@@ -38,3 +38,4 @@
+ bugfix/all/revert-USB-prevent-buggy-hubs-from-crashing-the-USB.patch
+ bugfix/all/af_unix-limit-recursion-level.patch
+ debian/af_unix-Avoid-ABI-change-from-introduction-of-recursion-limit.patch
++ bugfix/all/usb-iowarrior-don-t-trust-report_size-for-buffer-siz.patch