[kernel] r16949 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Mon Feb 28 04:15:26 UTC 2011


Author: benh
Date: Mon Feb 28 04:15:11 2011
New Revision: 16949

Log:
iowarrior: Don't trust report_size for buffer size (CVE-2010-4656)

Added:
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-don-t-trust-report_size-for-buffer-siz.patch
Modified:
   dists/squeeze/linux-2.6/debian/changelog
   dists/squeeze/linux-2.6/debian/patches/series/31

Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog	Mon Feb 28 04:05:25 2011	(r16948)
+++ dists/squeeze/linux-2.6/debian/changelog	Mon Feb 28 04:15:11 2011	(r16949)
@@ -33,6 +33,7 @@
     - Add schedule check to napi_enable call
   * af_unix: Limit recursion level of passing sockets through sockets
     (variant of CVE-2010-4249)
+  * iowarrior: Don't trust report_size for buffer size (CVE-2010-4656)
 
   [ dann frazier ]
   * xfs: fix information leak using stale NFS handle (CVE-2010-2943)

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-don-t-trust-report_size-for-buffer-siz.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-don-t-trust-report_size-for-buffer-siz.patch	Mon Feb 28 04:15:11 2011	(r16949)
@@ -0,0 +1,33 @@
+From: Kees Cook <kees.cook at canonical.com>
+Date: Mon, 11 Oct 2010 11:28:16 -0700
+Subject: [PATCH] usb: iowarrior: don't trust report_size for buffer size
+
+commit 3ed780117dbe5acb64280d218f0347f238dafed0 upstream.
+
+If the iowarrior devices in this case statement support more than 8 bytes
+per report, it is possible to write past the end of a kernel heap allocation.
+This will probably never be possible, but change the allocation to be more
+defensive anyway.
+
+Signed-off-by: Kees Cook <kees.cook at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/usb/misc/iowarrior.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index bc88c79..8ed8d05 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
+ 	case USB_DEVICE_ID_CODEMERCS_IOWPV2:
+ 	case USB_DEVICE_ID_CODEMERCS_IOW40:
+ 		/* IOW24 and IOW40 use a synchronous call */
+-		buf = kmalloc(8, GFP_KERNEL);	/* 8 bytes are enough for both products */
++		buf = kmalloc(count, GFP_KERNEL);
+ 		if (!buf) {
+ 			retval = -ENOMEM;
+ 			goto exit;
+-- 
+1.7.4.1
+
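
Review bot: In the iowarrior_write hunk, `buf = kmalloc(count, GFP_KERNEL);` now sizes the allocation from `count`, but nothing in the visible context shows `count` being bounded or rejected when zero before this case is reached, so please confirm that check exists earlier in the function and that the later copy into `buf` uses the same length. The subject line talks about report_size while the code uses `count`; a sentence in the commit message stating how the two are related would make the fix easier to audit. The removed trailing comment ("8 bytes are enough for both products") also took the only explanation of the buffer size with it, so a short replacement comment saying why the buffer is sized by `count` would help the next reader.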

Modified: dists/squeeze/linux-2.6/debian/patches/series/31
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/31	Mon Feb 28 04:05:25 2011	(r16948)
+++ dists/squeeze/linux-2.6/debian/patches/series/31	Mon Feb 28 04:15:11 2011	(r16949)
@@ -38,3 +38,4 @@
 + bugfix/all/revert-USB-prevent-buggy-hubs-from-crashing-the-USB.patch
 + bugfix/all/af_unix-limit-recursion-level.patch
 + debian/af_unix-Avoid-ABI-change-from-introduction-of-recursion-limit.patch
++ bugfix/all/usb-iowarrior-don-t-trust-report_size-for-buffer-siz.patch


