[kernel] r16815 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Moritz Muehlenhoff jmm at alioth.debian.org
Sun Jan 16 02:52:21 UTC 2011


Author: jmm
Date: Sun Jan 16 02:52:18 2011
New Revision: 16815

Log:
fix CVE-2010-4527

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4527.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Jan 16 02:48:55 2011	(r16814)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Jan 16 02:52:18 2011	(r16815)
@@ -13,6 +13,7 @@
   * blkback/blktap/netback: Fix CVE-2010-3699 	
   * sctp: Fix a race between ICMP protocol unreachable and connect()
     (CVE-2010-4526)
+  * sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)	
 	
  -- dann frazier <dannf at debian.org>  Wed, 01 Dec 2010 20:32:11 -0700
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4527.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4527.patch	Sun Jan 16 02:52:18 2011	(r16815)
@@ -0,0 +1,47 @@
+From d81a12bc29ae4038770e05dce4ab7f26fd5880fb Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Sat, 25 Dec 2010 16:23:40 -0500
+Subject: [PATCH] sound: Prevent buffer overflow in OSS load_mixer_volumes
+
+The load_mixer_volumes() function, which can be triggered by
+unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
+a buffer overflow.  Because the provided "name" argument isn't
+guaranteed to be NULL terminated at the expected 32 bytes, it's possible
+to overflow past the end of the last element in the mixer_vols array.
+Further exploitation can result in an arbitrary kernel write (via
+subsequent calls to load_mixer_volumes()) leading to privilege
+escalation, or arbitrary kernel reads via get_mixer_levels().  In
+addition, the strcmp() may leak bytes beyond the mixer_vols array.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: stable <stable at kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/oss/soundcard.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
+index 46c0d03..fcb14a09 100644
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ 	int             i, n;
+ 
+ 	for (i = 0; i < num_mixer_volumes; i++) {
+-		if (strcmp(name, mixer_vols[i].name) == 0) {
++		if (strncmp(name, mixer_vols[i].name, 32) == 0) {
+ 			if (present)
+ 				mixer_vols[i].num = i;
+ 			return mixer_vols[i].levels;
+@@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ 	}
+ 	n = num_mixer_volumes++;
+ 
+-	strcpy(mixer_vols[n].name, name);
++	strncpy(mixer_vols[n].name, name, 32);
+ 
+ 	if (present)
+ 		mixer_vols[n].num = n;
+-- 
+1.7.3.5
+
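
Review bot: in the second soundcard.c hunk, `strncpy(mixer_vols[n].name, name, 32)` leaves the stored name without a terminating NUL whenever the caller's name is 32 bytes or longer, which is the input the commit message describes. The bounded `strncmp(name, mixer_vols[i].name, 32)` in the first hunk tolerates an unterminated field, but any other code that reads `mixer_vols[n].name` as a C string would still run past it. Consider terminating the field explicitly after the copy, or noting in a comment that the name is a fixed-width field that may be unterminated. Assuming the field is 32 bytes, as the commit message implies, both calls could use `sizeof(mixer_vols[n].name)` instead of the literal 32 so the bound follows the array definition.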

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Sun Jan 16 02:48:55 2011	(r16814)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Sun Jan 16 02:52:18 2011	(r16815)
@@ -5,3 +5,4 @@
 + bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
 + bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
 + bugfix/all/CVE-2010-4526.patch
++ bugfix/all/CVE-2010-4527.patch


