[kernel] r16815 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Moritz Muehlenhoff
jmm at alioth.debian.org
Sun Jan 16 02:52:21 UTC 2011
Author: jmm
Date: Sun Jan 16 02:52:18 2011
New Revision: 16815
Log:
fix CVE-2010-4527
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4527.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Jan 16 02:48:55 2011 (r16814)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Jan 16 02:52:18 2011 (r16815)
@@ -13,6 +13,7 @@
* blkback/blktap/netback: Fix CVE-2010-3699
* sctp: Fix a race between ICMP protocol unreachable and connect()
(CVE-2010-4526)
+ * sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
-- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4527.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4527.patch Sun Jan 16 02:52:18 2011 (r16815)
@@ -0,0 +1,47 @@
+From d81a12bc29ae4038770e05dce4ab7f26fd5880fb Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Sat, 25 Dec 2010 16:23:40 -0500
+Subject: [PATCH] sound: Prevent buffer overflow in OSS load_mixer_volumes
+
+The load_mixer_volumes() function, which can be triggered by
+unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
+a buffer overflow. Because the provided "name" argument isn't
+guaranteed to be NULL terminated at the expected 32 bytes, it's possible
+to overflow past the end of the last element in the mixer_vols array.
+Further exploitation can result in an arbitrary kernel write (via
+subsequent calls to load_mixer_volumes()) leading to privilege
+escalation, or arbitrary kernel reads via get_mixer_levels(). In
+addition, the strcmp() may leak bytes beyond the mixer_vols array.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: stable <stable at kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/oss/soundcard.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
+index 46c0d03..fcb14a09 100644
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ int i, n;
+
+ for (i = 0; i < num_mixer_volumes; i++) {
+- if (strcmp(name, mixer_vols[i].name) == 0) {
++ if (strncmp(name, mixer_vols[i].name, 32) == 0) {
+ if (present)
+ mixer_vols[i].num = i;
+ return mixer_vols[i].levels;
+@@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ }
+ n = num_mixer_volumes++;
+
+- strcpy(mixer_vols[n].name, name);
++ strncpy(mixer_vols[n].name, name, 32);
+
+ if (present)
+ mixer_vols[n].num = n;
+--
+1.7.3.5
+
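Review bot: the strncpy() into mixer_vols[n].name in the second soundcard.c hunk writes no terminator when the caller's name fills all 32 bytes, so the stored name can be left without a NUL. The strncmp() in the first hunk is bounded to 32 and tolerates that, but any other reader that treats the field as a C string would still run past it. Either terminate explicitly after the copy, or add a comment that the field is fixed-width and must only be read with bounded calls. Both calls also hard-code 32; if name is declared as an array (the declaration is not visible in these hunks), sizeof(mixer_vols[n].name) would keep the bound tied to the declaration.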
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Sun Jan 16 02:48:55 2011 (r16814)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Sun Jan 16 02:52:18 2011 (r16815)
@@ -5,3 +5,4 @@
+ bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
+ bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
+ bugfix/all/CVE-2010-4526.patch
++ bugfix/all/CVE-2010-4527.patch