[kernel] r16816 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Moritz Muehlenhoff
jmm at alioth.debian.org
Sun Jan 16 03:04:49 UTC 2011
Author: jmm
Date: Sun Jan 16 03:04:20 2011
New Revision: 16816
Log:
fix CVE-2010-4258
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4258.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Jan 16 02:52:18 2011 (r16815)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Jan 16 03:04:20 2011 (r16816)
@@ -14,6 +14,7 @@
* sctp: Fix a race between ICMP protocol unreachable and connect()
(CVE-2010-4526)
* sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
+ * irda: prevent integer underflow in IRLMP_ENUMDEVICES (CVE-2010-4258)
-- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4258.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4258.patch Sun Jan 16 03:04:20 2011 (r16816)
@@ -0,0 +1,58 @@
+From fdac1e0697356ac212259f2147aa60c72e334861 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 22 Dec 2010 13:58:27 +0000
+Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES
+
+If the user-provided len is less than the expected offset, the
+IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
+size value. While this isn't be a security issue on x86 because it will
+get caught by the access_ok() check, it may leak large amounts of kernel
+heap on other architectures. In any event, this patch fixes it.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/irda/af_irda.c | 18 +++++++++++-------
+ 1 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index 7f09798..5007541 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2281,6 +2281,16 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
+
+ switch (optname) {
+ case IRLMP_ENUMDEVICES:
++
++ /* Offset to first device entry */
++ offset = sizeof(struct irda_device_list) -
++ sizeof(struct irda_device_info);
++
++ if (len < offset) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ /* Ask lmp for the current discovery log */
+ discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
+ self->nslots);
+@@ -2291,15 +2301,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
+ }
+
+ /* Write total list length back to client */
+- if (copy_to_user(optval, &list,
+- sizeof(struct irda_device_list) -
+- sizeof(struct irda_device_info)))
++ if (copy_to_user(optval, &list, offset))
+ err = -EFAULT;
+
+- /* Offset to first device entry */
+- offset = sizeof(struct irda_device_list) -
+- sizeof(struct irda_device_info);
+-
+ /* Copy the list itself - watch for overflow */
+ if (list.len > 2048) {
+ err = -EINVAL;
+--
+1.7.3.5
+
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Sun Jan 16 02:52:18 2011 (r16815)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Sun Jan 16 03:04:20 2011 (r16816)
@@ -6,3 +6,4 @@
+ bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
+ bugfix/all/CVE-2010-4526.patch
+ bugfix/all/CVE-2010-4527.patch
++ bugfix/all/CVE-2010-4258.patch
More information about the Kernel-svn-changes
mailing list