[kernel] r16816 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Moritz Muehlenhoff jmm at alioth.debian.org
Sun Jan 16 03:04:49 UTC 2011


Author: jmm
Date: Sun Jan 16 03:04:20 2011
New Revision: 16816

Log:
fix CVE-2010-4258

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4258.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Jan 16 02:52:18 2011	(r16815)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Jan 16 03:04:20 2011	(r16816)
@@ -14,6 +14,7 @@
   * sctp: Fix a race between ICMP protocol unreachable and connect()
     (CVE-2010-4526)
   * sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)	
+  * irda: prevent integer underflow in IRLMP_ENUMDEVICES (CVE-2010-4258)
 	
  -- dann frazier <dannf at debian.org>  Wed, 01 Dec 2010 20:32:11 -0700
 

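Review bot: The added changelog line labels the irda IRLMP_ENUMDEVICES fix as CVE-2010-4258, but the upstream commit message carried in the new patch file names no CVE at all, so nothing in this revision backs that identifier. Please confirm the id against the CVE description before upload, because the same number is reused for the patch file name and the series entry and a wrong id would propagate to the advisory.
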
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4258.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4258.patch	Sun Jan 16 03:04:20 2011	(r16816)
@@ -0,0 +1,58 @@
+From fdac1e0697356ac212259f2147aa60c72e334861 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 22 Dec 2010 13:58:27 +0000
+Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES
+
+If the user-provided len is less than the expected offset, the
+IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
+size value.  While this isn't be a security issue on x86 because it will
+get caught by the access_ok() check, it may leak large amounts of kernel
+heap on other architectures.  In any event, this patch fixes it.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/irda/af_irda.c |   18 +++++++++++-------
+ 1 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index 7f09798..5007541 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2281,6 +2281,16 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
+ 
+ 	switch (optname) {
+ 	case IRLMP_ENUMDEVICES:
++
++		/* Offset to first device entry */
++		offset = sizeof(struct irda_device_list) -
++			sizeof(struct irda_device_info);
++
++		if (len < offset) {
++			err = -EINVAL;
++			goto out;
++		}
++
+ 		/* Ask lmp for the current discovery log */
+ 		discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
+ 						    self->nslots);
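Review bot: The new `if (len < offset)` test in the IRLMP_ENUMDEVICES case has no comment saying what it protects; the "Offset to first device entry" comment above it only describes the assignment. A one-line comment that a user buffer shorter than the list header makes the later copy_to_user() size go very large (as the commit message explains) would stop the check being dropped as redundant later. Placing it ahead of irlmp_get_discoveries() is right, since `goto out` then runs before `discoveries` is assigned, but the `out` label is outside the visible context, so confirm that path does not touch `discoveries`.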
+@@ -2291,15 +2301,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
+ 		}
+ 
+ 		/* Write total list length back to client */
+-		if (copy_to_user(optval, &list,
+-				 sizeof(struct irda_device_list) -
+-				 sizeof(struct irda_device_info)))
++		if (copy_to_user(optval, &list, offset))
+ 			err = -EFAULT;
+ 
+-		/* Offset to first device entry */
+-		offset = sizeof(struct irda_device_list) -
+-			sizeof(struct irda_device_info);
+-
+ 		/* Copy the list itself - watch for overflow */
+ 		if (list.len > 2048) {
+ 			err = -EINVAL;
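Review bot: When the rewritten `copy_to_user(optval, &list, offset)` fails, `err = -EFAULT` is set but control still falls through to the `list.len > 2048` check, which can overwrite the error with -EINVAL. This is behaviour the hunk inherits rather than introduces, so it is better raised upstream than changed in the backport, but a jump to the cleanup path after the failed copy would make the returned error deterministic. Hoisting the `offset` computation so it is reused here instead of repeating the sizeof expression is fine.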
+-- 
+1.7.3.5
+

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Sun Jan 16 02:52:18 2011	(r16815)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Sun Jan 16 03:04:20 2011	(r16816)
@@ -6,3 +6,4 @@
 + bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
 + bugfix/all/CVE-2010-4526.patch
 + bugfix/all/CVE-2010-4527.patch
++ bugfix/all/CVE-2010-4258.patch


