[kernel] r16824 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jan 17 07:39:05 UTC 2011
Author: dannf
Date: Mon Jan 17 07:38:53 2011
New Revision: 16824
Log:
fix build issue/CVE name typo for CVE-2010-4529
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
- copied unchanged from r16821, dists/sid/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
Deleted:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2010-4258.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 07:12:59 2011 (r16823)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 07:38:53 2011 (r16824)
@@ -18,7 +18,7 @@
* sctp: Fix a race between ICMP protocol unreachable and connect()
(CVE-2010-4526)
* sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
- * irda: prevent integer underflow in IRLMP_ENUMDEVICES (CVE-2010-4258)
+ * irda: prevent integer underflow in IRLMP_ENUMDEVICES (CVE-2010-4529)
-- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch (from r16821, dists/sid/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch Mon Jan 17 07:38:53 2011 (r16824, copy of r16821, dists/sid/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch)
@@ -0,0 +1,50 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 22 Dec 2010 13:58:27 +0000
+Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES
+
+commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.
+
+If the user-provided len is less than the expected offset, the
+IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
+size value. While this isn't be a security issue on x86 because it will
+get caught by the access_ok() check, it may leak large amounts of kernel
+heap on other architectures. In any event, this patch fixes it.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[dannf: Backport to 2.6.32]
+---
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2164,6 +2164,14 @@ static int irda_getsockopt(struct socket
+
+ switch (optname) {
+ case IRLMP_ENUMDEVICES:
++
++ /* Offset to first device entry */
++ offset = sizeof(struct irda_device_list) -
++ sizeof(struct irda_device_info);
++
++ if (len < offset)
++ return -EINVAL;
++
+ /* Ask lmp for the current discovery log */
+ discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
+ self->nslots);
+@@ -2173,15 +2181,9 @@ static int irda_getsockopt(struct socket
+ err = 0;
+
+ /* Write total list length back to client */
+- if (copy_to_user(optval, &list,
+- sizeof(struct irda_device_list) -
+- sizeof(struct irda_device_info)))
++ if (copy_to_user(optval, &list, offset))
+ err = -EFAULT;
+
+- /* Offset to first device entry */
+- offset = sizeof(struct irda_device_list) -
+- sizeof(struct irda_device_info);
+-
+ /* Copy the list itself - watch for overflow */
+ if(list.len > 2048)
+ {
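Review bot: in the first af_irda.c hunk the new `if (len < offset)` check leaves with a bare `return -EINVAL`, while the rest of this case reports failures through `err` (`err = -EFAULT` a few lines later), so it skips whatever common exit irda_getsockopt has. Placing the check before irlmp_get_discoveries() means there is no discovery log to free yet, but it is worth confirming that nothing else (a lock, for instance) is held at that point in this tree, or setting `err = -EINVAL` and leaving through the function's normal exit instead. The header also still reads "[dannf: Backport to 2.6.32]" although the file is copied unchanged from sid into lenny-security; a line stating that it was checked against this tree's af_irda.c would help.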
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 07:12:59 2011 (r16823)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 07:38:53 2011 (r16824)
@@ -6,7 +6,7 @@
+ bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
+ bugfix/all/CVE-2010-4526.patch
+ bugfix/all/CVE-2010-4527.patch
-+ bugfix/all/CVE-2010-4258.patch
+ bugfix/all/exec-make-argv-envp-memory-visible-to-oom-killer.patch
+ bugfix/all/exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch
+ debian/exec-Get-rid-of-linux_binprm-vma_pages.patch
++ bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
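Review bot: the replacement entry is appended at the end of the series rather than taking the slot of the removed `bugfix/all/CVE-2010-4258.patch` line, so the irda fix now applies after the three exec patches instead of before them. The patch only touches net/irda/af_irda.c, so the order should not matter, but swapping the name in place would keep this hunk a pure rename and leave the apply order as it was.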