[kernel] r16833 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jan 17 20:14:36 UTC 2011
Author: dannf
Date: Mon Jan 17 20:14:20 2011
New Revision: 16833
Log:
CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 20:11:37 2011 (r16832)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 20:14:20 2011 (r16833)
@@ -21,6 +21,7 @@
* install_special_mapping skips security_file_mmap check (CVE-2010-4346)
* sctp: a race between ICMP protocol unreachable and connect() (CVE-2010-4526)
* sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
+ * CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565)
[ Moritz Muehlenhoff ]
* blkback/blktap/netback: Fix CVE-2010-3699
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch Mon Jan 17 20:14:20 2011 (r16833)
@@ -0,0 +1,39 @@
+commit cb67a94a5ba37e5f01e254d29bc6ba5dcea70607
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Sun Dec 26 06:54:53 2010 +0000
+
+ CAN: Use inode instead of kernel address for /proc file
+
+ Since the socket address is just being used as a unique identifier, its
+ inode number is an alternative that does not leak potentially sensitive
+ information.
+
+ CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Acked-by: Oliver Hartkopp <socketcan at hartkopp.net>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: adjusted to apply to Debian's 2.6.26]
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 061df5e..6e2a64c 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -120,7 +120,7 @@ struct bcm_sock {
+ struct list_head tx_ops;
+ unsigned long dropped_usr_msgs;
+ struct proc_dir_entry *bcm_proc_read;
+- char procname [20]; /* pointer printed in ASCII with \0 */
++ char procname [32]; /* inode number in decimal with \0 */
+ };
+
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
+@@ -1478,7 +1478,7 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
+
+ if (proc_dir) {
+ /* unique socket address as filename */
+- sprintf(bo->procname, "%p", sock);
++ sprintf(bo->procname, "%lu", sock_i_ino(sk));
+ bo->bcm_proc_read = create_proc_read_entry(bo->procname, 0644,
+ proc_dir,
+ bcm_read_proc, sk);
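Review bot: the `sprintf(bo->procname, "%lu", sock_i_ino(sk));` call in bcm_connect() is still unbounded, so the only thing keeping it inside the buffer is the separate `procname [32]` change in struct bcm_sock. A 64-bit unsigned long printed in decimal needs at most 20 digits plus the terminating NUL, so 32 bytes is enough today, but `snprintf(bo->procname, sizeof(bo->procname), "%lu", sock_i_ino(sk));` would tie the write to the declared size and survive later changes to either line. The unchanged context comment `/* unique socket address as filename */` directly above is now stale, since the filename is the inode number and no longer an address; it should be updated to match the new comment on the struct field.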
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 20:11:37 2011 (r16832)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 20:14:20 2011 (r16833)
@@ -18,3 +18,4 @@
+ bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
+ bugfix/all/sctp-fix-race-between-ICMP-protocol-unreachable-and-connect.patch
+ bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
++ bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch