[kernel] r16833 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jan 17 20:14:36 UTC 2011


Author: dannf
Date: Mon Jan 17 20:14:20 2011
New Revision: 16833

Log:
CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 20:11:37 2011	(r16832)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 20:14:20 2011	(r16833)
@@ -21,6 +21,7 @@
   * install_special_mapping skips security_file_mmap check (CVE-2010-4346)
   * sctp: a race between ICMP protocol unreachable and connect() (CVE-2010-4526)
   * sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
+  * CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565)
 
   [ Moritz Muehlenhoff ]
   * blkback/blktap/netback: Fix CVE-2010-3699 	

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch	Mon Jan 17 20:14:20 2011	(r16833)
@@ -0,0 +1,39 @@
+commit cb67a94a5ba37e5f01e254d29bc6ba5dcea70607
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Sun Dec 26 06:54:53 2010 +0000
+
+    CAN: Use inode instead of kernel address for /proc file
+    
+    Since the socket address is just being used as a unique identifier, its
+    inode number is an alternative that does not leak potentially sensitive
+    information.
+    
+    CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Acked-by: Oliver Hartkopp <socketcan at hartkopp.net>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: adjusted to apply to Debian's 2.6.26]
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 061df5e..6e2a64c 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -120,7 +120,7 @@ struct bcm_sock {
+ 	struct list_head tx_ops;
+ 	unsigned long dropped_usr_msgs;
+ 	struct proc_dir_entry *bcm_proc_read;
+-	char procname [20]; /* pointer printed in ASCII with \0 */
++	char procname [32]; /* inode number in decimal with \0 */
+ };
+ 
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
+@@ -1478,7 +1478,7 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
+ 
+ 	if (proc_dir) {
+ 		/* unique socket address as filename */
+-		sprintf(bo->procname, "%p", sock);
++		sprintf(bo->procname, "%lu", sock_i_ino(sk));
+ 		bo->bcm_proc_read = create_proc_read_entry(bo->procname, 0644,
+ 							   proc_dir,
+ 							   bcm_read_proc, sk);
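Review bot: The context comment "/* unique socket address as filename */" in the bcm_connect hunk is stale once the name comes from sock_i_ino(sk); it should say the filename is the socket's inode number, matching the updated comment on procname in struct bcm_sock. Separately, the sprintf() into bo->procname is unbounded. The new 32-byte buffer does hold a decimal unsigned long (at most 20 digits plus the terminating NUL on 64-bit), but snprintf(bo->procname, sizeof(bo->procname), "%lu", sock_i_ino(sk)) would tie the bound to the array size, so that a later change to the format or the buffer cannot silently overflow.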

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 20:11:37 2011	(r16832)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 20:14:20 2011	(r16833)
@@ -18,3 +18,4 @@
 + bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
 + bugfix/all/sctp-fix-race-between-ICMP-protocol-unreachable-and-connect.patch
 + bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
++ bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch


