[kernel] r16835 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jan 17 20:25:12 UTC 2011
Author: dannf
Date: Mon Jan 17 20:25:09 2011
New Revision: 16835
Log:
block: check for proper length of iov entries earlier in
blk_rq_map_user_iov() (CVE-2010-4668)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 20:22:36 2011 (r16834)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 20:25:09 2011 (r16835)
@@ -23,6 +23,8 @@
* sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
* CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565)
* IB/uverbs: Handle large number of entries in poll CQ (CVE-2010-4649)
+ * block: check for proper length of iov entries earlier in
+ blk_rq_map_user_iov() (CVE-2010-4668)
[ Moritz Muehlenhoff ]
* blkback/blktap/netback: Fix CVE-2010-3699
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch Mon Jan 17 20:25:09 2011 (r16835)
@@ -0,0 +1,35 @@
+commit d124b50925d1e4f9eb8465f017e30ba84815aceb
+Author: Xiaotian Feng <dfeng at redhat.com>
+Date: Mon Nov 29 10:03:55 2010 +0100
+
+ block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
+
+ commit 9284bcf checks for proper length of iov entries in
+ blk_rq_map_user_iov(). But if the map is unaligned, kernel
+ will break out the loop without checking for the proper length.
+ So we need to check the proper length before the unalign check.
+
+ Signed-off-by: Xiaotian Feng <dfeng at redhat.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index 71e102e..92e4cba 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -187,12 +187,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ for (i = 0; i < iov_count; i++) {
+ unsigned long uaddr = (unsigned long)iov[i].iov_base;
+
++ if (!iov[i].iov_len)
++ return -EINVAL;
++
+ if (uaddr & queue_dma_alignment(q)) {
+ unaligned = 1;
+ break;
+ }
+- if (!iov[i].iov_len)
+- return -EINVAL;
+ }
+
+ if (unaligned || (q->dma_pad_mask & len))
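Review bot: in the blk_rq_map_user_iov() loop, the `break` on the first unaligned entry still ends the scan, so the moved `!iov[i].iov_len` check only covers entries up to and including the first unaligned one. An iovec whose entry 0 is unaligned with a non-zero length, followed by an entry with iov_len == 0, leaves the loop with `unaligned = 1` and never reaches `return -EINVAL`. What happens to that zero-length entry then depends on the code taken under `if (unaligned || (q->dma_pad_mask & len))`, which is not visible in this hunk. Suggest setting `unaligned = 1` without the `break` so every entry's length is validated, or confirming that the unaligned path rejects zero-length segments itself before this goes into the lenny-security series.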
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 20:22:36 2011 (r16834)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 20:25:09 2011 (r16835)
@@ -20,3 +20,4 @@
+ bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
+ bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
+ bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch
++ bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch