[kernel] r16835 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jan 17 20:25:12 UTC 2011


Author: dannf
Date: Mon Jan 17 20:25:09 2011
New Revision: 16835

Log:
block: check for proper length of iov entries earlier in
blk_rq_map_user_iov() (CVE-2010-4668)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 20:22:36 2011	(r16834)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 20:25:09 2011	(r16835)
@@ -23,6 +23,8 @@
   * sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
   * CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565)
   * IB/uverbs: Handle large number of entries in poll CQ (CVE-2010-4649)
+  * block: check for proper length of iov entries earlier in
+    blk_rq_map_user_iov() (CVE-2010-4668)
 
   [ Moritz Muehlenhoff ]
   * blkback/blktap/netback: Fix CVE-2010-3699 	

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch	Mon Jan 17 20:25:09 2011	(r16835)
@@ -0,0 +1,35 @@
+commit d124b50925d1e4f9eb8465f017e30ba84815aceb
+Author: Xiaotian Feng <dfeng at redhat.com>
+Date:   Mon Nov 29 10:03:55 2010 +0100
+
+    block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
+    
+    commit 9284bcf checks for proper length of iov entries in
+    blk_rq_map_user_iov(). But if the map is unaligned, kernel
+    will break out the loop without checking for the proper length.
+    So we need to check the proper length before the unalign check.
+    
+    Signed-off-by: Xiaotian Feng <dfeng at redhat.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index 71e102e..92e4cba 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -187,12 +187,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ 	for (i = 0; i < iov_count; i++) {
+ 		unsigned long uaddr = (unsigned long)iov[i].iov_base;
+ 
++		if (!iov[i].iov_len)
++			return -EINVAL;
++
+ 		if (uaddr & queue_dma_alignment(q)) {
+ 			unaligned = 1;
+ 			break;
+ 		}
+-		if (!iov[i].iov_len)
+-			return -EINVAL;
+ 	}
+ 
+ 	if (unaligned || (q->dma_pad_mask & len))
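
Review bot: In the blk-map.c loop, the `break` in the `uaddr & queue_dma_alignment(q)` branch still ends the scan at the first unaligned entry, so the relocated `!iov[i].iov_len` check only covers entries up to and including that one; a zero-length entry later in the array is not rejected by this loop. If every entry is meant to be validated before mapping, consider setting `unaligned = 1` without the `break` so the loop visits all `iov_count` entries, or state in the patch description that the path taken when `unaligned` is set handles zero-length entries itself. A short comment above the moved check explaining why it must precede the alignment test would also keep a later reorder from reintroducing the bypass.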

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 20:22:36 2011	(r16834)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 20:25:09 2011	(r16835)
@@ -20,3 +20,4 @@
 + bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
 + bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
 + bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch
++ bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
