[kernel] r16852 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Jan 25 05:46:23 UTC 2011


Author: dannf
Date: Tue Jan 25 05:46:20 2011
New Revision: 16852

Log:
usb: iowarrior: don't trust report_size for buffer size (CVE-2010-4656)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Tue Jan 25 05:40:44 2011	(r16851)
+++ dists/lenny-security/linux-2.6/debian/changelog	Tue Jan 25 05:46:20 2011	(r16852)
@@ -24,6 +24,7 @@
   * block: check for proper length of iov entries earlier in
     blk_rq_map_user_iov() (CVE-2010-4668)
   * av7110: check for negative array offset (CVE-2011-0521)
+  * usb: iowarrior: don't trust report_size for buffer size (CVE-2010-4656)
 
   [ Moritz Muehlenhoff ]
   * blkback/blktap/netback: Fix CVE-2010-3699 	

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch	Tue Jan 25 05:46:20 2011	(r16852)
@@ -0,0 +1,27 @@
+commit 3ed780117dbe5acb64280d218f0347f238dafed0
+Author: Kees Cook <kees.cook at canonical.com>
+Date:   Mon Oct 11 11:28:16 2010 -0700
+
+    usb: iowarrior: don't trust report_size for buffer size
+    
+    If the iowarrior devices in this case statement support more than 8 bytes
+    per report, it is possible to write past the end of a kernel heap allocation.
+    This will probably never be possible, but change the allocation to be more
+    defensive anyway.
+    
+    Signed-off-by: Kees Cook <kees.cook at canonical.com>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index bc88c79..8ed8d05 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
+ 	case USB_DEVICE_ID_CODEMERCS_IOWPV2:
+ 	case USB_DEVICE_ID_CODEMERCS_IOW40:
+ 		/* IOW24 and IOW40 use a synchronous call */
+-		buf = kmalloc(8, GFP_KERNEL);	/* 8 bytes are enough for both products */
++		buf = kmalloc(count, GFP_KERNEL);
+ 		if (!buf) {
+ 			retval = -ENOMEM;
+ 			goto exit;
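
Review bot: In the iowarrior_write hunk, the new "buf = kmalloc(count, GFP_KERNEL);" sizes the allocation from count, but nothing in the visible context shows count being bounded or compared against report_size, the field the subject line says not to trust. If that check exists earlier in the function, name it in the commit message or in a comment replacing the removed "8 bytes are enough for both products" note, so the reason the buffer can no longer be overrun is recorded next to the allocation. If it does not exist, add an upper bound before the kmalloc, and consider rejecting a zero count as well, since kmalloc(0) returns the non-NULL ZERO_SIZE_PTR and would pass the "if (!buf)" test.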

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Tue Jan 25 05:40:44 2011	(r16851)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Tue Jan 25 05:46:20 2011	(r16852)
@@ -20,3 +20,4 @@
 + bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch
 + bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
 + bugfix/all/av7110-check-for-negative-array-offset.patch
++ bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch


