[kernel] r16852 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jan 25 05:46:23 UTC 2011
Author: dannf
Date: Tue Jan 25 05:46:20 2011
New Revision: 16852
Log:
usb: iowarrior: don't trust report_size for buffer size (CVE-2010-4656)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Tue Jan 25 05:40:44 2011 (r16851)
+++ dists/lenny-security/linux-2.6/debian/changelog Tue Jan 25 05:46:20 2011 (r16852)
@@ -24,6 +24,7 @@
* block: check for proper length of iov entries earlier in
blk_rq_map_user_iov() (CVE-2010-4668)
* av7110: check for negative array offset (CVE-2011-0521)
+ * usb: iowarrior: don't trust report_size for buffer size (CVE-2010-4656)
[ Moritz Muehlenhoff ]
* blkback/blktap/netback: Fix CVE-2010-3699
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch Tue Jan 25 05:46:20 2011 (r16852)
@@ -0,0 +1,27 @@
+commit 3ed780117dbe5acb64280d218f0347f238dafed0
+Author: Kees Cook <kees.cook at canonical.com>
+Date: Mon Oct 11 11:28:16 2010 -0700
+
+ usb: iowarrior: don't trust report_size for buffer size
+
+ If the iowarrior devices in this case statement support more than 8 bytes
+ per report, it is possible to write past the end of a kernel heap allocation.
+ This will probably never be possible, but change the allocation to be more
+ defensive anyway.
+
+ Signed-off-by: Kees Cook <kees.cook at canonical.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index bc88c79..8ed8d05 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
+ case USB_DEVICE_ID_CODEMERCS_IOWPV2:
+ case USB_DEVICE_ID_CODEMERCS_IOW40:
+ /* IOW24 and IOW40 use a synchronous call */
+- buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
++ buf = kmalloc(count, GFP_KERNEL);
+ if (!buf) {
+ retval = -ENOMEM;
+ goto exit;
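Review bot: The new `buf = kmalloc(count, GFP_KERNEL);` in iowarrior_write() sizes the heap buffer from `count`, but neither the visible context nor the commit message says where `count` is bounded or how it relates to `report_size`, the value the subject line says not to trust. The commit message should state which length the subsequent write into `buf` uses and where `count` is validated before this case statement, so a reader can confirm the allocation and the write now agree. The removed `/* 8 bytes are enough for both products */` comment is also dropped without a replacement; a short comment saying the allocation must match the length written into `buf` would keep someone from restoring a fixed size later.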
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Tue Jan 25 05:40:44 2011 (r16851)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Tue Jan 25 05:46:20 2011 (r16852)
@@ -20,3 +20,4 @@
+ bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch
+ bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
+ bugfix/all/av7110-check-for-negative-array-offset.patch
++ bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch