[kernel] r17586 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Jun 3 04:08:49 UTC 2011


Author: dannf
Date: Fri Jun  3 04:08:47 2011
New Revision: 17586

Log:
ROSE: prevent heap corruption with bad facilities (CVE-2011-1493)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Jun  3 03:47:38 2011	(r17585)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Jun  3 04:08:47 2011	(r17586)
@@ -32,6 +32,7 @@
     for CVE-2010-3875
   * char/tpm: Fix unitialized usage of data buffer (CVE-2011-1160)
   * sound/oss: remove offset from load_patch callbacks (CVE-2011-1476)
+  * ROSE: prevent heap corruption with bad facilities (CVE-2011-1493)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch	Fri Jun  3 04:08:47 2011	(r17586)
@@ -0,0 +1,73 @@
+commit be20250c13f88375345ad99950190685eda51eb8
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Sat Mar 19 20:43:43 2011 +0000
+
+    ROSE: prevent heap corruption with bad facilities
+    
+    When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
+    a remote host to provide more digipeaters than expected, resulting in
+    heap corruption.  Check against ROSE_MAX_DIGIS to prevent overflows, and
+    abort facilities parsing on failure.
+    
+    Additionally, when parsing the FAC_CCITT_DEST_NSAP and
+    FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
+    of less than 10, resulting in an underflow in a memcpy size, causing a
+    kernel panic due to massive heap corruption.  A length of greater than
+    20 results in a stack overflow of the callsign array.  Abort facilities
+    parsing on these invalid length values.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: stable at kernel.org
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
+index 1734abb..174d51c 100644
+--- a/net/rose/rose_subr.c
++++ b/net/rose/rose_subr.c
+@@ -290,10 +290,15 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
+ 				facilities->source_ndigis = 0;
+ 				facilities->dest_ndigis   = 0;
+ 				for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) {
+-					if (pt[6] & AX25_HBIT)
++					if (pt[6] & AX25_HBIT) {
++						if (facilities->dest_ndigis >= ROSE_MAX_DIGIS)
++							return -1;
+ 						memcpy(&facilities->dest_digis[facilities->dest_ndigis++], pt, AX25_ADDR_LEN);
+-					else
++					} else {
++						if (facilities->source_ndigis >= ROSE_MAX_DIGIS)
++							return -1;
+ 						memcpy(&facilities->source_digis[facilities->source_ndigis++], pt, AX25_ADDR_LEN);
++					}
+ 				}
+ 			}
+ 			p   += l + 2;
+@@ -333,6 +338,11 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
+ 
+ 		case 0xC0:
+ 			l = p[1];
++
++			/* Prevent overflows*/
++			if (l < 10 || l > 20)
++				return -1;
++
+ 			if (*p == FAC_CCITT_DEST_NSAP) {
+ 				memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
+ 				memcpy(callsign, p + 12,   l - 10);
+@@ -373,12 +383,16 @@ int rose_parse_facilities(unsigned char *p,
+ 			switch (*p) {
+ 			case FAC_NATIONAL:		/* National */
+ 				len = rose_parse_national(p + 1, facilities, facilities_len - 1);
++				if (len < 0)
++					return 0;
+ 				facilities_len -= len + 1;
+ 				p += len + 1;
+ 				break;
+ 
+ 			case FAC_CCITT:		/* CCITT */
+ 				len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
++				if (len < 0)
++					return 0;
+ 				facilities_len -= len + 1;
+ 				p += len + 1;
+ 				break;
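Review bot: The new ROSE_MAX_DIGIS checks bound how many digipeaters get stored, but nothing in the visible lines bounds the facility length byte `l` (read as `p[1]`) against the remaining facilities length, so a crafted `l` can still carry `pt`, the `p += l + 2` step and the later `facilities_len -= len + 1` accounting past the end of the received block; the quoted upstream commit does not address that read overrun. In the FAC_NATIONAL_DIGIS loop the condition `lg < l` also lets the final memcpy read up to AX25_ADDR_LEN-1 bytes beyond the declared field whenever `l` is not a multiple of AX25_ADDR_LEN; `lg + AX25_ADDR_LEN <= l` would stop at the last whole address. Both parsers receive a length argument (the call sites pass `facilities_len - 1`), so a guard immediately after reading `l`, such as `if (l + 2 > remaining) return -1;` against that parameter, would reuse the `return -1` path this patch introduces; the parameter's actual name is not visible in the hunks. Both rose_parse_national and rose_parse_ccitt start and end outside the hunks shown, so whether such a check already exists elsewhere in those functions cannot be confirmed from here.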

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Fri Jun  3 03:47:38 2011	(r17585)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Fri Jun  3 04:08:47 2011	(r17586)
@@ -29,3 +29,4 @@
 + bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch
 + bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch
 + bugfix/all/sound-oss-remove-offset-from-load_patch-callbacks.patch
++ bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch


