[kernel] r17610 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/arm patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jun 6 01:26:56 UTC 2011
Author: dannf
Date: Mon Jun 6 01:26:55 2011
New Revision: 17610
Log:
[arm] 6891/1: prevent heap corruption in OABI semtimedop (CVE-2011-1759)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
- copied unchanged from r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Jun 6 01:26:22 2011 (r17609)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Jun 6 01:26:55 2011 (r17610)
@@ -38,6 +38,7 @@
* agp: fix arbitrary kernel memory writes (CVE-2011-1745)
* agp: fix OOM and buffer overflow (CVE-2011-1746)
* can: Add missing socket check in can/raw release (CVE-2011-1748)
+ * [arm] 6891/1: prevent heap corruption in OABI semtimedop (CVE-2011-1759)
[ Ben Hutchings ]
* [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch (from r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch Mon Jun 6 01:26:55 2011 (r17610, copy of r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch)
@@ -0,0 +1,29 @@
+commit 0f22072ab50cac7983f9660d33974b45184da4f9
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri Apr 29 15:48:07 2011 +0100
+
+ ARM: 6891/1: prevent heap corruption in OABI semtimedop
+
+ When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
+ bound the nsops argument. A sufficiently large value will cause an
+ integer overflow in allocation size, followed by copying too much data
+ into the allocated buffer. Fix this by restricting nsops to SEMOPM.
+ Untested.
+
+ Cc: stable at kernel.org
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
+
+diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
+index 4ad8da1..af0aaeb 100644
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
+ long err;
+ int i;
+
+- if (nsops < 1)
++ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
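Review bot: in the sys_oabi_semtimedop hunk, the new test `if (nsops < 1 || nsops > SEMOPM)` is what stands between the caller-supplied count and the open-coded `sizeof(*sops) * nsops` in the kmalloc call on the next line, yet the commit message ends with "Untested". Before this goes out in a security upload, exercise the wrapper on a CONFIG_OABI_COMPAT build with nsops equal to SEMOPM (expect normal handling) and SEMOPM + 1 (expect -EINVAL). A short comment at the check stating that it protects the allocation size would also keep a later edit from loosening it.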
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Jun 6 01:26:22 2011 (r17609)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Jun 6 01:26:55 2011 (r17610)
@@ -36,4 +36,4 @@
+ bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch
+ bugfix/all/agp-fix-OOM-and-buffer-overflow.patch
+ bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch
-
++ bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
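Review bot: the entry added at the end of 26lenny3 enables a patch that the log says was copied unchanged from squeeze-security (r17590), and nothing in this revision shows it was checked against the lenny tree. Confirm that the `@@ -311,7 +311,7 @@` hunk applies to the lenny source without fuzz and lands on the `nsops < 1` check in sys_oabi_semtimedop, and note that in the commit log.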