[kernel] r17610 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/arm patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jun 6 01:26:56 UTC 2011


Author: dannf
Date: Mon Jun  6 01:26:55 2011
New Revision: 17610

Log:
[arm] 6891/1: prevent heap corruption in OABI semtimedop (CVE-2011-1759)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
      - copied unchanged from r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 01:26:22 2011	(r17609)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 01:26:55 2011	(r17610)
@@ -38,6 +38,7 @@
   * agp: fix arbitrary kernel memory writes (CVE-2011-1745)
   * agp: fix OOM and buffer overflow (CVE-2011-1746)
   * can: Add missing socket check in can/raw release (CVE-2011-1748)
+  * [arm] 6891/1: prevent heap corruption in OABI semtimedop (CVE-2011-1759)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch (from r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch	Mon Jun  6 01:26:55 2011	(r17610, copy of r17590, dists/squeeze-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch)
@@ -0,0 +1,29 @@
+commit 0f22072ab50cac7983f9660d33974b45184da4f9
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Fri Apr 29 15:48:07 2011 +0100
+
+    ARM: 6891/1: prevent heap corruption in OABI semtimedop
+    
+    When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
+    bound the nsops argument.  A sufficiently large value will cause an
+    integer overflow in allocation size, followed by copying too much data
+    into the allocated buffer.  Fix this by restricting nsops to SEMOPM.
+    Untested.
+    
+    Cc: stable at kernel.org
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
+
+diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
+index 4ad8da1..af0aaeb 100644
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
+ 	long err;
+ 	int i;
+ 
+-	if (nsops < 1)
++	if (nsops < 1 || nsops > SEMOPM)
+ 		return -EINVAL;
+ 	sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ 	if (!sops)
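
Review bot: the upstream commit message ends with "Untested", and this patch file is copied unchanged from squeeze-security, so the new `nsops > SEMOPM` bound in `sys_oabi_semtimedop` should get at least a build and a boundary run on an ARM kernel with CONFIG_OABI_COMPAT before upload: nsops equal to SEMOPM should still be accepted, and SEMOPM + 1 should return -EINVAL. Also confirm that the hunk applies to the lenny tree without fuzz, since the `@@ -311,7 +311,7 @@` offsets come from the upstream file. The declaration of nsops is outside the visible context, so check its type: the test is complete only if negative values are rejected as well, either by an unsigned type or by the existing `nsops < 1` comparison on a signed one. The `sizeof(*sops) * nsops` multiplication left in the `kmalloc()` call is safe only because of this bound, so a short comment above the check saying so would help keep it from being relaxed later.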

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 01:26:22 2011	(r17609)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 01:26:55 2011	(r17610)
@@ -36,4 +36,4 @@
 + bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch
 + bugfix/all/agp-fix-OOM-and-buffer-overflow.patch
 + bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch
-
++ bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch


