[kernel] r17453 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/arm patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 18 06:15:22 UTC 2011


Author: dannf
Date: Wed May 18 06:15:12 2011
New Revision: 17453

Log:
[arm] 6891/1: prevent heap corruption in OABI semtimedop (CVE-2011-1759)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed May 18 04:54:31 2011	(r17452)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed May 18 06:15:12 2011	(r17453)
@@ -7,6 +7,7 @@
     - cifs: check for NULL session password
   * gre: fix netns vs proto registration ordering (CVE-2011-1767)
   * dccp: handle invalid feature options length (CVE-2011-1770)
+  * [arm] 6891/1: prevent heap corruption in OABI semtimedop (CVE-2011-1759)
 
  -- dann frazier <dannf at debian.org>  Tue, 17 May 2011 00:41:07 -0600
 
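Review bot: the trailer line `-- dann frazier <dannf at debian.org>  Tue, 17 May 2011 00:41:07 -0600` is unchanged by this hunk even though the new entry is being added on May 18; if that stanza is the one going into the 34squeeze1 upload, refresh the timestamp when the changelog is finalised so the entry date is not earlier than the patch it records.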

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch	Wed May 18 06:15:12 2011	(r17453)
@@ -0,0 +1,29 @@
+commit 0f22072ab50cac7983f9660d33974b45184da4f9
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Fri Apr 29 15:48:07 2011 +0100
+
+    ARM: 6891/1: prevent heap corruption in OABI semtimedop
+    
+    When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
+    bound the nsops argument.  A sufficiently large value will cause an
+    integer overflow in allocation size, followed by copying too much data
+    into the allocated buffer.  Fix this by restricting nsops to SEMOPM.
+    Untested.
+    
+    Cc: stable at kernel.org
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
+
+diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
+index 4ad8da1..af0aaeb 100644
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
+ 	long err;
+ 	int i;
+ 
+-	if (nsops < 1)
++	if (nsops < 1 || nsops > SEMOPM)
+ 		return -EINVAL;
+ 	sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ 	if (!sops)
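Review bot: the upstream message ends with `Untested.` and the inner hunk header `@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,` carries the upstream line offset, so before upload confirm the patch applies at the right place in the squeeze `arch/arm/kernel/sys_oabi-compat.c` and that `SEMOPM` resolves there (it is not defined in the visible context) by building the armel flavour. The change itself is the right fix: the only existing check is `if (nsops < 1)`, so a large `nsops` makes `sizeof(*sops) * nsops` wrap and `kmalloc` hands back a buffer smaller than the copy that follows; the added `|| nsops > SEMOPM` bounds the multiplication before the allocation.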

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1	Wed May 18 04:54:31 2011	(r17452)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1	Wed May 18 06:15:12 2011	(r17453)
@@ -4,3 +4,4 @@
 + bugfix/all/cifs-check-for-NULL-session-password.patch
 + bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
 + bugfix/all/dccp-handle-invalid-feature-options-length.patch
++ bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
