[kernel] r18038 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Sep 1 03:57:54 UTC 2011


Author: dannf
Date: Thu Sep  1 03:57:52 2011
New Revision: 18038

Log:
Fix overflow in auerswald driver (CVE-2009-4067)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-misc-auerswald-overflow-fix.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny4

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Tue Aug 30 02:49:46 2011	(r18037)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Sep  1 03:57:52 2011	(r18038)
@@ -8,6 +8,7 @@
   * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
   * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
   * net_sched: Fix qdisc_notify() (CVE-2011-2525)
+  * Fix overflow in auerswald driver (CVE-2009-4067)
 
   [ Moritz Muehlenhoff ]
   * ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-misc-auerswald-overflow-fix.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-misc-auerswald-overflow-fix.patch	Thu Sep  1 03:57:52 2011	(r18038)
@@ -0,0 +1,89 @@
+On Wed, Aug 17, 2011 at 06:39:11PM +0200, Moritz Mühlenhoff wrote:
+> On Wed, Aug 17, 2011 at 10:05:30AM -0600, dann frazier wrote:
+> > On Wed, Aug 17, 2011 at 10:33:21AM +0200, Moritz Muehlenhoff wrote:
+> > > Hi Dann,
+> > > I've whipped up a patch for CVE-2009-4067. (The driver was removed
+> > > upstream, so there's no upstream fix). Could you have a second look,
+> > > please?
+> > 
+> > Sure - where can I find it?
+> 
+> I forgot the attachment :-)
+> 
+> Cheers,
+>         Moritz 
+
+> diff -aur linux-2.6-2.6.26.orig/drivers/usb/misc/auerswald.c linux-2.6-2.6.26/drivers/usb/misc/auerswald.c
+> --- linux-2.6-2.6.26.orig/drivers/usb/misc/auerswald.c	2008-07-13 23:51:29.000000000 +0200
+> +++ linux-2.6-2.6.26/drivers/usb/misc/auerswald.c	2011-08-17 10:30:13.958449758 +0200
+> @@ -1946,7 +1946,7 @@
+>  	/* Try to get a suitable textual description of the device */
+>  	/* Device name:*/
+>  	ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1);
+> -	if (ret >= 0) {
+> +	if (ret >= 0 && ret < AUSI_DLEN) {
+>  		u += ret;
+>  		/* Append Serial Number */
+>  		memcpy(&cp->dev_desc[u], ",Ser# ", 6);
+> Nur in linux-2.6-2.6.26/drivers/usb/misc/: auerswald.c~.
+
+I think that is sufficient to resolve the specific vulnerability that
+the MWR PDF describes. However, if the user can control AUSI_DEVICE,
+shouldn't we also assume they can control AUSI_SERIALNR, and just
+overflow things a little further down?
+
+Also, there's a couple places where they seem to blindly memcpy a
+hardcoded number of bytes to the end of the string without checking
+to see if this crosses the AUSI_DLEN boundary.
+
+Perhaps I'm overly paranoid, but what do you think of this?
+
+--- linux-source-2.6.26/drivers/usb/misc/auerswald.c.orig	2011-08-21 14:04:46.634626234 -0600
++++ linux-source-2.6.26/drivers/usb/misc/auerswald.c	2011-08-21 14:04:47.826643896 -0600
+@@ -1946,23 +1946,28 @@ static int auerswald_probe (struct usb_i
+ 	/* Try to get a suitable textual description of the device */
+ 	/* Device name:*/
+ 	ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1);
+-	if (ret >= 0) {
+-		u += ret;
+-		/* Append Serial Number */
+-		memcpy(&cp->dev_desc[u], ",Ser# ", 6);
+-		u += 6;
+-		ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1);
+-		if (ret >= 0) {
+-			u += ret;
+-			/* Append subscriber number */
+-			memcpy(&cp->dev_desc[u], ", ", 2);
+-			u += 2;
+-			ret = usb_string( cp->usbdev, AUSI_MSN, &cp->dev_desc[u], AUSI_DLEN-u-1);
+-			if (ret >= 0) {
+-				u += ret;
+-			}
+-		}
+-	}
++	if (ret < 0 || ret >= AUSI_DLEN)
++		goto desc_done;
++	u += ret;
++	if (u >= AUSI_DLEN - 6)
++		goto desc_done;
++	/* Append Serial Number */
++	memcpy(&cp->dev_desc[u], ",Ser# ", 6);
++	u += 6;
++	ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1);
++	if (ret < 0 || u + ret >= AUSI_DLEN)
++		goto desc_done;
++	u += ret;
++	if (u >= AUSI_DLEN - 2)
++		goto desc_done;
++	/* Append subscriber number */
++	memcpy(&cp->dev_desc[u], ", ", 2);
++	u += 2;
++	ret = usb_string( cp->usbdev, AUSI_MSN, &cp->dev_desc[u], AUSI_DLEN-u-1);
++	if (ret < 0 || u + ret >= AUSI_DLEN)
++		goto desc_done;
++	u += ret;
++desc_done:
+ 	cp->dev_desc[u] = '\0';
+ 	info("device is a %s", cp->dev_desc);
+ 
+
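Review bot: the guards in the rewritten block at lines +1946 onward are correct, but the three size checks are written in two different shapes and none says what invariant it keeps: the first, `if (ret < 0 || ret >= AUSI_DLEN)`, appears redundant because usb_string() was given AUSI_DLEN-1 as its buffer size and so cannot fill that much, while the `u >= AUSI_DLEN - 6` / `u >= AUSI_DLEN - 2` checks before the two memcpy() calls and the `u + ret >= AUSI_DLEN` checks after the AUSI_SERIALNR and AUSI_MSN lookups are the ones that actually bound `u`. A one-line comment stating that every path reaches desc_done with `u < AUSI_DLEN` so that `cp->dev_desc[u] = '\0'` stays inside the buffer would make the intent reviewable without re-deriving it. Separately, the file carries the e-mail thread as its only description, with the superseded first-round diff (and its stray `Nur in ... auerswald.c~.` line) quoted above the real hunk; a short header giving the CVE, noting that the driver was removed upstream so there is no upstream commit to reference, and crediting both authors would be clearer than shipping the earlier diff in quoted form.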

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Tue Aug 30 02:49:46 2011	(r18037)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Thu Sep  1 03:57:52 2011	(r18038)
@@ -12,3 +12,4 @@
 + bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
 + bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
 + bugfix/all/net_sched-Fix-qdisc_notify.patch
++ bugfix/all/usb-misc-auerswald-overflow-fix.patch
