[linux] 03/04: Add various infoleak fixes

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jun 16 10:52:47 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit c6ff78f5bebd835cf506c4caf6cd061a7083c414
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Jun 16 01:18:44 2016 +0100

    Add various infoleak fixes
---
 debian/changelog                                   |  6 ++++
 ...fix-leak-in-events-via-snd_timer_user_cca.patch | 28 +++++++++++++++++
 ...fix-leak-in-events-via-snd_timer_user_tin.patch | 28 +++++++++++++++++
 ...imer-fix-leak-in-sndrv_timer_ioctl_params.patch | 28 +++++++++++++++++
 .../rds-fix-an-infoleak-in-rds_inc_info_copy.patch | 26 ++++++++++++++++
 ...x-an-infoleak-in-tipc_nl_compat_link_dump.patch | 26 ++++++++++++++++
 ...usb-usbfs-fix-potential-infoleak-in-devio.patch | 36 ++++++++++++++++++++++
 debian/patches/series                              |  6 ++++
 8 files changed, 184 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 17cd9ae..efcf987 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -207,6 +207,12 @@ linux (3.2.81-1) UNRELEASED; urgency=medium
     - aufs: implement new f_op->setfl()
     - fs: Fix ABI change for aufs F_SETFL fix
   * stable-update: Rewrite stable-update.sh in Python
+  * USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
+  * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569)
+  * ALSA: timer: Fix leak in events via snd_timer_user_ccallback or
+    snd_timer_user_tinterrupt (CVE-2016-4578)
+  * tipc: fix an infoleak in tipc_node_get_links (CVE-2016-5243)
+  * rds: fix an infoleak in rds_inc_info_copy (CVE-2016-5244)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 01 Apr 2016 02:11:16 +0100
 
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
new file mode 100644
index 0000000..14172f4
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
@@ -0,0 +1,28 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: [1/2] ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1213,6 +1213,7 @@ static void snd_timer_user_ccallback(str
+ 		tu->tstamp = *tstamp;
+ 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ 		return;
++	memset(&r1, 0, sizeof(r1));
+ 	r1.event = event;
+ 	r1.tstamp = *tstamp;
+ 	r1.val = resolution;
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
new file mode 100644
index 0000000..00dee65
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
@@ -0,0 +1,28 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: [2/2] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1248,6 +1248,7 @@ static void snd_timer_user_tinterrupt(st
+ 	}
+ 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ 	    tu->last_resolution != resolution) {
++		memset(&r1, 0, sizeof(r1));
+ 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ 		r1.tstamp = tstamp;
+ 		r1.val = resolution;
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
new file mode 100644
index 0000000..1bd1a62
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
@@ -0,0 +1,28 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/cec8f96e49d9be372fdb0c3836dcf31ec71e457e
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1712,6 +1712,7 @@ static int snd_timer_user_params(struct
+ 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ 		if (tu->tread) {
+ 			struct snd_timer_tread tread;
++			memset(&tread, 0, sizeof(tread));
+ 			tread.event = SNDRV_TIMER_EVENT_EARLY;
+ 			tread.tstamp.tv_sec = 0;
+ 			tread.tstamp.tv_nsec = 0;
diff --git a/debian/patches/bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch b/debian/patches/bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
new file mode 100644
index 0000000..cdee992
--- /dev/null
+++ b/debian/patches/bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
@@ -0,0 +1,26 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Thu, 2 Jun 2016 04:11:20 -0400
+Subject: rds: fix an infoleak in rds_inc_info_copy
+Origin: https://git.kernel.org/linus/4116def2337991b39919f3b448326e21c40e0dbb
+
+The last field "flags" of object "minfo" is not initialized.
+Copying this object out may leak kernel stack data.
+Assign 0 to it to avoid leak.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Acked-by: Santosh Shilimkar <santosh.shilimkar at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rds/recv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -544,5 +544,7 @@ void rds_inc_info_copy(struct rds_incomi
+ 		minfo.fport = inc->i_hdr.h_dport;
+ 	}
+ 
++	minfo.flags = 0;
++
+ 	rds_info_copy(iter, &minfo, sizeof(minfo));
+ }
diff --git a/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch b/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
new file mode 100644
index 0000000..ad03a49
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
@@ -0,0 +1,26 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Thu, 2 Jun 2016 04:04:56 -0400
+Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump
+Origin: https://git.kernel.org/linus/5d2be1422e02ccd697ccfcd45c85b4a26e6178e2
+
+link_info.str is a char array of size 60. Memory after the NULL
+byte is not initialized. Sending the whole object out can cause
+a leak.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: the unpadded strcpy() is in tipc_node_get_links()
+ and no nlattr is involved, so use strncpy()]
+---
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -485,7 +485,8 @@ struct sk_buff *tipc_node_get_links(cons
+ 				continue;
+ 			link_info.dest = htonl(n_ptr->addr);
+ 			link_info.up = htonl(tipc_link_is_up(n_ptr->links[i]));
+-			strcpy(link_info.str, n_ptr->links[i]->name);
++			strncpy(link_info.str, n_ptr->links[i]->name,
++				sizeof(link_info.str));
+ 			tipc_cfg_append_tlv(buf, TIPC_TLV_LINK_INFO,
+ 					    &link_info, sizeof(link_info));
+ 		}
diff --git a/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
new file mode 100644
index 0000000..0aea2b8
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
@@ -0,0 +1,36 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/681fef8380eb818c0b845fca5d2ab1dcbab114ee
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1005,10 +1005,11 @@ static int proc_getdriver(struct dev_sta
+ 
+ static int proc_connectinfo(struct dev_state *ps, void __user *arg)
+ {
+-	struct usbdevfs_connectinfo ci = {
+-		.devnum = ps->dev->devnum,
+-		.slow = ps->dev->speed == USB_SPEED_LOW
+-	};
++	struct usbdevfs_connectinfo ci;
++
++	memset(&ci, 0, sizeof(ci));
++	ci.devnum = ps->dev->devnum;
++	ci.slow = ps->dev->speed == USB_SPEED_LOW;
+ 
+ 	if (copy_to_user(arg, &ci, sizeof(ci)))
+ 		return -EFAULT;
diff --git a/debian/patches/series b/debian/patches/series
index 1c17c73..1f4171c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1106,6 +1106,12 @@ features/all/hpsa/0011-hpsa-add-in-P840ar-controller-model-name.patch
 # Security fixes
 bugfix/all/netfilter-ipset-Check-and-reject-crazy-0-input-param.patch
 bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
+bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
+bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
+bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
+bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
+bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list