[linux] 06/07: char: lp: fix possible integer overflow in lp_setup() (CVE-2017-1000363)

debian-kernel at lists.debian.org
Fri Jul 28 08:16:09 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit 4a57f5b5f31ebc89c61bead4cf24f5de16a6680f
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Fri Jul 28 09:13:38 2017 +0200

    char: lp: fix possible integer overflow in lp_setup() (CVE-2017-1000363)
---
 debian/changelog                                   |  1 +
 ...fix-possible-integer-overflow-in-lp_setup.patch | 39 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 41 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index dc4aff5..e15d0cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,7 @@ linux (3.16.43-2+deb8u3) UNRELEASED; urgency=medium
   * [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
   * xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
   * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
+  * char: lp: fix possible integer overflow in lp_setup() (CVE-2017-1000363)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Thu, 27 Jul 2017 22:02:24 +0200
 
diff --git a/debian/patches/bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch b/debian/patches/bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
new file mode 100644
index 0000000..40d2f9d
--- /dev/null
+++ b/debian/patches/bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
@@ -0,0 +1,39 @@
+From: Willy Tarreau <w at 1wt.eu>
+Date: Tue, 16 May 2017 19:18:55 +0200
+Subject: char: lp: fix possible integer overflow in lp_setup()
+Origin: https://git.kernel.org/linus/3e21f4af170bebf47c187c1ff8bf155583c9f3b1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000363
+
+The lp_setup() code doesn't apply any bounds checking when passing
+"lp=none", and only in this case, resulting in an overflow of the
+parport_nr[] array. All versions in Git history are affected.
+
+Reported-By: Roee Hay <roee.hay at hcl.com>
+Cc: Ben Hutchings <ben at decadent.org.uk>
+Cc: stable at vger.kernel.org
+Signed-off-by: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/char/lp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/lp.c b/drivers/char/lp.c
+index 565e4cf04a02..8249762192d5 100644
+--- a/drivers/char/lp.c
++++ b/drivers/char/lp.c
+@@ -859,7 +859,11 @@ static int __init lp_setup (char *str)
+ 	} else if (!strcmp(str, "auto")) {
+ 		parport_nr[0] = LP_PARPORT_AUTO;
+ 	} else if (!strcmp(str, "none")) {
+-		parport_nr[parport_ptr++] = LP_PARPORT_NONE;
++		if (parport_ptr < LP_NO)
++			parport_nr[parport_ptr++] = LP_PARPORT_NONE;
++		else
++			printk(KERN_INFO "lp: too many ports, %s ignored.\n",
++			       str);
+ 	} else if (!strcmp(str, "reset")) {
+ 		reset = 1;
+ 	}
+-- 
+2.11.0
+
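Review bot: the bound in the added `if (parport_ptr < LP_NO)` is only correct if parport_nr[] is declared with LP_NO entries, and that declaration is outside the embedded hunk. The blob ids on the index line (565e4cf04a02..8249762192d5) and the `@@ -859,7 +859,11 @@` offset come from the upstream commit named in Origin, not from the 3.16 tree this branch ships. Before upload, confirm against the jessie source that the array size matches LP_NO and that the hunk applies at lp_setup() without fuzz. Separately, the subject calls this an integer overflow while the description and the fix are about writing past the end of parport_nr[]; a short bracketed note in the patch header would keep the changelog entry from misleading anyone triaging the CVE. Finally, the else branch reports the dropped "none" at KERN_INFO, which is easy to miss in a boot log; it is worth checking whether a warning level would be more appropriate for an ignored boot parameter, although changing it here would diverge from upstream.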
diff --git a/debian/patches/series b/debian/patches/series
index faddea5..fb8e99d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -721,6 +721,7 @@ bugfix/x86/mm-Tighten-x86-dev-mem-with-zeroing-reads.patch
 bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
 bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
 bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
+bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


