[linux] 06/07: char: lp: fix possible integer overflow in lp_setup() (CVE-2017-1000363)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Fri Jul 28 08:16:09 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 4a57f5b5f31ebc89c61bead4cf24f5de16a6680f
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Jul 28 09:13:38 2017 +0200
char: lp: fix possible integer overflow in lp_setup() (CVE-2017-1000363)
---
debian/changelog | 1 +
...fix-possible-integer-overflow-in-lp_setup.patch | 39 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 41 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index dc4aff5..e15d0cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,7 @@ linux (3.16.43-2+deb8u3) UNRELEASED; urgency=medium
* [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
* xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
* mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
+ * char: lp: fix possible integer overflow in lp_setup() (CVE-2017-1000363)
-- Salvatore Bonaccorso <carnil at debian.org> Thu, 27 Jul 2017 22:02:24 +0200
diff --git a/debian/patches/bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch b/debian/patches/bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
new file mode 100644
index 0000000..40d2f9d
--- /dev/null
+++ b/debian/patches/bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
@@ -0,0 +1,39 @@
+From: Willy Tarreau <w at 1wt.eu>
+Date: Tue, 16 May 2017 19:18:55 +0200
+Subject: char: lp: fix possible integer overflow in lp_setup()
+Origin: https://git.kernel.org/linus/3e21f4af170bebf47c187c1ff8bf155583c9f3b1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000363
+
+The lp_setup() code doesn't apply any bounds checking when passing
+"lp=none", and only in this case, resulting in an overflow of the
+parport_nr[] array. All versions in Git history are affected.
+
+Reported-By: Roee Hay <roee.hay at hcl.com>
+Cc: Ben Hutchings <ben at decadent.org.uk>
+Cc: stable at vger.kernel.org
+Signed-off-by: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/char/lp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/lp.c b/drivers/char/lp.c
+index 565e4cf04a02..8249762192d5 100644
+--- a/drivers/char/lp.c
++++ b/drivers/char/lp.c
+@@ -859,7 +859,11 @@ static int __init lp_setup (char *str)
+ } else if (!strcmp(str, "auto")) {
+ parport_nr[0] = LP_PARPORT_AUTO;
+ } else if (!strcmp(str, "none")) {
+- parport_nr[parport_ptr++] = LP_PARPORT_NONE;
++ if (parport_ptr < LP_NO)
++ parport_nr[parport_ptr++] = LP_PARPORT_NONE;
++ else
++ printk(KERN_INFO "lp: too many ports, %s ignored.\n",
++ str);
+ } else if (!strcmp(str, "reset")) {
+ reset = 1;
+ }
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index faddea5..fb8e99d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -721,6 +721,7 @@ bugfix/x86/mm-Tighten-x86-dev-mem-with-zeroing-reads.patch
bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
+bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list