[Secure-testing-team] Three more security problems in the 2.6 kernel

Sun Oct 9 10:18:54 UTC 2005

Hi Horms / security team,
I found three more security related reports/patches on linux-kernel.

Cheers,
        Moritz

From: David Howells <dhowells at redhat.com>

Plug request_key_auth memleak.  This can be triggered by unprivileged
users, so is local DoS.

Signed-off-by: Chris Wright <chrisw at osdl.org>
Signed-Off-By: David Howells <dhowells at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
 security/keys/request_key_auth.c |    1 +
 1 file changed, 1 insertion(+)

--- linux-2.6.13.y.orig/security/keys/request_key_auth.c
+++ linux-2.6.13.y/security/keys/request_key_auth.c
@@ -96,6 +96,7 @@ static void request_key_auth_destroy(str
        kenter("{%d}", key->serial);

        key_put(rka->target_key);
+       kfree(rka);

 } /* end request_key_auth_destroy() */


From: Dave Jones <davej at redhat.com>

Please consider for next 2.6.13, it is a minor security issue allowing
users to turn on drm debugging when they shouldn't...

This fell through the cracks. Until Josh pointed me at
http://bugs.gentoo.org/show_bug.cgi?id=107893

Signed-off-by: Chris Wright <chrisw at osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
 drivers/char/drm/drm_stub.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.13.y.orig/drivers/char/drm/drm_stub.c
+++ linux-2.6.13.y/drivers/char/drm/drm_stub.c
@@ -47,7 +47,7 @@ MODULE_PARM_DESC(cards_limit, "Maximum n
 MODULE_PARM_DESC(debug, "Enable debug output");

 module_param_named(cards_limit, drm_cards_limit, int, 0444);
-module_param_named(debug, drm_debug, int, 0666);
+module_param_named(debug, drm_debug, int, 0600);

 drm_head_t **drm_heads;
 struct drm_sysfs_class *drm_class;


From: Pavel Roskin <proski at gnu.org>

The orinoco driver can send uninitialized data exposing random pieces of
the system memory.  This happens because data is not padded with zeroes
when its length needs to be increased.

Reported by Meder Kydyraliev <meder at o0o.nu>

Signed-off-by: Pavel Roskin <proski at gnu.org>
Signed-off-by: Chris Wright <chrisw at osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
 drivers/net/wireless/orinoco.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- linux-2.6.13.y.orig/drivers/net/wireless/orinoco.c
+++ linux-2.6.13.y/drivers/net/wireless/orinoco.c
@@ -502,9 +502,14 @@ static int orinoco_xmit(struct sk_buff *
                return 0;
        }

-       /* Length of the packet body */
-       /* FIXME: what if the skb is smaller than this? */
-       len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
+       /* Check packet length, pad short packets, round up odd length */
+       len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
+       if (skb->len < len) {
+               skb = skb_padto(skb, len);
+               if (skb == NULL)
+                       goto fail;
+       }
+       len -= ETH_HLEN;

        eh = (struct ethhdr *)skb->data;

@@ -556,8 +561,7 @@ static int orinoco_xmit(struct sk_buff *
                p = skb->data;
        }

-       /* Round up for odd length packets */
-       err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
+       err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
                                txfid, data_off);
        if (err) {
                printk(KERN_ERR "%s: Error %d writing packet to BAP\n",


