03-22-2011, 01:09 AM
Tim Gardner

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 02:17 PM, Leann Ogasawara wrote:

The following changes since commit 41ff5f1360cf8dd8862cabd859a0ee2199ed933b:
Leann Ogasawara (1):
econet: Fix crash in aun_incoming(). CVE-2010-4342

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-dapper.git CVE-2010-4529

Dan Rosenberg (1):
irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

From cd765a405e0d70b3ddbd5befcc53fd72e0f2bf0a Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Wed, 22 Dec 2010 13:58:27 +0000
Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

CVE-2010-4529

BugLink: http://bugs.launchpad.net/bugs/737823

If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value. While this isn't a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures. In any event, this patch fixes it.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)

Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
---
net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 36789ee..30c2b77 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2158,6 +2158,14 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,

switch (optname) {
case IRLMP_ENUMDEVICES:
+
+ /* Offset to first device entry */
+ offset = sizeof(struct irda_device_list) -
+ sizeof(struct irda_device_info);
+
+ if (len< offset)
+ return -EINVAL;
+
/* Ask lmp for the current discovery log */
discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
self->nslots);
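Review bot: the added `if (len< offset)` check is only as strong as the types on either side of it, and neither declaration appears in this hunk. `offset` is assigned from a difference of two `sizeof` values; if both `len` and `offset` are signed ints, a negative user-supplied `len` is rejected here, but if either is unsigned, a negative `len` would compare as a very large value and pass. Please confirm the declarations in `irda_getsockopt()`, or that a negative `len` is already rejected earlier in the function, and note it in the commit message.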
@@ -2167,15 +2175,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
err = 0;

/* Write total list length back to client */
- if (copy_to_user(optval,&list,
- sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info)))
+ if (copy_to_user(optval,&list, offset))
err = -EFAULT;

- /* Offset to first device entry */
- offset = sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info);
-
/* Copy the list itself - watch for overflow */
if(list.len> 2048)
{
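Review bot: the commit message describes a `copy_to_user()` with a very large size, but the only `copy_to_user()` touched in this hunk copies the fixed `offset` bytes, so the expression that actually underflows is not visible in the diff. Naming in the commit message the later copy that relies on `len` being at least `offset` would let a reviewer of the backport verify from the patch alone that the early `-EINVAL` check covers it.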


Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
03-22-2011, 01:10 AM
Tim Gardner

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 02:17 PM, Leann Ogasawara wrote:

The following changes since commit 71fe9f31268272cb34fbbfbf5d2dafabf9777eb3:
Dan Rosenberg (1):
sound: Prevent buffer overflow in OSS load_mixer_volumes, CVE-2010-4527

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4529

Dan Rosenberg (1):
irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

From c623c0a56b655b717e47e7ca7e0b2c045ac31142 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Wed, 22 Dec 2010 13:58:27 +0000
Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

CVE-2010-4529

BugLink: http://bugs.launchpad.net/bugs/737823

If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value. While this isn't a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures. In any event, this patch fixes it.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)

Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
---
net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 2e8fcd0..eb84170 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2163,6 +2163,14 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,

switch (optname) {
case IRLMP_ENUMDEVICES:
+
+ /* Offset to first device entry */
+ offset = sizeof(struct irda_device_list) -
+ sizeof(struct irda_device_info);
+
+ if (len< offset)
+ return -EINVAL;
+
/* Ask lmp for the current discovery log */
discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
self->nslots);
@@ -2172,15 +2180,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
err = 0;

/* Write total list length back to client */
- if (copy_to_user(optval,&list,
- sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info)))
+ if (copy_to_user(optval,&list, offset))
err = -EFAULT;

- /* Offset to first device entry */
- offset = sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info);
-
/* Copy the list itself - watch for overflow */
if(list.len> 2048)
{


Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

 
03-22-2011, 01:10 AM
Tim Gardner

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 02:17 PM, Leann Ogasawara wrote:

The following changes since commit d57e49668c98881fc4daab39ea71dc24f838ea85:
Leann Ogasawara (1):
sound: Prevent buffer overflow in OSS load_mixer_volumes, CVE-2010-4527

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4529

Dan Rosenberg (1):
irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

From bbe20d84f2bc23756faf61ad1ca4e750b41d0e30 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Wed, 22 Dec 2010 13:58:27 +0000
Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

CVE-2010-4529

BugLink: http://bugs.launchpad.net/bugs/737823

If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value. While this isn't a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures. In any event, this patch fixes it.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)

Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
---
net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index ad88268..a93afad 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2164,6 +2164,14 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,

switch (optname) {
case IRLMP_ENUMDEVICES:
+
+ /* Offset to first device entry */
+ offset = sizeof(struct irda_device_list) -
+ sizeof(struct irda_device_info);
+
+ if (len< offset)
+ return -EINVAL;
+
/* Ask lmp for the current discovery log */
discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
self->nslots);
@@ -2173,15 +2181,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
err = 0;

/* Write total list length back to client */
- if (copy_to_user(optval,&list,
- sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info)))
+ if (copy_to_user(optval,&list, offset))
err = -EFAULT;

- /* Offset to first device entry */
- offset = sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info);
-
/* Copy the list itself - watch for overflow */
if(list.len> 2048)
{


Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

 
03-22-2011, 01:11 AM
Tim Gardner

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 02:17 PM, Leann Ogasawara wrote:

The following changes since commit d524d2d15c73e43c3bbb0a2e63d8c8912aa0cb8f:
Leann Ogasawara (1):
igb: only use vlan_gro_receive if vlans are registered, CVE-2010-4263

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-lucid.git CVE-2010-4529

Dan Rosenberg (1):
irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

From 569f2b303a56863f8fb98e57b64a7610d8c768b2 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Wed, 22 Dec 2010 13:58:27 +0000
Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

CVE-2010-4529

BugLink: http://bugs.launchpad.net/bugs/737823

If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value. While this isn't a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures. In any event, this patch fixes it.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)

Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
---
net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index b6cef98..476b24e 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2164,6 +2164,14 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,

switch (optname) {
case IRLMP_ENUMDEVICES:
+
+ /* Offset to first device entry */
+ offset = sizeof(struct irda_device_list) -
+ sizeof(struct irda_device_info);
+
+ if (len< offset)
+ return -EINVAL;
+
/* Ask lmp for the current discovery log */
discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
self->nslots);
@@ -2173,15 +2181,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
err = 0;

/* Write total list length back to client */
- if (copy_to_user(optval,&list,
- sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info)))
+ if (copy_to_user(optval,&list, offset))
err = -EFAULT;

- /* Offset to first device entry */
- offset = sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info);
-
/* Copy the list itself - watch for overflow */
if(list.len> 2048)
{


Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

 
03-22-2011, 01:11 AM
Tim Gardner

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 02:17 PM, Leann Ogasawara wrote:

The following changes since commit 98e5bbf03976d01a116c000ec141ec7b5325f759:
Brad Figg (1):
UBUNTU: Ubuntu-2.6.35-28.50

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-maverick.git CVE-2010-4529

Dan Rosenberg (1):
irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

From c67f25c8d3cca155f07f9969112468cee07cdbf9 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Wed, 22 Dec 2010 13:58:27 +0000
Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

CVE-2010-4529

BugLink: http://bugs.launchpad.net/bugs/737823

If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value. While this isn't a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures. In any event, this patch fixes it.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)

Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
---
net/irda/af_irda.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index fd55b51..83ef96e 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2278,6 +2278,14 @@ static int __irda_getsockopt(struct socket *sock, int level, int optname,

switch (optname) {
case IRLMP_ENUMDEVICES:
+
+ /* Offset to first device entry */
+ offset = sizeof(struct irda_device_list) -
+ sizeof(struct irda_device_info);
+
+ if (len< offset)
+ return -EINVAL;
+
/* Ask lmp for the current discovery log */
discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
self->nslots);
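Review bot: the added `return -EINVAL` leaves `__irda_getsockopt()` directly, whereas the error path visible in the next hunk records failures in `err`. Because the check sits ahead of `irlmp_get_discoveries()`, nothing allocated for this case is skipped, but please confirm that nothing acquired before the `switch` (a lock, a reference) needs releasing on this path; if it does, set `err = -EINVAL` and leave through the function's common exit instead.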
@@ -2287,15 +2295,9 @@ static int __irda_getsockopt(struct socket *sock, int level, int optname,
err = 0;

/* Write total list length back to client */
- if (copy_to_user(optval,&list,
- sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info)))
+ if (copy_to_user(optval,&list, offset))
err = -EFAULT;

- /* Offset to first device entry */
- offset = sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info);
-
/* Copy the list itself - watch for overflow */
if(list.len> 2048)
{


Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

 
03-22-2011, 02:12 PM
Stefan Bader

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 08:17 PM, Leann Ogasawara wrote:
> The following changes since commit 98e5bbf03976d01a116c000ec141ec7b5325f759:
> Brad Figg (1):
> UBUNTU: Ubuntu-2.6.35-28.50
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/ogasawara/ubuntu-maverick.git CVE-2010-4529
>
> Dan Rosenberg (1):
> irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> From c67f25c8d3cca155f07f9969112468cee07cdbf9 Mon Sep 17 00:00:00 2001
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> Date: Wed, 22 Dec 2010 13:58:27 +0000
> Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> CVE-2010-4529
>
> BugLink: http://bugs.launchpad.net/bugs/737823
>
> If the user-provided len is less than the expected offset, the
> IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
> size value. While this isn't a security issue on x86 because it will
> get caught by the access_ok() check, it may leak large amounts of kernel
> heap on other architectures. In any event, this patch fixes it.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)
>
> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
> ---
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
> index fd55b51..83ef96e 100644
> --- a/net/irda/af_irda.c
> +++ b/net/irda/af_irda.c
> @@ -2278,6 +2278,14 @@ static int __irda_getsockopt(struct socket *sock, int level, int optname,
>
> switch (optname) {
> case IRLMP_ENUMDEVICES:
> +
> + /* Offset to first device entry */
> + offset = sizeof(struct irda_device_list) -
> + sizeof(struct irda_device_info);
> +
> + if (len < offset)
> + return -EINVAL;
> +
> /* Ask lmp for the current discovery log */
> discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
> self->nslots);
> @@ -2287,15 +2295,9 @@ static int __irda_getsockopt(struct socket *sock, int level, int optname,
> err = 0;
>
> /* Write total list length back to client */
> - if (copy_to_user(optval, &list,
> - sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info)))
> + if (copy_to_user(optval, &list, offset))
> err = -EFAULT;
>
> - /* Offset to first device entry */
> - offset = sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info);
> -
> /* Copy the list itself - watch for overflow */
> if(list.len > 2048)
> {
Acked-by: Stefan Bader <stefan.bader@canonical.com>

 
03-22-2011, 02:13 PM
Stefan Bader

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 08:17 PM, Leann Ogasawara wrote:
> The following changes since commit d524d2d15c73e43c3bbb0a2e63d8c8912aa0cb8f:
> Leann Ogasawara (1):
> igb: only use vlan_gro_receive if vlans are registered, CVE-2010-4263
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/ogasawara/ubuntu-lucid.git CVE-2010-4529
>
> Dan Rosenberg (1):
> irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> From 569f2b303a56863f8fb98e57b64a7610d8c768b2 Mon Sep 17 00:00:00 2001
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> Date: Wed, 22 Dec 2010 13:58:27 +0000
> Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> CVE-2010-4529
>
> BugLink: http://bugs.launchpad.net/bugs/737823
>
> If the user-provided len is less than the expected offset, the
> IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
> size value. While this isn't a security issue on x86 because it will
> get caught by the access_ok() check, it may leak large amounts of kernel
> heap on other architectures. In any event, this patch fixes it.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)
>
> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
> ---
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
> index b6cef98..476b24e 100644
> --- a/net/irda/af_irda.c
> +++ b/net/irda/af_irda.c
> @@ -2164,6 +2164,14 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
>
> switch (optname) {
> case IRLMP_ENUMDEVICES:
> +
> + /* Offset to first device entry */
> + offset = sizeof(struct irda_device_list) -
> + sizeof(struct irda_device_info);
> +
> + if (len < offset)
> + return -EINVAL;
> +
> /* Ask lmp for the current discovery log */
> discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
> self->nslots);
> @@ -2173,15 +2181,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
> err = 0;
>
> /* Write total list length back to client */
> - if (copy_to_user(optval, &list,
> - sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info)))
> + if (copy_to_user(optval, &list, offset))
> err = -EFAULT;
>
> - /* Offset to first device entry */
> - offset = sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info);
> -
> /* Copy the list itself - watch for overflow */
> if(list.len > 2048)
> {
Acked-by: Stefan Bader <stefan.bader@canonical.com>

 
03-22-2011, 02:14 PM
Stefan Bader

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 08:17 PM, Leann Ogasawara wrote:
> The following changes since commit d57e49668c98881fc4daab39ea71dc24f838ea85:
> Leann Ogasawara (1):
> sound: Prevent buffer overflow in OSS load_mixer_volumes, CVE-2010-4527
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4529
>
> Dan Rosenberg (1):
> irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> From bbe20d84f2bc23756faf61ad1ca4e750b41d0e30 Mon Sep 17 00:00:00 2001
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> Date: Wed, 22 Dec 2010 13:58:27 +0000
> Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> CVE-2010-4529
>
> BugLink: http://bugs.launchpad.net/bugs/737823
>
> If the user-provided len is less than the expected offset, the
> IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
> size value. While this isn't a security issue on x86 because it will
> get caught by the access_ok() check, it may leak large amounts of kernel
> heap on other architectures. In any event, this patch fixes it.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)
>
> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
> ---
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
> index ad88268..a93afad 100644
> --- a/net/irda/af_irda.c
> +++ b/net/irda/af_irda.c
> @@ -2164,6 +2164,14 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
>
> switch (optname) {
> case IRLMP_ENUMDEVICES:
> +
> + /* Offset to first device entry */
> + offset = sizeof(struct irda_device_list) -
> + sizeof(struct irda_device_info);
> +
> + if (len < offset)
> + return -EINVAL;
> +
> /* Ask lmp for the current discovery log */
> discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
> self->nslots);
> @@ -2173,15 +2181,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
> err = 0;
>
> /* Write total list length back to client */
> - if (copy_to_user(optval, &list,
> - sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info)))
> + if (copy_to_user(optval, &list, offset))
> err = -EFAULT;
>
> - /* Offset to first device entry */
> - offset = sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info);
> -
> /* Copy the list itself - watch for overflow */
> if(list.len > 2048)
> {
Acked-by: Stefan Bader <stefan.bader@canonical.com>

 
03-22-2011, 02:20 PM
Stefan Bader

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 08:17 PM, Leann Ogasawara wrote:
> The following changes since commit 71fe9f31268272cb34fbbfbf5d2dafabf9777eb3:
> Dan Rosenberg (1):
> sound: Prevent buffer overflow in OSS load_mixer_volumes, CVE-2010-4527
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4529
>
> Dan Rosenberg (1):
> irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> From c623c0a56b655b717e47e7ca7e0b2c045ac31142 Mon Sep 17 00:00:00 2001
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> Date: Wed, 22 Dec 2010 13:58:27 +0000
> Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> CVE-2010-4529
>
> BugLink: http://bugs.launchpad.net/bugs/737823
>
> If the user-provided len is less than the expected offset, the
> IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
> size value. While this isn't a security issue on x86 because it will
> get caught by the access_ok() check, it may leak large amounts of kernel
> heap on other architectures. In any event, this patch fixes it.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)
>
> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
> ---
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
> index 2e8fcd0..eb84170 100644
> --- a/net/irda/af_irda.c
> +++ b/net/irda/af_irda.c
> @@ -2163,6 +2163,14 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
>
> switch (optname) {
> case IRLMP_ENUMDEVICES:
> +
> + /* Offset to first device entry */
> + offset = sizeof(struct irda_device_list) -
> + sizeof(struct irda_device_info);
> +
> + if (len < offset)
> + return -EINVAL;
> +
> /* Ask lmp for the current discovery log */
> discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
> self->nslots);
> @@ -2172,15 +2180,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
> err = 0;
>
> /* Write total list length back to client */
> - if (copy_to_user(optval, &list,
> - sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info)))
> + if (copy_to_user(optval, &list, offset))
> err = -EFAULT;
>
> - /* Offset to first device entry */
> - offset = sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info);
> -
> /* Copy the list itself - watch for overflow */
> if(list.len > 2048)
> {
Acked-by: Stefan Bader <stefan.bader@canonical.com>

 
03-22-2011, 02:20 PM
Stefan Bader

irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

On 03/21/2011 08:17 PM, Leann Ogasawara wrote:
> The following changes since commit 41ff5f1360cf8dd8862cabd859a0ee2199ed933b:
> Leann Ogasawara (1):
> econet: Fix crash in aun_incoming(). CVE-2010-4342
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/ogasawara/ubuntu-dapper.git CVE-2010-4529
>
> Dan Rosenberg (1):
> irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> From cd765a405e0d70b3ddbd5befcc53fd72e0f2bf0a Mon Sep 17 00:00:00 2001
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> Date: Wed, 22 Dec 2010 13:58:27 +0000
> Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> CVE-2010-4529
>
> BugLink: http://bugs.launchpad.net/bugs/737823
>
> If the user-provided len is less than the expected offset, the
> IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
> size value. While this isn't a security issue on x86 because it will
> get caught by the access_ok() check, it may leak large amounts of kernel
> heap on other architectures. In any event, this patch fixes it.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (backport of upstream commit fdac1e0697356ac212259f2147aa60c72e334861)
>
> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
> ---
> net/irda/af_irda.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
> index 36789ee..30c2b77 100644
> --- a/net/irda/af_irda.c
> +++ b/net/irda/af_irda.c
> @@ -2158,6 +2158,14 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
>
> switch (optname) {
> case IRLMP_ENUMDEVICES:
> +
> + /* Offset to first device entry */
> + offset = sizeof(struct irda_device_list) -
> + sizeof(struct irda_device_info);
> +
> + if (len < offset)
> + return -EINVAL;
> +
> /* Ask lmp for the current discovery log */
> discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
> self->nslots);
> @@ -2167,15 +2175,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
> err = 0;
>
> /* Write total list length back to client */
> - if (copy_to_user(optval, &list,
> - sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info)))
> + if (copy_to_user(optval, &list, offset))
> err = -EFAULT;
>
> - /* Offset to first device entry */
> - offset = sizeof(struct irda_device_list) -
> - sizeof(struct irda_device_info);
> -
> /* Copy the list itself - watch for overflow */
> if(list.len > 2048)
> {
Acked-by: Stefan Bader <stefan.bader@canonical.com>

 
