[kernel] r9059 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Wed, 04 Jul 2007 07:59:16 -0700 

Author: dannf
Date: Wed Jul  4 14:59:11 2007
New Revision: 9059

Log:
* bugfix/usblcd-limit-memory-consumption.patch
  [SECURITY] limit memory consumption during write in the usblcd driver
  See CVE-2007-3513

Added:
   
dists/etch-security/linux-2.6/debian/patches/bugfix/usblcd-limit-memory-consumption.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/12etch3

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Wed Jul  4 14:59:11 2007
@@ -6,8 +6,11 @@
   * bugfix/fat-move-ioctl-compat-code.patch, bugfix/fat-fix-compat-ioctls.patch
     [SECURITY] Fix kernel_dirent corruption in the compat layer for fat ioctls
     See CVE-2007-2878
+  * bugfix/usblcd-limit-memory-consumption.patch
+    [SECURITY] limit memory consumption during write in the usblcd driver
+    See CVE-2007-3513
 
- -- dann frazier <[EMAIL PROTECTED]>  Sat, 23 Jun 2007 18:38:19 +0100
+ -- dann frazier <[EMAIL PROTECTED]>  Wed, 04 Jul 2007 08:57:36 -0600
 
 linux-2.6 (2.6.18.dfsg.1-12etch2) stable-security; urgency=high
 

Added: 
dists/etch-security/linux-2.6/debian/patches/bugfix/usblcd-limit-memory-consumption.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/usblcd-limit-memory-consumption.patch
   Wed Jul  4 14:59:11 2007
@@ -0,0 +1,88 @@
+From: Oliver Neukum <[EMAIL PROTECTED]>
+Date: Mon, 11 Jun 2007 13:36:02 +0000 (+0200)
+Subject: USB: usblcd doesn't limit memory consumption during write
+X-Git-Tag: v2.6.22-rc7~49^2~3
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5afeb104e7901168b21aad0437fb51dc620dfdd3
+
+USB: usblcd doesn't limit memory consumption during write
+
+usblcd currently has no way to limit memory consumption by fast writers.
+This is a security problem, as it allows users with write access to this
+device to drive the system into oom despite resource limits.
+Here's the fix taken from the modern skeleton driver.
+
+Signed-off-by: Oliver Neukum <[EMAIL PROTECTED]>
+Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
+---
+
+diff --git a/drivers/usb/misc/usblcd.c b/drivers/usb/misc/usblcd.c
+index 887ef95..12bad8a 100644
+--- a/drivers/usb/misc/usblcd.c
++++ b/drivers/usb/misc/usblcd.c
+@@ -42,10 +42,14 @@ struct usb_lcd {
+       size_t                  bulk_in_size;           /* the size of the 
receive buffer */
+       __u8                    bulk_in_endpointAddr;   /* the address of the 
bulk in endpoint */
+       __u8                    bulk_out_endpointAddr;  /* the address of the 
bulk out endpoint */
+-      struct kref             kref;
++      struct kref             kref;
++      struct semaphore        limit_sem;              /* to stop writes at 
full throttle from
++                                                       * using up all RAM */
+ };
+ #define to_lcd_dev(d) container_of(d, struct usb_lcd, kref)
+ 
++#define USB_LCD_CONCURRENT_WRITES     5
++
+ static struct usb_driver lcd_driver;
+ static DEFINE_MUTEX(usb_lcd_open_mutex);
+ 
+@@ -186,12 +190,13 @@ static void lcd_write_bulk_callback(struct urb *urb)
+       /* free up our allocated buffer */
+       usb_buffer_free(urb->dev, urb->transfer_buffer_length,
+                       urb->transfer_buffer, urb->transfer_dma);
++      up(&dev->limit_sem);
+ }
+ 
+ static ssize_t lcd_write(struct file *file, const char __user * user_buffer, 
size_t count, loff_t *ppos)
+ {
+       struct usb_lcd *dev;
+-        int retval = 0;
++        int retval = 0, r;
+       struct urb *urb = NULL;
+       char *buf = NULL;
+       
+@@ -201,10 +206,16 @@ static ssize_t lcd_write(struct file *file, const char 
__user * user_buffer, siz
+       if (count == 0)
+               goto exit;
+ 
++      r = down_interruptible(&dev->limit_sem);
++      if (r < 0)
++              return -EINTR;
++
+       /* create a urb, and a buffer for it, and copy the data to the urb */
+       urb = usb_alloc_urb(0, GFP_KERNEL);
+-      if (!urb)
+-              return -ENOMEM;
++      if (!urb) {
++              retval = -ENOMEM;
++              goto err_no_buf;
++      }
+       
+       buf = usb_buffer_alloc(dev->udev, count, GFP_KERNEL, 
&urb->transfer_dma);
+       if (!buf) {
+@@ -239,6 +250,8 @@ exit:
+ error:
+       usb_buffer_free(dev->udev, count, buf, urb->transfer_dma);
+       usb_free_urb(urb);
++err_no_buf:
++      up(&dev->limit_sem);
+       return retval;
+ }
+ 
+@@ -277,6 +290,7 @@ static int lcd_probe(struct usb_interface *interface, 
const struct usb_device_id
+               goto error;
+       }
+       kref_init(&dev->kref);
++      sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES);
+ 
+       dev->udev = usb_get_dev(interface_to_usbdev(interface));
+       dev->interface = interface;

Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch3 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch3 Wed Jul  4 
14:59:11 2007
@@ -1,3 +1,4 @@
 + bugfix/bluetooth-l2cap-hci-info-leaks.patch
 + bugfix/fat-move-ioctl-compat-code.patch
 + bugfix/fat-fix-compat-ioctls.patch
++ bugfix/usblcd-limit-memory-consumption.patch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

Reply via email to