This is a note to let you know that I've just added the patch titled
irda: prevent integer underflow in IRLMP_ENUMDEVICES
to the 2.6.33-longterm tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.33.git;a=summary
The filename of the patch is:
irda-prevent-integer-underflow-in-irlmp_enumdevices.patch
and it can be found in the queue-2.6.33 subdirectory.
If you, or anyone else, feels it should not be added to the 2.6.33 longterm
tree,
please let <[email protected]> know about it.
>From fdac1e0697356ac212259f2147aa60c72e334861 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <[email protected]>
Date: Wed, 22 Dec 2010 13:58:27 +0000
Subject: irda: prevent integer underflow in IRLMP_ENUMDEVICES
From: Dan Rosenberg <[email protected]>
commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.
If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value. While this isn't be a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures. In any event, this patch fixes it.
Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/irda/af_irda.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2277,6 +2277,14 @@ static int __irda_getsockopt(struct sock
switch (optname) {
case IRLMP_ENUMDEVICES:
+
+ /* Offset to first device entry */
+ offset = sizeof(struct irda_device_list) -
+ sizeof(struct irda_device_info);
+
+ if (len < offset)
+ return -EINVAL;
+
/* Ask lmp for the current discovery log */
discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
self->nslots);
@@ -2286,15 +2294,9 @@ static int __irda_getsockopt(struct sock
err = 0;
/* Write total list length back to client */
- if (copy_to_user(optval, &list,
- sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info)))
+ if (copy_to_user(optval, &list, offset))
err = -EFAULT;
- /* Offset to first device entry */
- offset = sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info);
-
/* Copy the list itself - watch for overflow */
if(list.len > 2048)
{
Patches currently in longterm-queue-2.6.33 which might be from
[email protected] are
/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/sound-oss-remove-offset-from-load_patch-callbacks.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/rose-prevent-heap-corruption-with-bad-facilities.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/xfs-prevent-leaking-uninitialized-stack-memory-in-fsgeometry_v1.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/irda-prevent-heap-corruption-on-invalid-nickname.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/irda-validate-peer-name-and-attribute-lengths.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/sound-oss-opl3-validate-voice-and-channel-indexes.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/irda-prevent-integer-underflow-in-irlmp_enumdevices.patch
/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/can-use-inode-instead-of-kernel-address-for-proc-file.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
