[kernel] r17581 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Jun 2 04:40:04 UTC 2011
Author: dannf
Date: Thu Jun 2 04:40:02 2011
New Revision: 17581
Log:
sound/oss: remove offset from load_patch callbacks (CVE-2011-1476)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sound-oss-remove-offset-from-load_patch-callbacks.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Jun 2 03:38:54 2011 (r17580)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Jun 2 04:40:02 2011 (r17581)
@@ -31,6 +31,7 @@
* net: ax25: improve information leak to userland fix, a further fix
for CVE-2010-3875
* char/tpm: Fix unitialized usage of data buffer (CVE-2011-1160)
+ * sound/oss: remove offset from load_patch callbacks (CVE-2011-1476)
[ Ben Hutchings ]
* [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sound-oss-remove-offset-from-load_patch-callbacks.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sound-oss-remove-offset-from-load_patch-callbacks.patch Thu Jun 2 04:40:02 2011 (r17581)
@@ -0,0 +1,150 @@
+commit b769f49463711205d57286e64cf535ed4daf59e9
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed Mar 23 10:53:41 2011 -0400
+
+ sound/oss: remove offset from load_patch callbacks
+
+ Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
+ uninitialized value, and signedness issue
+
+ The offset passed to midi_synth_load_patch() can be essentially
+ arbitrary. If it's greater than the header length, this will result in
+ a copy_from_user(dst, src, negative_val). While this will just return
+ -EFAULT on x86, on other architectures this may cause memory corruption.
+ Additionally, the length field of the sysex_info structure may not be
+ initialized prior to its use. Finally, a signed comparison may result
+ in an unintentionally large loop.
+
+ On suggestion by Takashi Iwai, version two removes the offset argument
+ from the load_patch callbacks entirely, which also resolves similar
+ issues in opl3. Compile tested only.
+
+ v3 adjusts comments and hopefully gets copy offsets right.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/oss/dev_table.h b/sound/oss/dev_table.h
+index b7617be..0199a31 100644
+--- a/sound/oss/dev_table.h
++++ b/sound/oss/dev_table.h
+@@ -271,7 +271,7 @@ struct synth_operations
+ void (*reset) (int dev);
+ void (*hw_control) (int dev, unsigned char *event);
+ int (*load_patch) (int dev, int format, const char __user *addr,
+- int offs, int count, int pmgr_flag);
++ int count, int pmgr_flag);
+ void (*aftertouch) (int dev, int voice, int pressure);
+ void (*controller) (int dev, int voice, int ctrl_num, int value);
+ void (*panning) (int dev, int voice, int value);
+diff --git a/sound/oss/midi_synth.c b/sound/oss/midi_synth.c
+index 3c09374..2292c23 100644
+--- a/sound/oss/midi_synth.c
++++ b/sound/oss/midi_synth.c
+@@ -476,7 +476,7 @@ EXPORT_SYMBOL(midi_synth_hw_control);
+
+ int
+ midi_synth_load_patch(int dev, int format, const char __user *addr,
+- int offs, int count, int pmgr_flag)
++ int count, int pmgr_flag)
+ {
+ int orig_dev = synth_devs[dev]->midi_dev;
+
+@@ -491,33 +491,29 @@ midi_synth_load_patch(int dev, int format, const char __user *addr,
+ if (!prefix_cmd(orig_dev, 0xf0))
+ return 0;
+
++ /* Invalid patch format */
+ if (format != SYSEX_PATCH)
+- {
+-/* printk("MIDI Error: Invalid patch format (key) 0x%x\n", format);*/
+ return -EINVAL;
+- }
++
++ /* Patch header too short */
+ if (count < hdr_size)
+- {
+-/* printk("MIDI Error: Patch header too short\n");*/
+ return -EINVAL;
+- }
++
+ count -= hdr_size;
+
+ /*
+- * Copy the header from user space but ignore the first bytes which have
+- * been transferred already.
++ * Copy the header from user space
+ */
+
+- if(copy_from_user(&((char *) &sysex)[offs], &(addr)[offs], hdr_size - offs))
++ if (copy_from_user(&sysex, addr, hdr_size))
+ return -EFAULT;
+-
+- if (count < sysex.len)
+- {
+-/* printk(KERN_WARNING "MIDI Warning: Sysex record too short (%d<%d)\n", count, (int) sysex.len);*/
++
++ /* Sysex record too short */
++ if ((unsigned)count < (unsigned)sysex.len)
+ sysex.len = count;
+- }
+- left = sysex.len;
+- src_offs = 0;
++
++ left = sysex.len;
++ src_offs = 0;
+
+ for (i = 0; i < left && !signal_pending(current); i++)
+ {
+diff --git a/sound/oss/midi_synth.h b/sound/oss/midi_synth.h
+index 6bc9d00..b64ddd6 100644
+--- a/sound/oss/midi_synth.h
++++ b/sound/oss/midi_synth.h
+@@ -8,7 +8,7 @@ int midi_synth_open (int dev, int mode);
+ void midi_synth_close (int dev);
+ void midi_synth_hw_control (int dev, unsigned char *event);
+ int midi_synth_load_patch (int dev, int format, const char __user * addr,
+- int offs, int count, int pmgr_flag);
++ int count, int pmgr_flag);
+ void midi_synth_panning (int dev, int channel, int pressure);
+ void midi_synth_aftertouch (int dev, int channel, int pressure);
+ void midi_synth_controller (int dev, int channel, int ctrl_num, int value);
+diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
+index 938c48c..cbf9574 100644
+--- a/sound/oss/opl3.c
++++ b/sound/oss/opl3.c
+@@ -820,7 +820,7 @@ static void opl3_hw_control(int dev, unsigned char *event)
+ }
+
+ static int opl3_load_patch(int dev, int format, const char __user *addr,
+- int offs, int count, int pmgr_flag)
++ int count, int pmgr_flag)
+ {
+ struct sbi_instrument ins;
+
+@@ -830,11 +830,7 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
+ return -EINVAL;
+ }
+
+- /*
+- * What the fuck is going on here? We leave junk in the beginning
+- * of ins and then check the field pretty close to that beginning?
+- */
+- if(copy_from_user(&((char *) &ins)[offs], addr + offs, sizeof(ins) - offs))
++ if (copy_from_user(&ins, addr, sizeof(ins)))
+ return -EFAULT;
+
+ if (ins.channel < 0 || ins.channel >= SBFM_MAXINSTR)
+diff --git a/sound/oss/sequencer.c b/sound/oss/sequencer.c
+index 5ea1098..30bcfe4 100644
+--- a/sound/oss/sequencer.c
++++ b/sound/oss/sequencer.c
+@@ -241,7 +241,7 @@ int sequencer_write(int dev, struct file *file, const char __user *buf, int coun
+ return -ENXIO;
+
+ fmt = (*(short *) &event_rec[0]) & 0xffff;
+- err = synth_devs[dev]->load_patch(dev, fmt, buf, p + 4, c, 0);
++ err = synth_devs[dev]->load_patch(dev, fmt, buf + p, c, 0);
+ if (err < 0)
+ return err;
+
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Thu Jun 2 03:38:54 2011 (r17580)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Thu Jun 2 04:40:02 2011 (r17581)
@@ -28,3 +28,4 @@
+ bugfix/all/serial_core-clean-data-before-filling-it.patch
+ bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch
+ bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch
++ bugfix/all/sound-oss-remove-offset-from-load_patch-callbacks.patch
More information about the Kernel-svn-changes
mailing list