[kernel] r19989 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Sun Apr 28 20:51:47 UTC 2013


Author: benh
Date: Sun Apr 28 20:51:47 2013
New Revision: 19989

Log:
fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check (CVE-2013-1928)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/fs-compat_ioctl.c-VIDEO_SET_SPU_PALETTE-missing-erro.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 28 20:36:59 2013	(r19988)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 28 20:51:47 2013	(r19989)
@@ -34,6 +34,8 @@
   * USB: cdc-wdm: fix buffer overflow (CVE-2013-1860)
   * dcbnl: Fix netlink info leak (CVE-2013-2634)
   * intel-iommu: Flush unmaps at domain_exit
+  * fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
+    (CVE-2013-1928)
 
  -- dann frazier <dannf at dannf.org>  Mon, 11 Mar 2013 08:47:43 +0100
 
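Review bot: The stanza trailer right below the new entry still reads "-- dann frazier ... Mon, 11 Mar 2013", while this entry is committed on 28 Apr 2013 by benh; check that the trailer is refreshed when the stanza is finalised. The entry also says only "missing error check", whereas the dcbnl line above it names the effect ("info leak"); since the patch description calls this a leak of kernel stack contents, saying so here would make the impact of CVE-2013-1928 clear to anyone reading the changelog alone.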

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/fs-compat_ioctl.c-VIDEO_SET_SPU_PALETTE-missing-erro.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/fs-compat_ioctl.c-VIDEO_SET_SPU_PALETTE-missing-erro.patch	Sun Apr 28 20:51:47 2013	(r19989)
@@ -0,0 +1,35 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Thu, 25 Oct 2012 13:38:16 -0700
+Subject: fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
+
+commit 12176503366885edd542389eed3aaf94be163fdb upstream.
+
+The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check
+while converting ioctl arguments.  This could lead to leaking kernel
+stack contents into userspace.
+
+Patch extracted from existing fix in grsecurity.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: David Miller <davem at davemloft.net>
+Cc: Brad Spengler <spender at grsecurity.net>
+Cc: PaX Team <pageexec at freemail.hu>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/compat_ioctl.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
+index f505402..4c6285f 100644
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -210,6 +210,8 @@ static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd,
+ 
+ 	err  = get_user(palp, &up->palette);
+ 	err |= get_user(length, &up->length);
++	if (err)
++		return -EFAULT;
+ 
+ 	up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
+ 	err  = put_user(compat_ptr(palp), &up_native->palette);
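Review bot: The patch description does not explain why the check must sit directly after the two get_user() calls in the fs/compat_ioctl.c hunk. The next statement, "err  = put_user(compat_ptr(palp), &up_native->palette);", assigns with "=" rather than "|=", so without the early return a failed get_user() is discarded and palp is written out to user space without having been read successfully. A sentence to that effect in the header would help future backporters. The rest of the function lies outside the three context lines shown, so when applying this to the squeeze tree it is also worth confirming that the result of the later put_user() calls is still checked before the ioctl is forwarded.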

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Sun Apr 28 20:36:59 2013	(r19988)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Sun Apr 28 20:51:47 2013	(r19989)
@@ -34,3 +34,4 @@
 + bugfix/all/USB-cdc-wdm-fix-buffer-overflow.patch
 + bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
 + bugfix/all/intel-iommu-Flush-unmaps-at-domain_exit.patch
++ bugfix/all/fs-compat_ioctl.c-VIDEO_SET_SPU_PALETTE-missing-erro.patch
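Review bot: The new series entry ends in "missing-erro.patch", a name cut off mid-word. It matches the file added in this revision, so the series applies, but a complete or deliberately shortened name (for example one ending in "missing-error-check.patch") would be easier to search for alongside the other bugfix/all entries.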


