[Secure-testing-team] Re: Three more security problems in the 2.6 kernel
Horms
horms at debian.org
Tue Oct 11 05:31:40 UTC 2005
On Sun, Oct 09, 2005 at 12:18:54PM +0200, Moritz Muehlenhoff wrote:
> Hi Horms / security team,
> I found three more security related reports/patches on linux-kernel.
As mentioned elsewhere, the first (request_key_auth memleak) is CAN-2005-3119.
Can we get CAN numbers for the other two?
>
> Cheers,
> Moritz
>
> From: David Howells <dhowells at redhat.com>
>
> Plug request_key_auth memleak. This can be triggered by unprivileged
> users, so is local DoS.
>
> Signed-off-by: Chris Wright <chrisw at osdl.org>
> Signed-Off-By: David Howells <dhowells at redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
> ---
> security/keys/request_key_auth.c | 1 +
> 1 file changed, 1 insertion(+)
>
> --- linux-2.6.13.y.orig/security/keys/request_key_auth.c
> +++ linux-2.6.13.y/security/keys/request_key_auth.c
> @@ -96,6 +96,7 @@ static void request_key_auth_destroy(str
> kenter("{%d}", key->serial);
>
> key_put(rka->target_key);
> + kfree(rka);
>
> } /* end request_key_auth_destroy() */
>
>
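Review bot: kfree(rka) in request_key_auth_destroy() frees only the structure itself, and the visible context drops just one reference (rka->target_key) before it, so please confirm that rka owns no other allocation or key reference that also has to be released here, otherwise part of the leak remains. The order is right as posted: key_put(rka->target_key) has to stay ahead of the kfree() because it still reads through rka. The changelog would also help backporters if it said since which kernel version the free has been missing.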
> From: Dave Jones <davej at redhat.com>
>
> Please consider for next 2.6.13, it is a minor security issue allowing
> users to turn on drm debugging when they shouldn't...
>
> This fell through the cracks. Until Josh pointed me at
> http://bugs.gentoo.org/show_bug.cgi?id=107893
>
> Signed-off-by: Chris Wright <chrisw at osdl.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
> ---
> drivers/char/drm/drm_stub.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- linux-2.6.13.y.orig/drivers/char/drm/drm_stub.c
> +++ linux-2.6.13.y/drivers/char/drm/drm_stub.c
> @@ -47,7 +47,7 @@ MODULE_PARM_DESC(cards_limit, "Maximum n
> MODULE_PARM_DESC(debug, "Enable debug output");
>
> module_param_named(cards_limit, drm_cards_limit, int, 0444);
> -module_param_named(debug, drm_debug, int, 0666);
> +module_param_named(debug, drm_debug, int, 0600);
>
> drm_head_t **drm_heads;
> struct drm_sysfs_class *drm_class;
>
>
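Review bot: the new mode 0600 on the debug parameter removes world read access as well as world write, while the neighbouring cards_limit stays readable at 0444. If only writes by unprivileged users are the problem, 0644 would close it and keep the current value readable; if hiding the value is intended, the changelog should say so. The changelog also does not state what harm enabling debug output causes, which would be useful when the CAN entry is written.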
> From: Pavel Roskin <proski at gnu.org>
>
> The orinoco driver can send uninitialized data exposing random pieces of
> the system memory. This happens because data is not padded with zeroes
> when its length needs to be increased.
>
> Reported by Meder Kydyraliev <meder at o0o.nu>
>
> Signed-off-by: Pavel Roskin <proski at gnu.org>
> Signed-off-by: Chris Wright <chrisw at osdl.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
> ---
> drivers/net/wireless/orinoco.c | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
>
> --- linux-2.6.13.y.orig/drivers/net/wireless/orinoco.c
> +++ linux-2.6.13.y/drivers/net/wireless/orinoco.c
> @@ -502,9 +502,14 @@ static int orinoco_xmit(struct sk_buff *
> return 0;
> }
>
> - /* Length of the packet body */
> - /* FIXME: what if the skb is smaller than this? */
> - len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
> + /* Check packet length, pad short packets, round up odd length */
> + len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
> + if (skb->len < len) {
> + skb = skb_padto(skb, len);
> + if (skb == NULL)
> + goto fail;
> + }
> + len -= ETH_HLEN;
>
> eh = (struct ethhdr *)skb->data;
>
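Review bot: when skb_padto() fails in orinoco_xmit(), skb has already been overwritten with NULL before the goto fail, and the fail label is outside this hunk, so please check that the fail path neither dereferences nor frees skb and that it still accounts for the dropped packet. Separately, len holds the full frame length (header included) until the later "len -= ETH_HLEN;", which is easy to misread; a short comment on that line, or a separate variable for the padded frame length, would make the two meanings explicit.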
> @@ -556,8 +561,7 @@ static int orinoco_xmit(struct sk_buff *
> p = skb->data;
> }
>
> - /* Round up for odd length packets */
> - err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
> + err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
> txfid, data_off);
> if (err) {
> printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
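Review bot: hermes_bap_pwrite() now receives data_len without ALIGN(data_len, 2), which is only safe if data_len is always even at this point. The assignment to data_len is not in the visible context, so please confirm it derives from the len that the earlier hunk aligns and pads, on every branch that sets p. With the "Round up for odd length packets" comment removed, a one-line comment here saying the length was already rounded up in the length check would keep that dependency visible.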
--
Horms