Author: horms Date: Thu Jan 5 08:13:55 2006 New Revision: 5264 Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/200_net_sdla_xfer_leak.diff Log: * [SECURITY] Information leak in sdla From 2.6.6 See CVE-2004-2607 200_net_sdla_xfer_leak.diff
Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/200_net_sdla_xfer_leak.diff ============================================================================== --- (empty file) +++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/200_net_sdla_xfer_leak.diff Thu Jan 5 08:13:55 2006 @@ -0,0 +1,52 @@ +From: Chris Wright <[EMAIL PROTECTED]> +Date: Mon, 19 Apr 2004 08:26:30 +0000 (-0400) +Subject: [PATCH] wan sdla: fix probable security hole +X-Git-Tag: v2.6.6-rc2 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=98cd917c1ac348d5cd94beabecc3011dcaa0a0f2 + +[PATCH] wan sdla: fix probable security hole + +> [BUG] minor +> /home/kash/linux/linux-2.6.5/drivers/net/wan/sdla.c:1206:sdla_xfer: +> ERROR:TAINT: 1201:1206:Passing unbounded user value "(mem).len" as arg 0 +> to function "kmalloc", which uses it unsafely in model +> [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)] +> [SINK_MODEL=(lib,kmalloc,user,trustingsink)] [MINOR] [PATH=] [Also +> used at, line 1219 in argument 0 to function "kmalloc"] +> static int sdla_xfer(struct net_device *dev, struct sdla_mem *info, int +> read) +> { +> struct sdla_mem mem; +> char *temp; +> +> Start ---> +> if(copy_from_user(&mem, info, sizeof(mem))) +> return -EFAULT; +> +> if (read) +> { +> Error ---> +> temp = kmalloc(mem.len, GFP_KERNEL); +> if (!temp) +> return(-ENOMEM); +> sdla_read(dev, mem.addr, temp, mem.len); + +Hrm, I believe you could use this to read 128k of kernel memory. +sdla_read() takes len as a short, whereas mem.len is an int. So, +if mem.len == 0x20000, the allocation could still succeed. When cast +to short, len will be 0x0, causing the read loop to copy nothing into +the buffer. At least it's protected by a capable() check. I don't +know what proper upper bound is for this hardware, or how much it's +used/cared about. Simple memset() is trivial fix. +--- + +--- a/drivers/net/wan/sdla.c ++++ b/drivers/net/wan/sdla.c +@@ -1206,6 +1206,7 @@ static int sdla_xfer(struct net_device * + temp = kmalloc(mem.len, GFP_KERNEL); + if (!temp) + return(-ENOMEM); ++ memset(temp, 0, mem.len); + sdla_read(dev, mem.addr, temp, mem.len); + if(copy_to_user(mem.data, temp, mem.len)) + { _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes