Author: dannf Date: Wed Jan 16 07:02:02 2008 New Revision: 10121 Log: * bugfix/proc-snd-page-alloc-mem-leak.patch [SECURITY] Fix an issue in the alsa subsystem that allows a local user to read potentially sensitive kernel memory from the proc filesystem See CVE-2007-4571
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/proc-snd-page-alloc-mem-leak.patch Modified: dists/etch-security/linux-2.6/debian/changelog dists/etch-security/linux-2.6/debian/patches/series/17etch1 Modified: dists/etch-security/linux-2.6/debian/changelog ============================================================================== --- dists/etch-security/linux-2.6/debian/changelog (original) +++ dists/etch-security/linux-2.6/debian/changelog Wed Jan 16 07:02:02 2008 @@ -11,6 +11,10 @@ [SECURITY][ABI Changer] Fix kernel_dirent corruption in the compat layer for fat ioctls See CVE-2007-2878 + * bugfix/proc-snd-page-alloc-mem-leak.patch + [SECURITY] Fix an issue in the alsa subsystem that allows a local user + to read potentially sensitive kernel memory from the proc filesystem + See CVE-2007-4571 -- dann frazier <[EMAIL PROTECTED]> Tue, 15 Jan 2008 16:44:15 -0700 Added: dists/etch-security/linux-2.6/debian/patches/bugfix/proc-snd-page-alloc-mem-leak.patch ============================================================================== --- (empty file) +++ dists/etch-security/linux-2.6/debian/patches/bugfix/proc-snd-page-alloc-mem-leak.patch Wed Jan 16 07:02:02 2008 @@ -0,0 +1,169 @@ +From: Takashi Iwai <[EMAIL PROTECTED]> +Date: Mon, 17 Sep 2007 19:55:10 +0000 (+0200) +Subject: Convert snd-page-alloc proc file to use seq_file +X-Git-Tag: v2.6.23-rc8~3 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ccec6e2c4a74adf76ed4e2478091a311b1806212;hp=7bae705ef2c2daac1993de03e5be93b5c300fc5e + +Convert snd-page-alloc proc file to use seq_file + +Use seq_file for the proc file read/write of snd-page-alloc module. +This automatically fixes bugs in the old proc code. + +Signed-off-by: Takashi Iwai <[EMAIL PROTECTED]> +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +Backported to Debian's 2.6.18 by dann frazier <[EMAIL PROTECTED]> + +diff -urpN linux-source-2.6.18.orig/sound/core/memalloc.c linux-source-2.6.18/sound/core/memalloc.c +--- linux-source-2.6.18.orig/sound/core/memalloc.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/sound/core/memalloc.c 2007-09-25 17:53:01.000000000 -0600 +@@ -27,6 +27,7 @@ + #include <linux/pci.h> + #include <linux/slab.h> + #include <linux/mm.h> ++#include <linux/seq_file.h> + #include <asm/uaccess.h> + #include <linux/dma-mapping.h> + #include <linux/moduleparam.h> +@@ -483,10 +484,8 @@ static void free_all_reserved_pages(void + #define SND_MEM_PROC_FILE "driver/snd-page-alloc" + static struct proc_dir_entry *snd_mem_proc; + +-static int snd_mem_proc_read(char *page, char **start, off_t off, +- int count, int *eof, void *data) ++static int snd_mem_proc_read(struct seq_file *seq, void *offset) + { +- int len = 0; + long pages = snd_allocated_pages >> (PAGE_SHIFT-12); + struct list_head *p; + struct snd_mem_list *mem; +@@ -494,44 +493,47 @@ static int snd_mem_proc_read(char *page, + static char *types[] = { "UNKNOWN", "CONT", "DEV", "DEV-SG", "SBUS" }; + + mutex_lock(&list_mutex); +- len += snprintf(page + len, count - len, +- "pages : %li bytes (%li pages per %likB)\n", +- pages * PAGE_SIZE, pages, PAGE_SIZE / 1024); ++ seq_printf(seq, "pages : %li bytes (%li pages per %likB)\n", ++ pages * PAGE_SIZE, pages, PAGE_SIZE / 1024); + devno = 0; + list_for_each(p, &mem_list_head) { + mem = list_entry(p, struct snd_mem_list, list); + devno++; +- len += snprintf(page + len, count - len, +- "buffer %d : ID %08x : type %s\n", +- devno, mem->id, types[mem->buffer.dev.type]); +- len += snprintf(page + len, count - len, +- " addr = 0x%lx, size = %d bytes\n", +- (unsigned long)mem->buffer.addr, (int)mem->buffer.bytes); ++ seq_printf(seq, "buffer %d : ID %08x : type %s\n", ++ devno, mem->id, types[mem->buffer.dev.type]); ++ seq_printf(seq, " addr = 0x%lx, size = %d bytes\n", ++ (unsigned long)mem->buffer.addr, ++ (int)mem->buffer.bytes); + } + mutex_unlock(&list_mutex); +- return len; ++ return 0; ++} ++ ++static int snd_mem_proc_open(struct inode *inode, struct file *file) ++{ ++ return single_open(file, snd_mem_proc_read, NULL); + } + + /* FIXME: for pci only - other bus? */ + #ifdef CONFIG_PCI + #define gettoken(bufp) strsep(bufp, " \t\n") + +-static int snd_mem_proc_write(struct file *file, const char __user *buffer, +- unsigned long count, void *data) ++static ssize_t snd_mem_proc_write(struct file *file, const char __user * buffer, ++ size_t count, loff_t * ppos) + { + char buf[128]; + char *token, *p; + +- if (count > ARRAY_SIZE(buf) - 1) +- count = ARRAY_SIZE(buf) - 1; ++ if (count > sizeof(buf) - 1) ++ return -EINVAL; + if (copy_from_user(buf, buffer, count)) + return -EFAULT; +- buf[ARRAY_SIZE(buf) - 1] = '\0'; ++ buf[count] = '\0'; + + p = buf; + token = gettoken(&p); + if (! token || *token == '#') +- return (int)count; ++ return count; + if (strcmp(token, "add") == 0) { + char *endp; + int vendor, device, size, buffers; +@@ -552,7 +554,7 @@ static int snd_mem_proc_write(struct fil + (buffers = simple_strtol(token, NULL, 0)) <= 0 || + buffers > 4) { + printk(KERN_ERR "snd-page-alloc: invalid proc write format\n"); +- return (int)count; ++ return count; + } + vendor &= 0xffff; + device &= 0xffff; +@@ -564,7 +566,7 @@ static int snd_mem_proc_write(struct fil + if (pci_set_dma_mask(pci, mask) < 0 || + pci_set_consistent_dma_mask(pci, mask) < 0) { + printk(KERN_ERR "snd-page-alloc: cannot set DMA mask %lx for pci %04x:%04x\n", mask, vendor, device); +- return (int)count; ++ return count; + } + } + for (i = 0; i < buffers; i++) { +@@ -574,7 +576,7 @@ static int snd_mem_proc_write(struct fil + size, &dmab) < 0) { + printk(KERN_ERR "snd-page-alloc: cannot allocate buffer pages (size = %d)\n", size); + pci_dev_put(pci); +- return (int)count; ++ return count; + } + snd_dma_reserve_buf(&dmab, snd_dma_pci_buf_id(pci)); + } +@@ -600,9 +602,21 @@ static int snd_mem_proc_write(struct fil + free_all_reserved_pages(); + else + printk(KERN_ERR "snd-page-alloc: invalid proc cmd\n"); +- return (int)count; ++ return count; + } + #endif /* CONFIG_PCI */ ++ ++static const struct file_operations snd_mem_proc_fops = { ++ .owner = THIS_MODULE, ++ .open = snd_mem_proc_open, ++ .read = seq_read, ++#ifdef CONFIG_PCI ++ .write = snd_mem_proc_write, ++#endif ++ .llseek = seq_lseek, ++ .release = single_release, ++}; ++ + #endif /* CONFIG_PROC_FS */ + + /* +@@ -613,12 +627,8 @@ static int __init snd_mem_init(void) + { + #ifdef CONFIG_PROC_FS + snd_mem_proc = create_proc_entry(SND_MEM_PROC_FILE, 0644, NULL); +- if (snd_mem_proc) { +- snd_mem_proc->read_proc = snd_mem_proc_read; +-#ifdef CONFIG_PCI +- snd_mem_proc->write_proc = snd_mem_proc_write; +-#endif +- } ++ if (snd_mem_proc) ++ snd_mem_proc->proc_fops = &snd_mem_proc_fops; + #endif + return 0; + } Modified: dists/etch-security/linux-2.6/debian/patches/series/17etch1 ============================================================================== --- dists/etch-security/linux-2.6/debian/patches/series/17etch1 (original) +++ dists/etch-security/linux-2.6/debian/patches/series/17etch1 Wed Jan 16 07:02:02 2008 @@ -2,3 +2,4 @@ + bugfix/vfs-use-access-mode-flag.patch + bugfix/fat-move-ioctl-compat-code.patch + bugfix/fat-fix-compat-ioctls.patch ++ bugfix/proc-snd-page-alloc-mem-leak.patch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes