Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
This commit is contained in:
Chuck Ebbert
parent
07dec24ea7
commit
fdc263cb21
|
|
@ -0,0 +1,28 @@
|
|||
From: Vasiliy Kulikov <segoon@openwall.com>
|
||||
Date: Mon, 14 Feb 2011 10:54:31 +0000 (+0300)
|
||||
Subject: Bluetooth: bnep: fix buffer overflow
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=43629f8f5ea32a998d06d1bb41eefa0e821ff573
|
||||
|
||||
Bluetooth: bnep: fix buffer overflow
|
||||
|
||||
Struct ca is copied from userspace. It is not checked whether the "device"
|
||||
field is NULL terminated. This potentially leads to BUG() inside of
|
||||
alloc_netdev_mqs() and/or information leak by creating a device with a name
|
||||
made of contents of kernel stack.
|
||||
|
||||
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
|
||||
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
||||
---
|
||||
|
||||
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
|
||||
index 2862f53..d935da7 100644
|
||||
--- a/net/bluetooth/bnep/sock.c
|
||||
+++ b/net/bluetooth/bnep/sock.c
|
||||
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
|
||||
sockfd_put(nsock);
|
||||
return -EBADFD;
|
||||
}
|
||||
+ ca.device[sizeof(ca.device)-1] = 0;
|
||||
|
||||
err = bnep_add_connection(&ca, nsock);
|
||||
if (!err) {
|
||||
11
kernel.spec
11
kernel.spec
|
|
@ -848,6 +848,9 @@ Patch13952: drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch
|
|||
|
||||
Patch13955: virtio_net-add-schedule-check-to-napi_enable-call.patch
|
||||
|
||||
# cve-2011-1079
|
||||
Patch13956: bluetooth-bnep-fix-buffer-overflow.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
|
@ -1605,6 +1608,9 @@ ApplyPatch drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch
|
|||
|
||||
ApplyPatch virtio_net-add-schedule-check-to-napi_enable-call.patch
|
||||
|
||||
# cve-2011-1079
|
||||
ApplyPatch bluetooth-bnep-fix-buffer-overflow.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2225,7 +2231,10 @@ fi
|
|||
%kernel_variant_files %{with_pae_debug} PAEdebug
|
||||
|
||||
%changelog
|
||||
* Sun Apr 17 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.34.9-69
|
||||
* Fri Apr 29 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.34.9-69
|
||||
- Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
|
||||
|
||||
* Sun Apr 17 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- Linux 2.6.34.9
|
||||
- Fix up drm-next.patch to apply on top of cda4b7d3a, e06b14ee9
|
||||
- Un-revert 6a1a82df9 from upstream
|
||||
|
|
|
|||
Loading…
Reference in New Issue