Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
parent
07dec24ea7
commit
fdc263cb21
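--- a/bluetooth-bnep-fix-buffer-overflow.patch
+++ b/bluetooth-bnep-fix-buffer-overflow.patch
@@ -0,0 +1,28 @@
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Mon, 14 Feb 2011 10:54:31 +0000 (+0300)
+Subject: Bluetooth: bnep: fix buffer overflow
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=43629f8f5ea32a998d06d1bb41eefa0e821ff573
+
+Bluetooth: bnep: fix buffer overflow
+
+Struct ca is copied from userspace. It is not checked whether the "device"
+field is NULL terminated. This potentially leads to BUG() inside of
+alloc_netdev_mqs() and/or information leak by creating a device with a name
+made of contents of kernel stack.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+---
+
+diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
+index 2862f53..d935da7 100644
+--- a/net/bluetooth/bnep/sock.c
++++ b/net/bluetooth/bnep/sock.c
+@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
+sockfd_put(nsock);
+return -EBADFD;
+}
++ ca.device[sizeof(ca.device)-1] = 0;
+
+err = bnep_add_connection(&ca, nsock);
+if (!err) {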
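Review bot: The added `ca.device[sizeof(ca.device)-1] = 0;` in the carried sock.c hunk has no comment, so the call site does not say that `ca` is copied from userspace and that this store is what bounds the name before `bnep_add_connection(&ca, nsock)` uses it. I would put `/* ca is user-supplied; device[] may arrive without a terminating NUL */` above it. A name that fills the whole array is silently truncated by one byte rather than refused, which looks deliberate but is worth stating in the same comment. Because this file appears to be a verbatim upstream backport, the comment would best be proposed upstream rather than diverging the patch here; bnep_sock_ioctl starts and ends outside the hunk.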
11
kernel.spec
11
kernel.spec
@ -848,6 +848,9 @@ Patch13952: drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch
|
|||||||
|
|
||||||
Patch13955: virtio_net-add-schedule-check-to-napi_enable-call.patch
|
Patch13955: virtio_net-add-schedule-check-to-napi_enable-call.patch
|
||||||
|
|
||||||
|
# cve-2011-1079
|
||||||
|
Patch13956: bluetooth-bnep-fix-buffer-overflow.patch
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||||
@ -1605,6 +1608,9 @@ ApplyPatch drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch
|
|||||||
|
|
||||||
ApplyPatch virtio_net-add-schedule-check-to-napi_enable-call.patch
|
ApplyPatch virtio_net-add-schedule-check-to-napi_enable-call.patch
|
||||||
|
|
||||||
|
# cve-2011-1079
|
||||||
|
ApplyPatch bluetooth-bnep-fix-buffer-overflow.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2225,7 +2231,10 @@ fi
|
|||||||
%kernel_variant_files %{with_pae_debug} PAEdebug
|
%kernel_variant_files %{with_pae_debug} PAEdebug
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sun Apr 17 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.34.9-69
|
* Fri Apr 29 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.34.9-69
|
||||||
|
- Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
|
||||||
|
|
||||||
|
* Sun Apr 17 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||||
- Linux 2.6.34.9
|
- Linux 2.6.34.9
|
||||||
- Fix up drm-next.patch to apply on top of cda4b7d3a, e06b14ee9
|
- Fix up drm-next.patch to apply on top of cda4b7d3a, e06b14ee9
|
||||||
- Un-revert 6a1a82df9 from upstream
|
- Un-revert 6a1a82df9 from upstream
|
||||||
|
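Review bot: The new changelog entry in the last hunk reuses release 2.6.34.9-69, the tag the Apr 17 entry carried before this commit stripped it, and no visible hunk changes the release number. If a -69 build was ever published, the fixed and unfixed packages would share a name-version-release and tooling that keys on the package version could not tell them apart; in that case the header should read `* Fri Apr 29 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.34.9-70` with the release field bumped to match. The rest of kernel.spec is outside the shown hunks, so the release definition may already account for this.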