[kernel/f12/master] irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch (CVE-2010-2954)

Chuck Ebbert cebbert at fedoraproject.org
Thu Sep 2 15:48:35 UTC 2010


commit b9204c294cb0512e7ec4c1480276126d8a40d6c3
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Thu Sep 2 11:44:20 2010 -0400

    irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch (CVE-2010-2954)

 ...lean-up-self-ias_obj-on-irda_bind-failure.patch |   35 ++++++++++++++++++++
 kernel.spec                                        |   10 +++++-
 2 files changed, 44 insertions(+), 1 deletions(-)
---
diff --git a/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch b/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
new file mode 100644
index 0000000..a36f8af
--- /dev/null
+++ b/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
@@ -0,0 +1,35 @@
+From: David S. Miller <davem at davemloft.net>
+Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
+Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
+
+irda: Correctly clean up self->ias_obj on irda_bind() failure.
+
+If irda_open_tsap() fails, the irda_bind() code tries to destroy
+the ->ias_obj object by hand, but does so wrongly.
+
+In particular, it fails to a) release the hashbin attached to the
+object and b) reset the self->ias_obj pointer to NULL.
+
+Fix both problems by using irias_delete_object() and explicitly
+setting self->ias_obj to NULL, just as irda_release() does.
+
+Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index 79986a6..fd55b51 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ 
+ 	err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
+ 	if (err < 0) {
+-		kfree(self->ias_obj->name);
+-		kfree(self->ias_obj);
++		irias_delete_object(self->ias_obj);
++		self->ias_obj = NULL;
+ 		return err;
+ 	}
+ 
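Review bot: The two added lines in irda_bind() replace the hand-rolled kfree() pair with irias_delete_object() plus a NULL reset, but nothing at that spot says why a plain kfree() was wrong, and a later maintainer could easily reintroduce it. A short comment would pin the contract: `/* Object not yet registered with the IAS; irias_delete_object() also frees its attribute hashbin, and clearing the pointer keeps irda_release() from freeing it a second time. */` — the "not yet registered" part is inferred from the fact that the teardown here mirrors irda_release() rather than the IAS removal path, so confirm it against the surrounding code. The enclosing irda_bind() function starts before and continues after this hunk, so the insert-into-IAS step that should follow the successful open is not visible here.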
diff --git a/kernel.spec b/kernel.spec
index e065086..6f31900 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -47,7 +47,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 166
+%global baserelease 167
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -838,6 +838,8 @@ Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
 Patch14140: hid-01-usbhid-initialize-interface-pointers-early-enough.patch
 Patch14141: hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
 
+Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+
 # ==============================================================================
 %endif
 
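Review bot: The new `Patch14150:` entry carries no CVE annotation, while the matching ApplyPatch line later in the spec is preceded by `# CVE-2010-2954`; the two patch lists are usually kept in step so that a security fix is identifiable from either place. Adding `# CVE-2010-2954` on the line above `Patch14150:` would make the declaration self-describing.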
@@ -1545,6 +1547,9 @@ ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
 ApplyPatch hid-01-usbhid-initialize-interface-pointers-early-enough.patch
 ApplyPatch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
 
+# CVE-2010-2954
+ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+
 # END OF PATCH APPLICATIONS ====================================================
 %endif
 
@@ -2197,6 +2202,9 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Thu Sep 02 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.32.21-167
+- irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch (CVE-2010-2954)
+
 * Fri Aug 27 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.32.21-166
 - Linux 2.6.32.21
 

