[kernel/f15] CVE-2011-2497: kernel: bluetooth: buffer overflow in l2cap config request
Chuck Ebbert
cebbert at fedoraproject.org
Wed Jul 6 13:13:12 UTC 2011
commit 10aa0c1bf70fb514608f23a83b8388fff92ea63d
Author: Chuck Ebbert <cebbert at redhat.com>
Date: Wed Jul 6 09:13:22 2011 -0400
CVE-2011-2497: kernel: bluetooth: buffer overflow in l2cap config request
...t-buffer-overflow-in-l2cap-config-request.patch | 32 ++++++++++++++++++++
kernel.spec | 7 +++-
2 files changed, 37 insertions(+), 2 deletions(-)
---
diff --git a/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch b/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
new file mode 100644
index 0000000..5cc80c7
--- /dev/null
+++ b/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
@@ -0,0 +1,32 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri, 24 Jun 2011 12:38:05 +0000 (-0400)
+Subject: Bluetooth: Prevent buffer overflow in l2cap config request
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fpadovan%2Fbluetooth-2.6.git;a=commitdiff_plain;h=7ac28817536797fd40e9646452183606f9e17f71
+
+Bluetooth: Prevent buffer overflow in l2cap config request
+[ backport to 2.6.38 ]
+
+A remote user can provide a small value for the command size field in
+the command header of an l2cap configuration request, resulting in an
+integer underflow when subtracting the size of the configuration request
+header. This results in copying a very large amount of data via
+memcpy() and destroying the kernel heap. Check for underflow.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: stable <stable at kernel.org>
+Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+---
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 56fdd91..7d8a66b 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -3116,7 +3116,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
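Review bot: the added `len < 0` test in `++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {` only catches the underflow if `len` is a signed type; its declaration is outside this hunk, so confirm that the 2.6.38 `l2cap_config_req` still declares `int len` (with an unsigned `len` the comparison is always false and the fix is a no-op, and newer compilers may warn about it). Separately, the embedded patch header `diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c` names the upstream file while the `---`/`+++` lines name `net/bluetooth/l2cap.c`; `git apply` follows the `---`/`+++` lines so it applies, but the header should be changed to `l2cap.c` to match the `[ backport to 2.6.38 ]` note.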
diff --git a/kernel.spec b/kernel.spec
index 5b47d3b..baa589c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -773,7 +773,7 @@ Patch12404: x86-pci-preserve-existing-pci-bfsort-whitelist-for-dell-systems.patc
Patch12407: scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
Patch12416: bluetooth-device-ids-for-ath3k-on-pegatron-lucid-tablets.patch
-
+Patch12417: bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
Patch12418: ath5k-disable-fast-channel-switching-by-default.patch
Patch12419: iwlagn-use-cts-to-self-protection-on-5000-adapters-series.patch
@@ -1332,6 +1332,9 @@ ApplyPatch libata-sas-only-set-frozen-flag-if-new-eh-is-supported.patch
ApplyPatch hda_intel-prealloc-4mb-dmabuffer.patch
# Networking
+ApplyPatch bluetooth-device-ids-for-ath3k-on-pegatron-lucid-tablets.patch
+# CVE-2011-2497
+ApplyPatch bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
# Misc fixes
# The input layer spews crap no-one cares about.
@@ -1448,7 +1451,6 @@ ApplyPatch bonding-incorrect-tx-queue-offset.patch
ApplyPatch scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
-ApplyPatch bluetooth-device-ids-for-ath3k-on-pegatron-lucid-tablets.patch
# rhbz#709122
ApplyPatch ath5k-disable-fast-channel-switching-by-default.patch
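Review bot: removing `-ApplyPatch bluetooth-device-ids-for-ath3k-on-pegatron-lucid-tablets.patch` here and re-adding it under `# Networking` in the previous hunk is an unrelated reordering of an existing patch bundled into a CVE fix; neither the commit message nor the changelog entry mentions it, so either split it into its own commit or add a changelog line so the move stays traceable.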
@@ -2070,6 +2072,7 @@ fi
* Wed Jul 06 2011 Chuck Ebbert <cebbert at redhat.com>
- Revert SCSI/block patches from 2.6.38.6 that caused more problems
than they fixed; drop band-aid patch attempting to fix the fix.
+- CVE-2011-2497: kernel: bluetooth: buffer overflow in l2cap config request
* Mon Jun 27 2011 Dave Jones <davej at redhat.com>
- Disable CONFIG_CRYPTO_MANAGER_DISABLE_TESTS, as this also disables FIPS (rhbz 716942)
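Review bot: the changelog line `+- CVE-2011-2497: kernel: bluetooth: buffer overflow in l2cap config request` should cite the upstream commit being backported (7ac28817536797fd40e9646452183606f9e17f71, taken from the X-Git-Url in the patch header) so the fix can be matched against the stable tree when the Fedora kernel is rebased.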