From b9204c294cb0512e7ec4c1480276126d8a40d6c3 Mon Sep 17 00:00:00 2001
From: Chuck Ebbert
Date: Sep 02 2010 15:44:20 +0000
Subject: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch (CVE-2010-2954)
---
diff --git a/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch b/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
new file mode 100644
index 0000000..a36f8af
--- /dev/null
+++ b/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
@@ -0,0 +1,35 @@
+From: David S. Miller
+Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
+Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
+
+irda: Correctly clean up self->ias_obj on irda_bind() failure.
+
+If irda_open_tsap() fails, the irda_bind() code tries to destroy
+the ->ias_obj object by hand, but does so wrongly.
+
+In particular, it fails to a) release the hashbin attached to the
+object and b) reset the self->ias_obj pointer to NULL.
+
+Fix both problems by using irias_delete_object() and explicitly
+setting self->ias_obj to NULL, just as irda_release() does.
+
+Reported-by: Tavis Ormandy
+Signed-off-by: David S. Miller
+---
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index 79986a6..fd55b51 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ 
+ err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
+ if (err < 0) {
+- kfree(self->ias_obj->name);
+- kfree(self->ias_obj);
++ irias_delete_object(self->ias_obj);
++ self->ias_obj = NULL;
+ return err;
+ }
+ 
diff --git a/kernel.spec b/kernel.spec
index e065086..6f31900 100644
--- a/kernel.spec
+++ b/kernel.spec
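Review bot: The replacement two-line cleanup in the irda_bind() error path carries no comment saying why the object must be torn down through irias_delete_object() rather than freed field by field, which is exactly the pattern it replaces; without it the next editor has nothing in the code itself to stop the hand-rolled kfree() pair from coming back. A one-line comment above the call such as `/* ias_obj owns a hashbin of attributes: release it through the IAS API and clear the pointer so the release path never sees a freed object */` would capture the reasoning that currently lives only in the commit message. The call also presumes self->ias_obj is non-NULL here, i.e. that its creation above the hunk already bails out on failure; that is not visible in this excerpt and is worth confirming in the surrounding function. irda_bind() starts and ends outside the hunk.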
@@ -47,7 +47,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 166
+%global baserelease 167
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -838,6 +838,8 @@ Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
 Patch14140: hid-01-usbhid-initialize-interface-pointers-early-enough.patch
 Patch14141: hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
 
+Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+
 # ==============================================================================
 
 %endif
@@ -1545,6 +1547,9 @@ ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
 ApplyPatch hid-01-usbhid-initialize-interface-pointers-early-enough.patch
 ApplyPatch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
 
+# CVE-2010-2954
+ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+
 # END OF PATCH APPLICATIONS ====================================================
 
 %endif
@@ -2197,6 +2202,9 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Thu Sep 02 2010 Chuck Ebbert 2.6.32.21-167
+- irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch (CVE-2010-2954)
+
 * Fri Aug 27 2010 Chuck Ebbert 2.6.32.21-166
 - Linux 2.6.32.21