Commit 65e034df authored by Dann Frazier's avatar Dann Frazier

* bugfix/usblcd-limit-memory-consumption.patch

  [SECURITY] limit memory consumption during write in the usblcd driver
  See CVE-2007-3513

svn path=/dists/etch-security/linux-2.6/; revision=9059
parent ca2a0322
......@@ -6,8 +6,11 @@ linux-2.6 (2.6.18.dfsg.1-12etch3) stable-security; urgency=high
* bugfix/fat-move-ioctl-compat-code.patch, bugfix/fat-fix-compat-ioctls.patch
[SECURITY] Fix kernel_dirent corruption in the compat layer for fat ioctls
See CVE-2007-2878
* bugfix/usblcd-limit-memory-consumption.patch
[SECURITY] limit memory consumption during write in the usblcd driver
See CVE-2007-3513
-- dann frazier <dannf@debian.org> Sat, 23 Jun 2007 18:38:19 +0100
-- dann frazier <dannf@debian.org> Wed, 04 Jul 2007 08:57:36 -0600
linux-2.6 (2.6.18.dfsg.1-12etch2) stable-security; urgency=high
......
From: Oliver Neukum <oneukum@suse.de>
Date: Mon, 11 Jun 2007 13:36:02 +0000 (+0200)
Subject: USB: usblcd doesn't limit memory consumption during write
X-Git-Tag: v2.6.22-rc7~49^2~3
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5afeb104e7901168b21aad0437fb51dc620dfdd3
USB: usblcd doesn't limit memory consumption during write
usblcd currently has no way to limit memory consumption by fast writers.
This is a security problem, as it allows users with write access to this
device to drive the system into oom despite resource limits.
Here's the fix taken from the modern skeleton driver.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
diff --git a/drivers/usb/misc/usblcd.c b/drivers/usb/misc/usblcd.c
index 887ef95..12bad8a 100644
--- a/drivers/usb/misc/usblcd.c
+++ b/drivers/usb/misc/usblcd.c
@@ -42,10 +42,14 @@ struct usb_lcd {
size_t bulk_in_size; /* the size of the receive buffer */
__u8 bulk_in_endpointAddr; /* the address of the bulk in endpoint */
__u8 bulk_out_endpointAddr; /* the address of the bulk out endpoint */
- struct kref kref;
+ struct kref kref;
+ struct semaphore limit_sem; /* to stop writes at full throttle from
+ * using up all RAM */
};
#define to_lcd_dev(d) container_of(d, struct usb_lcd, kref)
+#define USB_LCD_CONCURRENT_WRITES 5
+
static struct usb_driver lcd_driver;
static DEFINE_MUTEX(usb_lcd_open_mutex);
@@ -186,12 +190,13 @@ static void lcd_write_bulk_callback(struct urb *urb)
/* free up our allocated buffer */
usb_buffer_free(urb->dev, urb->transfer_buffer_length,
urb->transfer_buffer, urb->transfer_dma);
+ up(&dev->limit_sem);
}
static ssize_t lcd_write(struct file *file, const char __user * user_buffer, size_t count, loff_t *ppos)
{
struct usb_lcd *dev;
- int retval = 0;
+ int retval = 0, r;
struct urb *urb = NULL;
char *buf = NULL;
@@ -201,10 +206,16 @@ static ssize_t lcd_write(struct file *file, const char __user * user_buffer, siz
if (count == 0)
goto exit;
+ r = down_interruptible(&dev->limit_sem);
+ if (r < 0)
+ return -EINTR;
+
/* create a urb, and a buffer for it, and copy the data to the urb */
urb = usb_alloc_urb(0, GFP_KERNEL);
- if (!urb)
- return -ENOMEM;
+ if (!urb) {
+ retval = -ENOMEM;
+ goto err_no_buf;
+ }
buf = usb_buffer_alloc(dev->udev, count, GFP_KERNEL, &urb->transfer_dma);
if (!buf) {
@@ -239,6 +250,8 @@ exit:
error:
usb_buffer_free(dev->udev, count, buf, urb->transfer_dma);
usb_free_urb(urb);
+err_no_buf:
+ up(&dev->limit_sem);
return retval;
}
@@ -277,6 +290,7 @@ static int lcd_probe(struct usb_interface *interface, const struct usb_device_id
goto error;
}
kref_init(&dev->kref);
+ sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES);
dev->udev = usb_get_dev(interface_to_usbdev(interface));
dev->interface = interface;
+ bugfix/bluetooth-l2cap-hci-info-leaks.patch
+ bugfix/fat-move-ioctl-compat-code.patch
+ bugfix/fat-fix-compat-ioctls.patch
+ bugfix/usblcd-limit-memory-consumption.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment