Commit b6a91b9c authored by Dann Frazier's avatar Dann Frazier

* bugfix/proc-snd-page-alloc-mem-leak.patch

  [SECURITY] Fix an issue in the alsa subsystem that allows a local user
  to read potentially sensitive kernel memory from the proc filesystem
  See CVE-2007-4571

svn path=/dists/etch-security/linux-2.6/; revision=9547
parent 5a4347e6
......@@ -19,8 +19,12 @@ linux-2.6 (2.6.18.dfsg.1-13etch3) UNRELEASED; urgency=low
* bugfix/jffs2-ACL-vs-mode-handling.patch
[SECURITY] Write correct legacy modes to the medium on inode creation to
prevent incorrect permissions upon remount.
* bugfix/proc-snd-page-alloc-mem-leak.patch
[SECURITY] Fix an issue in the alsa subsystem that allows a local user
to read potentially sensitive kernel memory from the proc filesystem
See CVE-2007-4571
-- dann frazier <dannf@debian.org> Tue, 25 Sep 2007 00:19:49 -0600
-- dann frazier <dannf@debian.org> Tue, 25 Sep 2007 18:35:25 -0600
linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high
......
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 17 Sep 2007 19:55:10 +0000 (+0200)
Subject: Convert snd-page-alloc proc file to use seq_file
X-Git-Tag: v2.6.23-rc8~3
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ccec6e2c4a74adf76ed4e2478091a311b1806212;hp=7bae705ef2c2daac1993de03e5be93b5c300fc5e
Convert snd-page-alloc proc file to use seq_file
Use seq_file for the proc file read/write of snd-page-alloc module.
This automatically fixes bugs in the old proc code.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/sound/core/memalloc.c linux-source-2.6.18/sound/core/memalloc.c
--- linux-source-2.6.18.orig/sound/core/memalloc.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/sound/core/memalloc.c 2007-09-25 17:53:01.000000000 -0600
@@ -27,6 +27,7 @@
#include <linux/pci.h>
#include <linux/slab.h>
#include <linux/mm.h>
+#include <linux/seq_file.h>
#include <asm/uaccess.h>
#include <linux/dma-mapping.h>
#include <linux/moduleparam.h>
@@ -483,10 +484,8 @@ static void free_all_reserved_pages(void
#define SND_MEM_PROC_FILE "driver/snd-page-alloc"
static struct proc_dir_entry *snd_mem_proc;
-static int snd_mem_proc_read(char *page, char **start, off_t off,
- int count, int *eof, void *data)
+static int snd_mem_proc_read(struct seq_file *seq, void *offset)
{
- int len = 0;
long pages = snd_allocated_pages >> (PAGE_SHIFT-12);
struct list_head *p;
struct snd_mem_list *mem;
@@ -494,44 +493,47 @@ static int snd_mem_proc_read(char *page,
static char *types[] = { "UNKNOWN", "CONT", "DEV", "DEV-SG", "SBUS" };
mutex_lock(&list_mutex);
- len += snprintf(page + len, count - len,
- "pages : %li bytes (%li pages per %likB)\n",
- pages * PAGE_SIZE, pages, PAGE_SIZE / 1024);
+ seq_printf(seq, "pages : %li bytes (%li pages per %likB)\n",
+ pages * PAGE_SIZE, pages, PAGE_SIZE / 1024);
devno = 0;
list_for_each(p, &mem_list_head) {
mem = list_entry(p, struct snd_mem_list, list);
devno++;
- len += snprintf(page + len, count - len,
- "buffer %d : ID %08x : type %s\n",
- devno, mem->id, types[mem->buffer.dev.type]);
- len += snprintf(page + len, count - len,
- " addr = 0x%lx, size = %d bytes\n",
- (unsigned long)mem->buffer.addr, (int)mem->buffer.bytes);
+ seq_printf(seq, "buffer %d : ID %08x : type %s\n",
+ devno, mem->id, types[mem->buffer.dev.type]);
+ seq_printf(seq, " addr = 0x%lx, size = %d bytes\n",
+ (unsigned long)mem->buffer.addr,
+ (int)mem->buffer.bytes);
}
mutex_unlock(&list_mutex);
- return len;
+ return 0;
+}
+
+static int snd_mem_proc_open(struct inode *inode, struct file *file)
+{
+ return single_open(file, snd_mem_proc_read, NULL);
}
/* FIXME: for pci only - other bus? */
#ifdef CONFIG_PCI
#define gettoken(bufp) strsep(bufp, " \t\n")
-static int snd_mem_proc_write(struct file *file, const char __user *buffer,
- unsigned long count, void *data)
+static ssize_t snd_mem_proc_write(struct file *file, const char __user * buffer,
+ size_t count, loff_t * ppos)
{
char buf[128];
char *token, *p;
- if (count > ARRAY_SIZE(buf) - 1)
- count = ARRAY_SIZE(buf) - 1;
+ if (count > sizeof(buf) - 1)
+ return -EINVAL;
if (copy_from_user(buf, buffer, count))
return -EFAULT;
- buf[ARRAY_SIZE(buf) - 1] = '\0';
+ buf[count] = '\0';
p = buf;
token = gettoken(&p);
if (! token || *token == '#')
- return (int)count;
+ return count;
if (strcmp(token, "add") == 0) {
char *endp;
int vendor, device, size, buffers;
@@ -552,7 +554,7 @@ static int snd_mem_proc_write(struct fil
(buffers = simple_strtol(token, NULL, 0)) <= 0 ||
buffers > 4) {
printk(KERN_ERR "snd-page-alloc: invalid proc write format\n");
- return (int)count;
+ return count;
}
vendor &= 0xffff;
device &= 0xffff;
@@ -564,7 +566,7 @@ static int snd_mem_proc_write(struct fil
if (pci_set_dma_mask(pci, mask) < 0 ||
pci_set_consistent_dma_mask(pci, mask) < 0) {
printk(KERN_ERR "snd-page-alloc: cannot set DMA mask %lx for pci %04x:%04x\n", mask, vendor, device);
- return (int)count;
+ return count;
}
}
for (i = 0; i < buffers; i++) {
@@ -574,7 +576,7 @@ static int snd_mem_proc_write(struct fil
size, &dmab) < 0) {
printk(KERN_ERR "snd-page-alloc: cannot allocate buffer pages (size = %d)\n", size);
pci_dev_put(pci);
- return (int)count;
+ return count;
}
snd_dma_reserve_buf(&dmab, snd_dma_pci_buf_id(pci));
}
@@ -600,9 +602,21 @@ static int snd_mem_proc_write(struct fil
free_all_reserved_pages();
else
printk(KERN_ERR "snd-page-alloc: invalid proc cmd\n");
- return (int)count;
+ return count;
}
#endif /* CONFIG_PCI */
+
+static const struct file_operations snd_mem_proc_fops = {
+ .owner = THIS_MODULE,
+ .open = snd_mem_proc_open,
+ .read = seq_read,
+#ifdef CONFIG_PCI
+ .write = snd_mem_proc_write,
+#endif
+ .llseek = seq_lseek,
+ .release = single_release,
+};
+
#endif /* CONFIG_PROC_FS */
/*
@@ -613,12 +627,8 @@ static int __init snd_mem_init(void)
{
#ifdef CONFIG_PROC_FS
snd_mem_proc = create_proc_entry(SND_MEM_PROC_FILE, 0644, NULL);
- if (snd_mem_proc) {
- snd_mem_proc->read_proc = snd_mem_proc_read;
-#ifdef CONFIG_PCI
- snd_mem_proc->write_proc = snd_mem_proc_write;
-#endif
- }
+ if (snd_mem_proc)
+ snd_mem_proc->proc_fops = &snd_mem_proc_fops;
#endif
return 0;
}
......@@ -4,3 +4,4 @@
+ bugfix/cifs-honor-umask.patch
+ bugfix/amd64-zero-extend-32bit-ptrace.patch
+ bugfix/jffs2-ACL-vs-mode-handling.patch
+ bugfix/proc-snd-page-alloc-mem-leak.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment