reassign 583731 linux-2.6 2.6.26-22lenny1 
retitle 583731 broken usbfs support after CVE-2010-1083
thanks 

On Sun, May 30, 2010 at 06:30:59PM +1000, David Brodrick wrote:
> Package: libusb
> Version: 2:0.1.12-1
>
> I have encountered problems with a program that uses libusb-0.1-4 ever since 
> installing the lenny1 security update of linux-image-2.6.26-2-686.
>
> Perhaps it is a regression in the kernel related to CVE-2010-1083??
>
> I am not sure whether the bug report should belong to the kernel or libusb, 
> or maybe it's a fault in the program I use (although it worked well before the 
> kernel upgrade).
>

This is most probably a kernel issue; the patch proposed for this CVE is
known to be buggy. The following patch, which is part of the 2.6.32.11
stable version, should be applied on top of the previous one to fix the
issue.

I am therefore reassigning the bug to the kernel package.


commit 7152b592593b9d48b33f8997b1dfd6df9143f7ec
Author: Alan Stern <st...@rowland.harvard.edu>
Date:   Sat Mar 6 15:04:03 2010 -0500

    USB: fix usbfs regression
    
    This patch (as1352) fixes a bug in the way isochronous input data is
    returned to userspace for usbfs transfers.  The entire buffer must be
    copied, not just the first actual_length bytes, because the individual
    packets will be discontiguous if any of them are short.
    
    Reported-by: Markus Rechberger <mrechber...@gmail.com>
    Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
    CC: stable <sta...@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index e909ff7..3466fdc 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1207,6 +1207,13 @@ static int proc_do_submiturb(struct dev_state *ps, 
struct usbdevfs_urb *uurb,
                        free_async(as);
                        return -ENOMEM;
                }
+               /* Isochronous input data may end up being discontiguous
+                * if some of the packets are short.  Clear the buffer so
+                * that the gaps don't leak kernel data to userspace.
+                */
+               if (is_in && uurb->type == USBDEVFS_URB_TYPE_ISO)
+                       memset(as->urb->transfer_buffer, 0,
+                                       uurb->buffer_length);
        }
        as->urb->dev = ps->dev;
        as->urb->pipe = (uurb->type << 30) |
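Review bot: the memset length uurb->buffer_length is the caller-supplied size, so the clearing is only safe if as->urb->transfer_buffer was allocated with exactly that length; the allocation itself is not in this hunk (only its failure path, `free_async(as); return -ENOMEM;`, is), so check it against the allocation a few lines above before applying. If that allocation is a plain kmalloc, using kzalloc for the isochronous-input case would clear the buffer at allocation time and make the separate memset unnecessary; either way the comment's reason for clearing (gaps between short packets must not expose stale kernel memory) should stay next to the code.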
@@ -1345,10 +1352,14 @@ static int processcompl(struct async *as, void __user * 
__user *arg)
        void __user *addr = as->userurb;
        unsigned int i;
 
-       if (as->userbuffer && urb->actual_length)
-               if (copy_to_user(as->userbuffer, urb->transfer_buffer,
-                                urb->actual_length))
+       if (as->userbuffer && urb->actual_length) {
+               if (urb->number_of_packets > 0)         /* Isochronous */
+                       i = urb->transfer_buffer_length;
+               else                                    /* Non-Isoc */
+                       i = urb->actual_length;
+               if (copy_to_user(as->userbuffer, urb->transfer_buffer, i))
                        goto err_out;
+       }
        if (put_user(as->status, &userurb->status))
                goto err_out;
        if (put_user(urb->actual_length, &userurb->actual_length))
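Review bot: the new copy length for isochronous URBs (`i = urb->transfer_buffer_length;`) relies on the clearing added in proc_do_submiturb; applied on its own, this hunk would copy the uninitialised gaps between short packets to userspace, so the two hunks must travel together, which matters for a backport like the 2.6.26 one discussed here. Two smaller points: `unsigned int i` reads as a loop index, so a dedicated variable such as `len` would make the copy length clearer, and detecting isochronous transfers via `urb->number_of_packets > 0` works but is less explicit than the `uurb->type == USBDEVFS_URB_TYPE_ISO` check used in the first hunk.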


-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurel...@aurel32.net                 http://www.aurel32.net


