r2002 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Dann Frazier
dannf@haydn.debian.org
Wed, 15 Dec 2004 22:34:40 -0700
Author: dannf
Date: 2004-12-15 22:34:11 -0700 (Wed, 15 Dec 2004)
New Revision: 2002
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/116-cmsg-validation-checks.patch
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/117-igmp-source-filter-fixes.patch
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-7
Log:
* 116-cmsg-validation-checks.patch: Patch from Herbert Xu fixing CMSG
validation wrt signedness (CAN-2004-1016) (dann frazier)
* 117-igmp-source-filter-fixes.patch: IGMP source filter fixes
(CAN-2004-1137) (dann frazier)
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2004-12-15 22:06:41 UTC (rev 2001)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2004-12-16 05:34:11 UTC (rev 2002)
@@ -5,8 +5,12 @@
* Security: Fix a potential oops using a malformed a.out binary
(CAN-2004-1074) (dann frazier)
* 115_tty_lockup-3.diff: Fix an unterminated comment (dann frazier)
+ * 116-cmsg-validation-checks.patch: Patch from Herbert Xu fixing CMSG
+ validation wrt signedness (CAN-2004-1016) (dann frazier)
+ * 117-igmp-source-filter-fixes.patch: IGMP source filter fixes
+ (CAN-2004-1137) (dann frazier)
- -- dann frazier <dannf@debian.org> Tue, 14 Dec 2004 19:48:29 -0700
+ -- dann frazier <dannf@debian.org> Wed, 15 Dec 2004 22:23:12 -0700
kernel-source-2.4.27 (2.4.27-6) unstable; urgency=low
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/116-cmsg-validation-checks.patch
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/116-cmsg-validation-checks.patch 2004-12-15 22:06:41 UTC (rev 2001)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/116-cmsg-validation-checks.patch 2004-12-16 05:34:11 UTC (rev 2002)
@@ -0,0 +1,112 @@
+# origin: herbert@gondor.apana.org.au
+# cset: 1.1516.6.2
+# inclusion: backport
+# revision date: 2004-12-14
+# description: Fix CMSG validation checks wrt. signedness.
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/08 13:13:56-08:00 herbert@gondor.apana.org.au
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# Noticed by Georgi Guninski.
+#
+# Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/linux/socket.h
+# 2004/12/08 13:13:07-08:00 herbert@gondor.apana.org.au +4 -0
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/core/scm.c
+# 2004/12/08 13:13:07-08:00 herbert@gondor.apana.org.au +1 -3
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/ipv4/ip_sockglue.c
+# 2004/12/08 13:13:07-08:00 herbert@gondor.apana.org.au +1 -4
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/ipv6/datagram.c
+# 2004/12/08 13:13:07-08:00 herbert@gondor.apana.org.au +1 -3
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+# net/sctp/socket.c
+# 2004/12/08 13:13:08-08:00 herbert@gondor.apana.org.au +1 -5
+# [NET]: Fix CMSG validation checks wrt. signedness.
+#
+diff -Nru a/include/linux/socket.h b/include/linux/socket.h
+--- a/include/linux/socket.h 2004-12-15 19:38:09 -08:00
++++ b/include/linux/socket.h 2004-12-15 19:38:09 -08:00
+@@ -87,6 +87,10 @@
+ (struct cmsghdr *)(ctl) : \
+ (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++ (cmsg)->cmsg_len <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+
+ /*
+ * This mess will go away with glibc
+diff -Nru a/net/core/scm.c b/net/core/scm.c
+--- a/net/core/scm.c 2004-12-15 19:38:09 -08:00
++++ b/net/core/scm.c 2004-12-15 19:38:09 -08:00
+@@ -124,9 +124,7 @@
+ for too short ancillary data object at all! Oops.
+ OK, let's add it...
+ */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen)
++ if (!CMSG_OK(msg, cmsg))
+ goto error;
+
+ if (cmsg->cmsg_level != SOL_SOCKET)
+diff -Nru a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+--- a/net/ipv4/ip_sockglue.c 2004-12-15 19:38:09 -08:00
++++ b/net/ipv4/ip_sockglue.c 2004-12-15 19:38:09 -08:00
+@@ -143,11 +143,8 @@
+ struct cmsghdr *cmsg;
+
+ for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+ if (cmsg->cmsg_level != SOL_IP)
+ continue;
+ switch (cmsg->cmsg_type) {
+diff -Nru a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+--- a/net/ipv6/datagram.c 2004-12-15 19:38:09 -08:00
++++ b/net/ipv6/datagram.c 2004-12-15 19:38:09 -08:00
+@@ -260,9 +260,7 @@
+
+ for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg)) {
+ err = -EINVAL;
+ goto exit_f;
+ }
+diff -Nru a/net/sctp/socket.c b/net/sctp/socket.c
+--- a/net/sctp/socket.c 2004-12-15 19:38:09 -08:00
++++ b/net/sctp/socket.c 2004-12-15 19:38:09 -08:00
+@@ -4090,12 +4090,8 @@
+ for (cmsg = CMSG_FIRSTHDR(msg);
+ cmsg != NULL;
+ cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
+- /* Check for minimum length. The SCM code has this check. */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+
+ /* Should we parse this header or ignore? */
+ if (cmsg->cmsg_level != IPPROTO_SCTP)
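Review bot: The new CMSG_OK macro in the include/linux/socket.h hunk is only sound for a `cmsg` that CMSG_FIRSTHDR/CMSG_NXTHDR produced inside `[msg_control, msg_control + msg_controllen]`; for any pointer past that end the `msg_controllen - offset` subtraction wraps in unsigned arithmetic and the bound test passes, so the macro fixes the wrap-around of the old additive form (a huge `cmsg_len` added to the offset could come out small) but cannot be used as a stand-alone sanity check on an arbitrary header. I would state that next to the definition: `/* cmsg must lie inside msg_control..msg_controllen (as CMSG_FIRSTHDR/CMSG_NXTHDR guarantee); subtract the offset from the remaining length rather than add it to cmsg_len so an oversized cmsg_len cannot wrap the comparison. */`. The macro also evaluates both arguments more than once, harmless for the plain lvalues passed here but worth noting in the same comment for future callers. Every loop body touched in scm.c, ip_sockglue.c, datagram.c and sctp/socket.c starts or continues outside its hunk, and the sctp hunk drops the explanatory `/* Check for minimum length. ... */` comment, which I would keep above the `CMSG_OK` call rather than delete.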
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/117-igmp-source-filter-fixes.patch
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/117-igmp-source-filter-fixes.patch 2004-12-15 22:06:41 UTC (rev 2001)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/117-igmp-source-filter-fixes.patch 2004-12-16 05:34:11 UTC (rev 2002)
@@ -0,0 +1,93 @@
+# origin: chrisw@osdl.org
+# cset: 1.1521.2.4
+# inclusion: backport
+# revision date: 2004-12-14
+# description: IGMP source filter fixes
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/14 11:11:21-08:00 chrisw@osdl.org
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/igmp.c
+# 2004/12/14 11:10:57-08:00 chrisw@osdl.org +5 -5
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# net/ipv6/mcast.c
+# 2004/12/14 11:10:57-08:00 chrisw@osdl.org +5 -5
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+diff -Nru a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c 2004-12-15 19:22:13 -08:00
++++ b/net/ipv4/igmp.c 2004-12-15 19:22:13 -08:00
+@@ -1757,12 +1757,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -1804,9 +1804,9 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
+diff -Nru a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+--- a/net/ipv6/mcast.c 2004-12-15 19:22:13 -08:00
++++ b/net/ipv6/mcast.c 2004-12-15 19:22:13 -08:00
+@@ -386,12 +386,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group,
++ rv = memcmp(&psl->sl_addr[i], source,
+ sizeof(struct in6_addr));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -432,8 +432,8 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
+- if (rv >= 0)
++ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
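Review bot: The retained `rv = 1; /* > 0 for insert logic below if sl_count is 0 */` comment in both add-path hunks (igmp.c and mcast.c) is now misleading, because with the `rv == 0` break the sign of rv no longer carries ordering information; the insertion code below the hunk can only rely on `rv != 0` and on `i == psl->sl_count` after a miss, which is what makes new entries append instead of keeping the list sorted, as the changeset description says. I would reword it to `rv = 1; /* non-zero = not found when sl_count is 0; on a miss i == sl_count, so the entry is appended */`. The delete path's `if (rv) /* source not found */ goto done;` depends on the same non-zero-means-miss convention, which holds for an empty list because of the `rv = !0;` initialisation, and stating that once would make both loops easier to audit. The enclosing add/delete functions, including any sl_count/sl_max bound checks and the actual array shifts, lie outside these hunks, so I have not been able to confirm from this page that the append path stays within the allocated sl_max.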
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-7
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-7 2004-12-15 22:06:41 UTC (rev 2001)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-7 2004-12-16 05:34:11 UTC (rev 2002)
@@ -1,3 +1,5 @@
+ 113-unix-serialization.diff
+ 114-binfmt_aout-CAN-2004-1074.diff
+ 115_tty_lockup-3.diff
++ 116-cmsg-validation-checks.patch
++ 117-igmp-source-filter-fixes.patch