r2022 - in trunk/kernel/source: kernel-source-2.6.8-2.6.8/debian kernel-source-2.6.8-2.6.8/debian/patches kernel-source-2.6.8-2.6.8/debian/patches/series kernel-source-2.6.9-2.6.9/debian kernel-source-2.6.9-2.6.9/debian/patches kernel-source-2.6.9-2.6.9/debian/patches/series
Andres Salomon
dilinger-guest@haydn.debian.org
Thu, 23 Dec 2004 00:38:17 -0700
Author: dilinger-guest
Date: 2004-12-23 00:37:52 -0700 (Thu, 23 Dec 2004)
New Revision: 2022
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fix-ip-options-leak.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/vt-of-death.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/fix-ip-options-leak.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/vt-of-death.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
Log:
* [SECURITY] Fix memory leak in ip_options_get allowing a DoS
attack. Thanks to Fabio M. Di Nitto (Andres Salomon).
* [SECURITY] Fix integer overflow in vc_resize. Thanks to
Fabio M. Di Nitto (Andres Salomon).
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-23 07:10:30 UTC (rev 2021)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2004-12-23 07:37:52 UTC (rev 2022)
@@ -1,17 +1,18 @@
kernel-source-2.6.8 (2.6.8-11) UNRELEASED; urgency=high
* [SECURITY] serialize dgram read using semaphore just like stream;
- CAN-2004-1068 (Fabio M. Di Nitto).
+ CAN-2004-1068. Thanks to Fabio M. Di Nitto (Andres Salomon).
* [SECURITY] Fix insufficient locking checks in DRM code;
- CAN-2004-1056 (Fabio M. Di Nitto).
+ CAN-2004-1056. Thanks to Fabio M. Di Nitto (Andres Salomon).
* [SECURITY] Fix SELinux crashes with SOCK_SEQPACKET; see
http://marc.theaimsgroup.com/?l=linux-kernel&m=110045613004761
- for reference; CAN-2004-1069 (Fabio M. Di Nitto).
+ for reference; CAN-2004-1069. Thanks to Fabio M. Di Nitto
+ (Andres Salomon).
- * [SECURITY] Fix problems in VM_IO refcount; CAN not yet assigned
- (Fabio M. Di Nitto).
+ * [SECURITY] Fix problems in VM_IO refcount; CAN not yet assigned.
+ Thanks to Fabio M. Di Nitto (Andres Salomon).
* Delay registration of HCDP described UARTs, fixing the PDH console
on HP rx1600s (dann frazier).
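Review bot: The credit rewrites on the four existing [SECURITY] entries (CAN-2004-1068, CAN-2004-1056, CAN-2004-1069 and the VM_IO refcount entry) are not mentioned in the commit log, which lists only the ip_options_get and vc_resize fixes. Either mention the attribution change in the log or commit it separately, so that this revision contains nothing but the two security fixes and is easy to audit or cherry-pick.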
@@ -40,11 +41,17 @@
* [SECURITY] fix ip_conntrack_ftp leak;
https://lists.netfilter.org/pipermail/netfilter-devel/2004-December/017677.html
- Thanks to Fabio M. Di Nitto for point this out (Andres Salomon).
+ Thanks to Fabio M. Di Nitto for pointing this out (Andres Salomon).
* Add some additional reiserfs locking and error handling fixes, in
hopes of lessening reports of reiser corruption (Andres Salomon).
+ * [SECURITY] Fix memory leak in ip_options_get allowing a DoS
+ attack. Thanks to Fabio M. Di Nitto (Andres Salomon).
+
+ * [SECURITY] Fix integer overflow in vc_resize. Thanks to
+ Fabio M. Di Nitto (Andres Salomon).
+
-- dann frazier <dannf@debian.org> Fri, 03 Dec 2004 00:13:41 -0700
kernel-source-2.6.8 (2.6.8-10) unstable; urgency=high
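Review bot: The two new [SECURITY] entries carry neither a CAN identifier nor a reference, while the other security entries in this changelog give a CAN number, a "CAN not yet assigned" marker or a URL. Add one of those so the fixes can be tracked. The credit also differs from the patch headers in this commit, which name David S. Miller and Linus Torvalds as patch authors and Georgi Guninski as the person who noticed both problems; consider naming them next to "Thanks to Fabio M. Di Nitto". The same applies to the 2.6.9 changelog.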
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fix-ip-options-leak.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fix-ip-options-leak.dpatch 2004-12-23 07:10:30 UTC (rev 2021)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fix-ip-options-leak.dpatch 2004-12-23 07:37:52 UTC (rev 2022)
@@ -0,0 +1,40 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Do not leak IP options.
+## DP: Patch author: David S. Miller <davem@davemloft.net>
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/08 12:39:15-08:00 davem@nuts.davemloft.net
+# [IPV4]: Do not leak IP options.
+#
+# If the user makes ip_cmsg_send call ip_options_get
+# multiple times, we leak kmalloced IP options data.
+#
+# Noticed by Georgi Guninski.
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_options.c
+# 2004/12/08 12:38:09-08:00 davem@nuts.davemloft.net +2 -0
+# [IPV4]: Do not leak IP options.
+#
+diff -Nru a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
+--- a/net/ipv4/ip_options.c 2004-12-22 03:00:30 -08:00
++++ b/net/ipv4/ip_options.c 2004-12-22 03:00:30 -08:00
+@@ -515,6 +515,8 @@
+ kfree(opt);
+ return -EINVAL;
+ }
++ if (*optp)
++ kfree(*optp);
+ *optp = opt;
+ return 0;
+ }
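Review bot: The added kfree(*optp) in ip_options_get is only safe if every caller passes an optp whose target is either NULL or a pointer that came from kmalloc; an uninitialised *optp would now be freed. The hunk does not show the callers, so check ip_cmsg_send (named in the changeset comment) and any other caller in the 2.6.8 tree before relying on the backport, and state that requirement in a comment above the new check.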
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-23 07:10:30 UTC (rev 2021)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-11 2004-12-23 07:37:52 UTC (rev 2022)
@@ -13,3 +13,5 @@
+ ip-conntrack-ftp-leak.dpatch
+ reiserfs-sucks.patch
+ reiserfs-sucks-2.patch
++ fix-ip-options-leak.dpatch
++ vt-of-death.dpatch
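Review bot: The name vt-of-death.dpatch does not say what the patch fixes, whereas fix-ip-options-leak.dpatch on the line above does. A name that mentions vc_resize (the changelog describes the fix as an integer overflow in vc_resize) would make it possible to tell from the series file alone which security fixes a given revision applies.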
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/vt-of-death.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/vt-of-death.dpatch 2004-12-23 07:10:30 UTC (rev 2021)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/vt-of-death.dpatch 2004-12-23 07:37:52 UTC (rev 2022)
@@ -0,0 +1,45 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Make sure VC resizing fits in s16.
+## DP: Patch author: Linus Torvalds
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/10 09:52:42-08:00 torvalds@ppc970.osdl.org
+# Make sure VC resizing fits in s16.
+#
+# Noted by Georgi Guninski
+#
+# drivers/char/vt.c
+# 2004/12/10 09:52:35-08:00 torvalds@ppc970.osdl.org +5 -0
+# Make sure VC resizing fits in s16.
+#
+diff -Nru a/drivers/char/vt.c b/drivers/char/vt.c
+--- a/drivers/char/vt.c 2004-12-22 03:00:00 -08:00
++++ b/drivers/char/vt.c 2004-12-22 03:00:00 -08:00
+@@ -768,6 +768,8 @@
+ * [this is to be used together with some user program
+ * like resize that changes the hardware videomode]
+ */
++#define VC_RESIZE_MAXCOL (32767)
++#define VC_RESIZE_MAXROW (32767)
+ int vc_resize(int currcons, unsigned int cols, unsigned int lines)
+ {
+ unsigned long old_origin, new_origin, new_scr_end, rlth, rrem, err = 0;
+@@ -779,6 +781,9 @@
+
+ if (!vc_cons_allocated(currcons))
+ return -ENXIO;
++
++ if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
++ return -EINVAL;
+
+ new_cols = (cols ? cols : video_num_columns);
+ new_rows = (lines ? lines : video_num_lines);
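Review bot: The new check in vc_resize bounds cols and lines separately at 32767, but nothing in the visible lines bounds their product, and a request with both dimensions at the limit still passes. Confirm that whatever size is derived from new_cols and new_rows later in the function (not shown here) cannot wrap for 32767 x 32767 and that a failed allocation is handled. Separately, the two #define lines land between the function's doc comment and "int vc_resize(...)"; placing them above the comment keeps the comment attached to the function.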
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-23 07:10:30 UTC (rev 2021)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2004-12-23 07:37:52 UTC (rev 2022)
@@ -6,17 +6,18 @@
* Yank fixed debian/apply from kernel-source-2.6.8. (Joshua Kwan)
* [SECURITY] serialize dgram read using semaphore just like stream;
- CAN-2004-1068 (Fabio M. Di Nitto).
+ CAN-2004-1068. Thanks to Fabio M. Di Nitto (Andres Salomon).
* [SECURITY] Fix insufficient locking checks in DRM code;
- CAN-2004-1056 (Fabio M. Di Nitto).
+ CAN-2004-1056. Thanks to Fabio M. Di Nitto (Andres Salomon).
* [SECURITY] Fix SELinux crashes with SOCK_SEQPACKET; see
http://marc.theaimsgroup.com/?l=linux-kernel&m=110045613004761
- for reference; CAN-2004-1069 (Fabio M. Di Nitto).
+ for reference; CAN-2004-1069. Thanks to Fabio M. Di Nitto
+ (Andres Salomon).
- * [SECURITY] Fix problems in VM_IO refcount; CAN not yet assigned
- (Fabio M. Di Nitto).
+ * [SECURITY] Fix problems in VM_IO refcount; CAN not yet assigned.
+ Thanks to Fabio M. Di Nitto (Andres Salomon).
* Delay registration of HCDP described UARTs, fixing the PDH console
on HP rx1600s (merged patch from k-s 2.6.8) (dann frazier).
@@ -45,11 +46,17 @@
* [SECURITY] fix ip_conntrack_ftp leak;
https://lists.netfilter.org/pipermail/netfilter-devel/2004-December/017677.html
- Thanks to Fabio M. Di Nitto for this (Andres Salomon).
+ Thanks to Fabio M. Di Nitto for pointing this out (Andres Salomon).
* Add some additional reiserfs locking and error handling fixes, in
hopes of lessening reports of reiser corruption (Andres Salomon).
+ * [SECURITY] Fix memory leak in ip_options_get allowing a DoS
+ attack. Thanks to Fabio M. Di Nitto (Andres Salomon).
+
+ * [SECURITY] Fix integer overflow in vc_resize. Thanks to
+ Fabio M. Di Nitto (Andres Salomon).
+
-- dann frazier <dannf@debian.org> Fri, 03 Dec 2004 09:26:52 -0700
kernel-source-2.6.9 (2.6.9-3) unstable; urgency=low
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/fix-ip-options-leak.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/fix-ip-options-leak.dpatch 2004-12-23 07:10:30 UTC (rev 2021)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/fix-ip-options-leak.dpatch 2004-12-23 07:37:52 UTC (rev 2022)
@@ -0,0 +1,40 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Do not leak IP options.
+## DP: Patch author: David S. Miller <davem@davemloft.net>
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/08 12:39:15-08:00 davem@nuts.davemloft.net
+# [IPV4]: Do not leak IP options.
+#
+# If the user makes ip_cmsg_send call ip_options_get
+# multiple times, we leak kmalloced IP options data.
+#
+# Noticed by Georgi Guninski.
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_options.c
+# 2004/12/08 12:38:09-08:00 davem@nuts.davemloft.net +2 -0
+# [IPV4]: Do not leak IP options.
+#
+diff -Nru a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
+--- a/net/ipv4/ip_options.c 2004-12-22 03:00:30 -08:00
++++ b/net/ipv4/ip_options.c 2004-12-22 03:00:30 -08:00
+@@ -515,6 +515,8 @@
+ kfree(opt);
+ return -EINVAL;
+ }
++ if (*optp)
++ kfree(*optp);
+ *optp = opt;
+ return 0;
+ }
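Review bot: The second line of the dpatch header is still the template placeholder "## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>". Fill in the patch name and the backporter's address so the file records who is responsible for the backport; the 2.6.8 copy and both vt-of-death.dpatch files have the same unfilled line.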
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-23 07:10:30 UTC (rev 2021)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-4 2004-12-23 07:37:52 UTC (rev 2022)
@@ -15,3 +15,5 @@
+ ip-conntrack-ftp-leak.dpatch
+ reiserfs-sucks.patch
+ reiserfs-sucks-2.patch
++ fix-ip-options-leak.dpatch
++ vt-of-death.dpatch
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/vt-of-death.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/vt-of-death.dpatch 2004-12-23 07:10:30 UTC (rev 2021)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/vt-of-death.dpatch 2004-12-23 07:37:52 UTC (rev 2022)
@@ -0,0 +1,45 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Make sure VC resizing fits in s16.
+## DP: Patch author: Linus Torvalds
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/10 09:52:42-08:00 torvalds@ppc970.osdl.org
+# Make sure VC resizing fits in s16.
+#
+# Noted by Georgi Guninski
+#
+# drivers/char/vt.c
+# 2004/12/10 09:52:35-08:00 torvalds@ppc970.osdl.org +5 -0
+# Make sure VC resizing fits in s16.
+#
+diff -Nru a/drivers/char/vt.c b/drivers/char/vt.c
+--- a/drivers/char/vt.c 2004-12-22 03:00:00 -08:00
++++ b/drivers/char/vt.c 2004-12-22 03:00:00 -08:00
+@@ -768,6 +768,8 @@
+ * [this is to be used together with some user program
+ * like resize that changes the hardware videomode]
+ */
++#define VC_RESIZE_MAXCOL (32767)
++#define VC_RESIZE_MAXROW (32767)
+ int vc_resize(int currcons, unsigned int cols, unsigned int lines)
+ {
+ unsigned long old_origin, new_origin, new_scr_end, rlth, rrem, err = 0;
+@@ -779,6 +781,9 @@
+
+ if (!vc_cons_allocated(currcons))
+ return -ENXIO;
++
++ if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
++ return -EINVAL;
+
+ new_cols = (cols ? cols : video_num_columns);
+ new_rows = (lines ? lines : video_num_lines);
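Review bot: VC_RESIZE_MAXCOL and VC_RESIZE_MAXROW are defined as the bare literal 32767 with no comment; only the dpatch description ("Make sure VC resizing fits in s16") explains where the number comes from. Add a one-line comment at the #defines saying that the value is the s16 maximum and which s16 field the limit protects, so the reason for the bound survives once the patch is applied to the tree.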