r4084 - in branches/dist/sid/kernel/linux-2.6/debian: . patches-debian patches-debian/series

Simon Horman horms at costa.debian.org
Wed Aug 31 09:14:49 UTC 2005


Author: horms
Date: 2005-08-31 09:14:49 +0000 (Wed, 31 Aug 2005)
New Revision: 4084

Added:
   branches/dist/sid/kernel/linux-2.6/debian/patches-debian/2.6.12.6.patch
Modified:
   branches/dist/sid/kernel/linux-2.6/debian/changelog
   branches/dist/sid/kernel/linux-2.6/debian/patches-debian/series/2.6.12-6
Log:
  * Added 2.6.12.6 
    - [Security] Restrict socket policy loading to CAP_NET_ADMIN.
      See CAN-2005-2555.
    - [Maybe-Security: Can remote traffic trigger this]
      Fix DST leak in icmp_push_reply()
    - [Maybe-Security: Seems like a local DoS]
      NPTL signal delivery deadlock fix
    - fix gl_skb/skb type error in genelink driver in usbnet
    - [Maybe-Security: Seems like a local DoS]
      fix a memory leak in devices seq_file implementation
    - [Maybe-Security: Seems like a local DoS]
      Fix SKB leak in ip6_input_finish()


Modified: branches/dist/sid/kernel/linux-2.6/debian/changelog
===================================================================
--- branches/dist/sid/kernel/linux-2.6/debian/changelog	2005-08-31 09:06:33 UTC (rev 4083)
+++ branches/dist/sid/kernel/linux-2.6/debian/changelog	2005-08-31 09:14:49 UTC (rev 4084)
@@ -19,12 +19,25 @@
     [Security] Restrict socket policy loading to CAP_NET_ADMIN.
     See CAN-2005-2555.
 
-  * zlib deflateBound() patch added as part of the 2.6.12.5 patch in 
+  * zlib deflateBound() patch added as part of the 2.6.12.5 patch in
     2.6.12-3 now has a CAN number.
     See CAN-2005-2457
 
- -- Simon Horman <horms at debian.org>  Tue, 30 Aug 2005 17:21:24 +0900
+  * Added 2.6.12.6
+    - [Security] Restrict socket policy loading to CAP_NET_ADMIN.
+      See CAN-2005-2555.
+    - [Maybe-Security: Can remote traffic trigger this]
+      Fix DST leak in icmp_push_reply()
+    - [Maybe-Security: Seems like a local DoS]
+      NPTL signal delivery deadlock fix
+    - fix gl_skb/skb type error in genelink driver in usbnet
+    - [Maybe-Security: Seems like a local DoS]
+      fix a memory leak in devices seq_file implementation
+    - [Maybe-Security: Seems like a local DoS]
+      Fix SKB leak in ip6_input_finish()
 
+ -- Simon Horman <horms at debian.org>  Wed, 31 Aug 2005 18:13:58 +0900
+
 linux-2.6 (2.6.12-5) unstable; urgency=low
 
   * Change ARM to use GCC 3.3 to avoid FTBFS errors with GCC 4

Added: branches/dist/sid/kernel/linux-2.6/debian/patches-debian/2.6.12.6.patch
===================================================================
--- branches/dist/sid/kernel/linux-2.6/debian/patches-debian/2.6.12.6.patch	2005-08-31 09:06:33 UTC (rev 4083)
+++ branches/dist/sid/kernel/linux-2.6/debian/patches-debian/2.6.12.6.patch	2005-08-31 09:14:49 UTC (rev 4084)
@@ -0,0 +1,152 @@
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2969,23 +2969,22 @@ static void * dev_seq_start(struct seq_f
+ {
+ 	struct sg_proc_deviter * it = kmalloc(sizeof(*it), GFP_KERNEL);
+ 
++	s->private = it;
+ 	if (! it)
+ 		return NULL;
++
+ 	if (NULL == sg_dev_arr)
+-		goto err1;
++		return NULL;
+ 	it->index = *pos;
+ 	it->max = sg_last_dev();
+ 	if (it->index >= it->max)
+-		goto err1;
++		return NULL;
+ 	return it;
+-err1:
+-	kfree(it);
+-	return NULL;
+ }
+ 
+ static void * dev_seq_next(struct seq_file *s, void *v, loff_t *pos)
+ {
+-	struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
++	struct sg_proc_deviter * it = s->private;
+ 
+ 	*pos = ++it->index;
+ 	return (it->index < it->max) ? it : NULL;
+@@ -2993,7 +2992,9 @@ static void * dev_seq_next(struct seq_fi
+ 
+ static void dev_seq_stop(struct seq_file *s, void *v)
+ {
+-	kfree (v);
++	struct sg_proc_deviter * it = s->private;
++
++	kfree (it);
+ }
+ 
+ static int sg_proc_open_dev(struct inode *inode, struct file *file)
+diff --git a/drivers/usb/net/usbnet.c b/drivers/usb/net/usbnet.c
+--- a/drivers/usb/net/usbnet.c
++++ b/drivers/usb/net/usbnet.c
+@@ -1922,7 +1922,7 @@ static int genelink_rx_fixup (struct usb
+ 
+ 			// copy the packet data to the new skb
+ 			memcpy(skb_put(gl_skb, size), packet->packet_data, size);
+-			skb_return (dev, skb);
++			skb_return (dev, gl_skb);
+ 		}
+ 
+ 		// advance to the next packet
+diff --git a/kernel/signal.c b/kernel/signal.c
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -686,7 +686,7 @@ static void handle_stop_signal(int sig, 
+ {
+ 	struct task_struct *t;
+ 
+-	if (p->flags & SIGNAL_GROUP_EXIT)
++	if (p->signal->flags & SIGNAL_GROUP_EXIT)
+ 		/*
+ 		 * The process is in the middle of dying already.
+ 		 */
+diff --git a/lib/zlib_inflate/inftrees.c b/lib/zlib_inflate/inftrees.c
+--- a/lib/zlib_inflate/inftrees.c
++++ b/lib/zlib_inflate/inftrees.c
+@@ -141,7 +141,7 @@ static int huft_build(
+   {
+     *t = NULL;
+     *m = 0;
+-    return Z_DATA_ERROR;
++    return Z_OK;
+   }
+ 
+ 
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -349,12 +349,12 @@ static void icmp_push_reply(struct icmp_
+ {
+ 	struct sk_buff *skb;
+ 
+-	ip_append_data(icmp_socket->sk, icmp_glue_bits, icmp_param,
+-		       icmp_param->data_len+icmp_param->head_len,
+-		       icmp_param->head_len,
+-		       ipc, rt, MSG_DONTWAIT);
+-
+-	if ((skb = skb_peek(&icmp_socket->sk->sk_write_queue)) != NULL) {
++	if (ip_append_data(icmp_socket->sk, icmp_glue_bits, icmp_param,
++		           icmp_param->data_len+icmp_param->head_len,
++		           icmp_param->head_len,
++		           ipc, rt, MSG_DONTWAIT) < 0)
++		ip_flush_pending_frames(icmp_socket->sk);
++	else if ((skb = skb_peek(&icmp_socket->sk->sk_write_queue)) != NULL) {
+ 		struct icmphdr *icmph = skb->h.icmph;
+ 		unsigned int csum = 0;
+ 		struct sk_buff *skb1;
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -848,6 +848,9 @@ mc_msf_out:
+  
+ 		case IP_IPSEC_POLICY:
+ 		case IP_XFRM_POLICY:
++			err = -EPERM;
++			if (!capable(CAP_NET_ADMIN))
++				break;
+ 			err = xfrm_user_policy(sk, optname, optval, optlen);
+ 			break;
+ 
+diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -198,12 +198,13 @@ resubmit:
+ 		if (!raw_sk) {
+ 			if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+ 				IP6_INC_STATS_BH(IPSTATS_MIB_INUNKNOWNPROTOS);
+-				icmpv6_param_prob(skb, ICMPV6_UNK_NEXTHDR, nhoff);
++				icmpv6_send(skb, ICMPV6_PARAMPROB,
++				            ICMPV6_UNK_NEXTHDR, nhoff,
++				            skb->dev);
+ 			}
+-		} else {
++		} else
+ 			IP6_INC_STATS_BH(IPSTATS_MIB_INDELIVERS);
+-			kfree_skb(skb);
+-		}
++		kfree_skb(skb);
+ 	}
+ 	rcu_read_unlock();
+ 	return 0;
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -503,6 +503,9 @@ done:
+ 		break;
+ 	case IPV6_IPSEC_POLICY:
+ 	case IPV6_XFRM_POLICY:
++		retv = -EPERM;
++		if (!capable(CAP_NET_ADMIN))
++			break;
+ 		retv = xfrm_user_policy(sk, optname, optval, optlen);
+ 		break;
+ 
+-
+To unsubscribe from this list: send the line "unsubscribe linux-kernel-announce" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
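Review bot: The changelog entry for 2.6.12.6 omits the zlib change carried in this patch: `huft_build()` in lib/zlib_inflate/inftrees.c now ends its early-exit branch with `return Z_OK;` instead of `return Z_DATA_ERROR;`. The condition guarding that branch lies outside the hunk, so whether this relaxes validation of compressed input cannot be judged from here. A changelog line naming the upstream change and its reason, tagged `[Security]` or `[Maybe-Security]` like the other items if one applies, would let a reader audit it. Separately, the patch file ends with a lone `-` and the linux-kernel-announce unsubscribe footer, which is mail residue rather than patch content and should be trimmed before the file is committed.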

Modified: branches/dist/sid/kernel/linux-2.6/debian/patches-debian/series/2.6.12-6
===================================================================
--- branches/dist/sid/kernel/linux-2.6/debian/patches-debian/series/2.6.12-6	2005-08-31 09:06:33 UTC (rev 4083)
+++ branches/dist/sid/kernel/linux-2.6/debian/patches-debian/series/2.6.12-6	2005-08-31 09:14:49 UTC (rev 4084)
@@ -1 +1 @@
-+ net-sockglue-cap.patch
++ 2.6.12.6.patch



