r4312 - in dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Simon Horman horms at costa.debian.org
Thu Oct 6 04:30:20 UTC 2005


Author: horms
Date: 2005-10-06 04:30:19 +0000 (Thu, 06 Oct 2005)
New Revision: 4312

Added:
   dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv4-fragmentation-csum-handling.dpatch
   dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch
   dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sparc-request_irq-in-RTC-fix.dpatch
Modified:
   dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
Log:
* sparc-request_irq-in-RTC-fix.dpatch
  Use SA_SHIRQ in sparc specific code.
  From 2.6.13.1

* sendmsg-stackoverflow.dpatch
  [SECURITY] 32bit sendmsg() flaw. See CAN-2005-2490
  From 2.6.13.1

* ipv4-fragmentation-csum-handling.dpatch
  Reassembly trim not clearing CHECKSUM_HW
  From 2.6.13.1


Modified: dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-10-05 22:21:57 UTC (rev 4311)
+++ dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-10-06 04:30:19 UTC (rev 4312)
@@ -243,13 +243,26 @@
     causing an oops.
     (closes: #323557)
 
+  * sparc-request_irq-in-RTC-fix.dpatch
+    Use SA_SHIRQ in sparc specific code.
+    From 2.6.13.1
+
+  * sendmsg-stackoverflow.dpatch
+    [SECUURITY] 32bit sendmsg() flaw. See CAN-2005-2490
+    From 2.6.13.1
+
+  * ipv4-fragmentation-csum-handling.dpatch
+    Reassembly trim not clearing CHECKSUM_HW
+    From 2.6.13.1
+
   [ dann frazier ]
   * mempolicy-check-mode.dpatch
     [SECURITY] Input validation in sys_set_mempolicy(); local DoS.
     See CAN-2005-3053
 
- -- Simon Horman <horms at debian.org>  Wed,  5 Oct 2005 16:11:27 +0900
 
+ -- Simon Horman <horms at debian.org>  Thu,  6 Oct 2005 13:22:56 +0900
+
 kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
 
   * smbfs-overrun.dpatch:
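Review bot: the new entry `[SECUURITY] 32bit sendmsg() flaw. See CAN-2005-2490` misspells the tag; the mempolicy entry just below it uses `[SECURITY]`, and the tag should be spelled consistently because the changelog is what the security tracker and release announcements are grepped for. Suggest `[SECURITY] 32bit sendmsg() flaw. See CAN-2005-2490`.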

Added: dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv4-fragmentation-csum-handling.dpatch
===================================================================
--- dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv4-fragmentation-csum-handling.dpatch	2005-10-05 22:21:57 UTC (rev 4311)
+++ dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv4-fragmentation-csum-handling.dpatch	2005-10-06 04:30:19 UTC (rev 4312)
@@ -0,0 +1,38 @@
+From stable-bounces at linux.kernel.org  Tue Sep  6 15:52:37 2005
+Date: Tue, 06 Sep 2005 15:52:34 -0700 (PDT)
+To: stable at kernel.org
+From: "David S. Miller" <davem at davemloft.net>
+Subject: [IPV4]: Reassembly trim not clearing CHECKSUM_HW
+
+From: Stephen Hemminger <shemminger at osdl.org>
+
+[IPV4]: Reassembly trim not clearing CHECKSUM_HW
+
+This was found by inspection while looking for checksum problems
+with the skge driver that sets CHECKSUM_HW. It did not fix the
+problem, but it looks like it is needed.
+
+If IP reassembly is trimming an overlapping fragment, it
+should reset (or adjust) the hardware checksum flag on the skb.
+
+Signed-off-by: Stephen Hemminger <shemminger at osdl.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/ipv4/ip_fragment.c |    2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.13.y/net/ipv4/ip_fragment.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv4/ip_fragment.c
++++ linux-2.6.13.y/net/ipv4/ip_fragment.c
+@@ -457,7 +457,7 @@ static void ip_frag_queue(struct ipq *qp
+ 
+ 	if (pskb_pull(skb, ihl) == NULL)
+ 		goto err;
+-	if (pskb_trim(skb, end-offset))
++	if (pskb_trim_rcsum(skb, end-offset))
+ 		goto err;
+ 
+ 	/* Find out which fragments are in front and at the back of us
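Review bot: the one-line switch from `pskb_trim` to `pskb_trim_rcsum` is the right fix, but note that it resets rather than adjusts: `pskb_trim_rcsum` drops `ip_summed` from CHECKSUM_HW to CHECKSUM_NONE whenever it actually shortens the skb, so a trimmed overlapping fragment is re-checksummed in software. That is the safe direction, because the NIC's checksum covered bytes that no longer belong to this fragment and the transport layer would otherwise verify against a sum computed over different data; the cost is one software checksum per overlapping fragment, which is rare traffic. Since this is a backport of a 2.6.13.y change (`Index: linux-2.6.13.y/net/ipv4/ip_fragment.c`) into kernel-source-2.6.8, confirm before merging that `pskb_trim_rcsum` exists in the 2.6.8 headers and that the hunk applies to 2.6.8's `ip_frag_queue` without fuzz, since it carries only three lines of context on each side.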

Added: dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch
===================================================================
--- dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch	2005-10-05 22:21:57 UTC (rev 4311)
+++ dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sendmsg-stackoverflow.dpatch	2005-10-06 04:30:19 UTC (rev 4312)
@@ -0,0 +1,155 @@
+From security-bounces at linux.kernel.org  Tue Sep  6 01:31:17 2005
+From: David Woodhouse <dwmw2 at infradead.org>
+To: Sebastian Krahmer <krahmer at suse.de>
+Date: Tue, 06 Sep 2005 09:30:10 +0100
+Subject: [PATCH] 32bit sendmsg() flaw (CAN-2005-2490)
+Cc: viro at ZenIV.linux.org.uk, "David S. Miller" <davem at davemloft.net>, David Woodhouse <dwmw2 at infradead.org>
+
+When we copy 32bit ->msg_control contents to kernel, we walk the same
+userland data twice without sanity checks on the second pass.
+
+Second version of this patch: the original broke with 64-bit arches
+running 32-bit-compat-mode executables doing sendmsg() syscalls with
+unaligned CMSG data areas
+
+Another thing is that we use kmalloc() to allocate and sock_kfree_s()
+to free afterwards; less serious, but also needs fixing.
+
+Patch by Al Viro, David Miller, David Woodhouse
+(sparc64 clean compile fix from David Miller)
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: David Woodhouse <dwmw2 at infradead.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ include/net/compat.h |    5 +++--
+ net/compat.c         |   44 ++++++++++++++++++++++++++------------------
+ net/socket.c         |    3 ++-
+ 3 files changed, 31 insertions(+), 21 deletions(-)
+
+Index: linux-2.6.13.y/include/net/compat.h
+===================================================================
+--- linux-2.6.13.y.orig/include/net/compat.h
++++ linux-2.6.13.y/include/net/compat.h
+@@ -33,7 +33,8 @@ extern asmlinkage long compat_sys_sendms
+ extern asmlinkage long compat_sys_recvmsg(int,struct compat_msghdr __user *,unsigned);
+ extern asmlinkage long compat_sys_getsockopt(int, int, int, char __user *, int __user *);
+ extern int put_cmsg_compat(struct msghdr*, int, int, int, void *);
+-extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, unsigned char *,
+-		int);
++
++struct sock;
++extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, struct sock *, unsigned char *, int);
+ 
+ #endif /* NET_COMPAT_H */
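Review bot: the prototype change means any caller still passing three arguments fails to compile rather than silently mismatching, which is good, but because this is a backport the 2.6.8 tree should be grepped for callers of `cmsghdr_from_user_compat_to_kern` other than the one updated in the net/socket.c hunk below. The `struct sock;` forward declaration is the right way to give the prototype its new parameter type without pulling net/sock.h into this header; keep it as is.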
+Index: linux-2.6.13.y/net/compat.c
+===================================================================
+--- linux-2.6.13.y.orig/net/compat.c
++++ linux-2.6.13.y/net/compat.c
+@@ -135,13 +135,14 @@ static inline struct compat_cmsghdr __us
+  * thus placement) of cmsg headers and length are different for
+  * 32-bit apps.  -DaveM
+  */
+-int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg,
++int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
+ 			       unsigned char *stackbuf, int stackbuf_size)
+ {
+ 	struct compat_cmsghdr __user *ucmsg;
+ 	struct cmsghdr *kcmsg, *kcmsg_base;
+ 	compat_size_t ucmlen;
+ 	__kernel_size_t kcmlen, tmp;
++	int err = -EFAULT;
+ 
+ 	kcmlen = 0;
+ 	kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
+@@ -156,6 +157,7 @@ int cmsghdr_from_user_compat_to_kern(str
+ 
+ 		tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+ 		       CMSG_ALIGN(sizeof(struct cmsghdr)));
++		tmp = CMSG_ALIGN(tmp);
+ 		kcmlen += tmp;
+ 		ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+ 	}
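Review bot: the added `tmp = CMSG_ALIGN(tmp);` in the sizing pass is what makes `kcmlen` match what the copy pass actually writes: the copy pass advances `kcmsg` by the aligned record length, so without this line the buffer was sized from unaligned lengths and the padding after the last record could land past the end of `stackbuf` or the allocated area. A comment stating that both passes must use the same rounding would help, since the two loops are thirty lines apart and the next edit to one of them can reintroduce the mismatch.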
+@@ -167,30 +169,34 @@ int cmsghdr_from_user_compat_to_kern(str
+ 	 * until we have successfully copied over all of the data
+ 	 * from the user.
+ 	 */
+-	if(kcmlen > stackbuf_size)
+-		kcmsg_base = kcmsg = kmalloc(kcmlen, GFP_KERNEL);
+-	if(kcmsg == NULL)
++	if (kcmlen > stackbuf_size)
++		kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL);
++	if (kcmsg == NULL)
+ 		return -ENOBUFS;
+ 
+ 	/* Now copy them over neatly. */
+ 	memset(kcmsg, 0, kcmlen);
+ 	ucmsg = CMSG_COMPAT_FIRSTHDR(kmsg);
+ 	while(ucmsg != NULL) {
+-		__get_user(ucmlen, &ucmsg->cmsg_len);
++		if (__get_user(ucmlen, &ucmsg->cmsg_len))
++			goto Efault;
++		if (!CMSG_COMPAT_OK(ucmlen, ucmsg, kmsg))
++			goto Einval;
+ 		tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+ 		       CMSG_ALIGN(sizeof(struct cmsghdr)));
++		if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
++			goto Einval;
+ 		kcmsg->cmsg_len = tmp;
+-		__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
+-		__get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
+-
+-		/* Copy over the data. */
+-		if(copy_from_user(CMSG_DATA(kcmsg),
+-				  CMSG_COMPAT_DATA(ucmsg),
+-				  (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
+-			goto out_free_efault;
++		tmp = CMSG_ALIGN(tmp);
++		if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
++		    __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
++		    copy_from_user(CMSG_DATA(kcmsg),
++				   CMSG_COMPAT_DATA(ucmsg),
++				   (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
++			goto Efault;
+ 
+ 		/* Advance. */
+-		kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
++		kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
+ 		ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+ 	}
+ 
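Review bot: the core of the fix is the re-validation in the second pass: `CMSG_COMPAT_OK(ucmlen, ucmsg, kmsg)` is evaluated again on the freshly read `ucmlen`, and `(char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp)` checks that the record still fits the space remaining in the kernel buffer. Both checks are needed because the user buffer is read twice and another thread can change it between the passes (the "walk the same userland data twice without sanity checks on the second pass" flaw in the description), so nothing computed in pass one can be trusted in pass two. The ordering is correct: `CMSG_COMPAT_OK` bounds `ucmlen` from below before `ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))` is computed, so that subtraction cannot wrap. Two smaller points worth keeping in the merge notes: the `__get_user` return values are now checked instead of discarded, and the allocation moves to `sock_kmalloc(sk, kcmlen, GFP_KERNEL)`, which charges the socket's optmem accounting and so bounds the allocation by the socket's limit rather than letting `msg_controllen` drive a raw `kmalloc`.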
+@@ -199,10 +205,12 @@ int cmsghdr_from_user_compat_to_kern(str
+ 	kmsg->msg_controllen = kcmlen;
+ 	return 0;
+ 
+-out_free_efault:
+-	if(kcmsg_base != (struct cmsghdr *)stackbuf)
+-		kfree(kcmsg_base);
+-	return -EFAULT;
++Einval:
++	err = -EINVAL;
++Efault:
++	if (kcmsg_base != (struct cmsghdr *)stackbuf)
++		sock_kfree_s(sk, kcmsg_base, kcmlen);
++	return err;
+ }
+ 
+ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
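Review bot: the error path now frees with `sock_kfree_s(sk, kcmsg_base, kcmlen)`, which pairs with the `sock_kmalloc` in the hunk above; the old `kfree()` of a buffer the caller later released through `sock_kfree_s` (the mismatch the description calls "less serious") left the socket's optmem accounting charged. This relies on `kcmlen` still holding the allocated size when the labels are reached; the copy loop only reads it, so the invariant holds today, but a one-line comment at `Efault:` saying so would protect it from future edits to the loop.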
+Index: linux-2.6.13.y/net/socket.c
+===================================================================
+--- linux-2.6.13.y.orig/net/socket.c
++++ linux-2.6.13.y/net/socket.c
+@@ -1739,10 +1739,11 @@ asmlinkage long sys_sendmsg(int fd, stru
+ 		goto out_freeiov;
+ 	ctl_len = msg_sys.msg_controllen; 
+ 	if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
+-		err = cmsghdr_from_user_compat_to_kern(&msg_sys, ctl, sizeof(ctl));
++		err = cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl, sizeof(ctl));
+ 		if (err)
+ 			goto out_freeiov;
+ 		ctl_buf = msg_sys.msg_control;
++		ctl_len = msg_sys.msg_controllen;
+ 	} else if (ctl_len) {
+ 		if (ctl_len > sizeof(ctl))
+ 		{
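Review bot: the added `ctl_len = msg_sys.msg_controllen;` is easy to overlook but necessary: `cmsghdr_from_user_compat_to_kern` rewrites `msg_controllen` to the native-layout length (`kmsg->msg_controllen = kcmlen` in the net/compat.c hunk), while the `ctl_len` captured two lines earlier still holds the 32-bit layout length. Anything later in `sys_sendmsg` that uses `ctl_len`, in particular the cleanup that frees `ctl_buf` by size, must see the value the buffer was actually allocated with, or the `sock_kfree_s` accounting is off by the alignment difference between the two layouts.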

Modified: dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
===================================================================
--- dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17	2005-10-05 22:21:57 UTC (rev 4311)
+++ dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17	2005-10-06 04:30:19 UTC (rev 4312)
@@ -63,3 +63,6 @@
 + drivers-ide-ppp-pmac-build.dpatch
 + mempolicy-check-mode.dpatch
 + fs-ext3-nfs-parent-fix.dpatch
++ sparc-request_irq-in-RTC-fix.dpatch
++ sendmsg-stackoverflow.dpatch
++ ipv4-fragmentation-csum-handling.dpatch

Added: dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sparc-request_irq-in-RTC-fix.dpatch
===================================================================
--- dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sparc-request_irq-in-RTC-fix.dpatch	2005-10-05 22:21:57 UTC (rev 4311)
+++ dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sparc-request_irq-in-RTC-fix.dpatch	2005-10-06 04:30:19 UTC (rev 4312)
@@ -0,0 +1,32 @@
+From stable-bounces at linux.kernel.org  Tue Sep  6 15:03:44 2005
+Date: Tue, 06 Sep 2005 15:03:39 -0700 (PDT)
+To: stable at kernel.org
+From: "David S. Miller" <davem at davemloft.net>
+Subject: [RTC]: Use SA_SHIRQ in sparc specific code.
+
+Based upon a report from Jason Wever.
+
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/char/rtc.c |    5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+Index: linux-2.6.13.y/drivers/char/rtc.c
+===================================================================
+--- linux-2.6.13.y.orig/drivers/char/rtc.c
++++ linux-2.6.13.y/drivers/char/rtc.c
+@@ -938,10 +938,9 @@ found:
+ 
+ 	/*
+ 	 * XXX Interrupt pin #7 in Espresso is shared between RTC and
+-	 * PCI Slot 2 INTA# (and some INTx# in Slot 1). SA_INTERRUPT here
+-	 * is asking for trouble with add-on boards. Change to SA_SHIRQ.
++	 * PCI Slot 2 INTA# (and some INTx# in Slot 1).
+ 	 */
+-	if (request_irq(rtc_irq, rtc_interrupt, SA_INTERRUPT, "rtc", (void *)&rtc_port)) {
++	if (request_irq(rtc_irq, rtc_interrupt, SA_SHIRQ, "rtc", (void *)&rtc_port)) {
+ 		/*
+ 		 * Standard way for sparc to print irq's is to use
+ 		 * __irq_itoa(). I think for EBus it's ok to use %d.
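Review bot: changing `request_irq` from SA_INTERRUPT to SA_SHIRQ is the right call for a line shared with PCI slot INTA#, as the surviving comment explains, but sharing changes the handler's contract: `rtc_interrupt` will now also be invoked for the other device's interrupts. Confirm it reads RTC_INTR_FLAGS and returns IRQ_NONE when the RTC did not raise the line, so that it neither clears state it does not own nor skews the spurious-interrupt accounting. Dropping SA_INTERRUPT also means the handler no longer runs with interrupts disabled, which is fine for an RTC handler. One documentation point: the removed comment text ("SA_INTERRUPT here is asking for trouble with add-on boards") was the only in-code record of why SA_SHIRQ is required here; the rationale now lives solely in the changelog entry, so consider keeping a one-line remark in the comment.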



