r4406 - in dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Simon Horman horms at costa.debian.org
Tue Oct 11 10:34:07 UTC 2005


Author: horms
Date: 2005-10-11 10:34:06 +0000 (Tue, 11 Oct 2005)
New Revision: 4406

Added:
   dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/192_orinoco-info-leak.diff
   dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/193_plug-names_cache-memleak.diff
Modified:
   dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12
Log:
  * 192_orinoco-info-leak.diff
    [SECURITY] orinoco: Information leakage due to incorrect padding

  * 193_plug-names_cache-memleak.diff
    Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL


Modified: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	2005-10-11 10:28:05 UTC (rev 4405)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	2005-10-11 10:34:06 UTC (rev 4406)
@@ -70,8 +70,14 @@
     Fix build problems that appear to be caused by recent binutils changes
     (closes: #328707)
 
- -- Simon Horman <horms at debian.org>  Thu, 22 Sep 2005 18:55:18 +0900
+  * 192_orinoco-info-leak.diff
+    [SECURITY] orinoco: Information leakage due to incorrect padding
 
+  * 193_plug-names_cache-memleak.diff
+    Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
+
+ -- Simon Horman <horms at debian.org>  Tue, 11 Oct 2005 19:32:30 +0900
+
 kernel-source-2.4.27 (2.4.27-11) unstable; urgency=low
 
   [ Simon Horman ]
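
Review bot: the new 192_orinoco-info-leak.diff entry is tagged [SECURITY] but carries no CVE id or bug number, while the entry just above it cites (closes: #328707). Add whatever reference exists so the fix can be tracked from the changelog, and do the same for 193_plug-names_cache-memleak.diff if a bug report covers it.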

Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/192_orinoco-info-leak.diff
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/192_orinoco-info-leak.diff	2005-10-11 10:28:05 UTC (rev 4405)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/192_orinoco-info-leak.diff	2005-10-11 10:34:06 UTC (rev 4406)
@@ -0,0 +1,52 @@
+From stable-bounces at linux.kernel.org  Tue Oct  4 20:36:20 2005
+Date: Tue, 04 Oct 2005 21:33:10 -0400
+From: Pavel Roskin <proski at gnu.org>
+To: orinoco-devel <orinoco-devel at lists.sourceforge.net>, NetDev <netdev at vger.kernel.org>
+Cc: Meder Kydyraliev <meder at o0o.nu>
+Subject: [PATCH] orinoco: Information leakage due to incorrect padding
+
+The orinoco driver can send uninitialized data exposing random pieces of
+the system memory.  This happens because data is not padded with zeroes
+when its length needs to be increased.
+
+Reported by Meder Kydyraliev <meder at o0o.nu>
+
+Signed-off-by: Pavel Roskin <proski at gnu.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/net/wireless/orinoco.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+Backported to Debian's 2.6.8 by Horms
+
+--- from-0001/drivers/net/wireless/orinoco.c
++++ to-0003/drivers/net/wireless/orinoco.c	2005-10-11 15:26:22.000000000 +0900
+@@ -2358,9 +2358,14 @@ orinoco_xmit(struct sk_buff *skb, struct
+ 		return 0;
+ 	}
+ 
+-	/* Length of the packet body */
+-	/* FIXME: what if the skb is smaller than this? */
+-	len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
++	/* Check packet length, pad short packets, round up odd length */
++	len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
++	if (skb->len < len) {
++		skb = skb_padto(skb, len);
++		if (skb == NULL)
++			goto fail;
++	}
++	len -= ETH_HLEN;
+ 
+ 	eh = (struct ethhdr *)skb->data;
+ 
+@@ -2411,7 +2416,8 @@ orinoco_xmit(struct sk_buff *skb, struct
+ 	}
+ 
+ 	/* Round up for odd length packets */
+-	err = hermes_bap_pwrite(hw, USER_BAP, p, RUP_EVEN(data_len), txfid, data_off);
++	err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
++				txfid, data_off);
+ 	if (err) {
+ 		printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
+ 		       dev->name, err);
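
Review bot: in the orinoco_xmit() padding block, a failed skb_padto() leaves skb == NULL and jumps to fail, but the fail label is outside the visible lines; confirm that path neither dereferences nor frees skb and returns a value that keeps the stack from requeueing the packet. The context comment "Round up for odd length packets" above hermes_bap_pwrite() is stale now that RUP_EVEN() is gone and the rounding happens earlier via ALIGN(skb->len, 2); update or drop it, and check that data_len is always derived from the now-even len. The header says "Backported to Debian's 2.6.8" although this file is added under kernel-source-2.4.27, so the note should name the tree the backport was built against. Neither ALIGN() nor skb_padto() is defined in these lines, so confirm both are available in 2.4.27.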

Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/193_plug-names_cache-memleak.diff
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/193_plug-names_cache-memleak.diff	2005-10-11 10:28:05 UTC (rev 4405)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/193_plug-names_cache-memleak.diff	2005-10-11 10:34:06 UTC (rev 4406)
@@ -0,0 +1,51 @@
+From: Linus Torvalds <torvalds at osdl.org>
+Date: Fri, 7 Oct 2005 04:54:21 +0000 (-0700)
+Subject: [PATCH] Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
+
+Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
+
+The nameidata "last.name" is always allocated with "__getname()", and
+should always be free'd with "__putname()".
+
+Using "putname()" without the underscores will leak memory, because the
+allocation will have been hidden from the AUDITSYSCALL code.
+
+Arguably the real bug is that the AUDITSYSCALL code is really broken,
+but in the meantime this fixes the problem people see.
+
+Reported by Robert Derr, patch by Rick Lindsley.
+
+Acked-by: Al Viro <viro at ftp.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ fs/namei.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Backported to Debian's 2.4.27 by Horms
+
+--- from-0001/fs/namei.c
++++ to-work/fs/namei.c	2005-10-11 18:23:56.000000000 +0900
+@@ -1198,18 +1198,18 @@ do_link:
+ 	if (nd->last_type != LAST_NORM)
+ 		goto exit;
+ 	if (nd->last.name[nd->last.len]) {
+-		putname(nd->last.name);
++		__putname(nd->last.name);
+ 		goto exit;
+ 	}
+ 	error = -ELOOP;
+ 	if (count++==32) {
+-		putname(nd->last.name);
++		__putname(nd->last.name);
+ 		goto exit;
+ 	}
+ 	dir = nd->dentry;
+ 	down(&dir->d_inode->i_sem);
+ 	dentry = lookup_hash(&nd->last, nd->dentry);
+-	putname(nd->last.name);
++	__putname(nd->last.name);
+ 	goto do_last;
+ }
+ 
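
Review bot: all three call sites in do_link switch to __putname(), but nothing in the hunk shows that __putname() is defined in the 2.4.27 tree or that it differs from putname() there; the upstream rationale depends on the CONFIG_AUDITSYSCALL code hooking putname(). Confirm both against the 2.4.27 headers, and if the two are equivalent in this tree, say in the changelog that the change is for consistency with upstream rather than a leak fix.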

Modified: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12	2005-10-11 10:28:05 UTC (rev 4405)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12	2005-10-11 10:34:06 UTC (rev 4406)
@@ -8,3 +8,5 @@
 - 143_outs.diff
 + 190_outs-2.diff
 + 191_build_foo.diff
++ 192_orinoco-info-leak.diff
++ 193_plug-names_cache-memleak.diff



