r4406 - in dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Simon Horman
horms at costa.debian.org
Tue Oct 11 10:34:07 UTC 2005
Author: horms
Date: 2005-10-11 10:34:06 +0000 (Tue, 11 Oct 2005)
New Revision: 4406
Added:
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/192_orinoco-info-leak.diff
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/193_plug-names_cache-memleak.diff
Modified:
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12
Log:
* 192_orinoco-info-leak.diff
[SECURITY] orinoco: Information leakage due to incorrect padding
* 193_plug-names_cache-memleak.diff
Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
Modified: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-10-11 10:28:05 UTC (rev 4405)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-10-11 10:34:06 UTC (rev 4406)
@@ -70,8 +70,14 @@
Fix build problems that appear to be caused by recent binutils changes
(closes: #328707)
- -- Simon Horman <horms at debian.org> Thu, 22 Sep 2005 18:55:18 +0900
+ * 192_orinoco-info-leak.diff
+ [SECURITY] orinoco: Information leakage due to incorrect padding
+ * 193_plug-names_cache-memleak.diff
+ Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
+
+ -- Simon Horman <horms at debian.org> Tue, 11 Oct 2005 19:32:30 +0900
+
kernel-source-2.4.27 (2.4.27-11) unstable; urgency=low
[ Simon Horman ]
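Review bot: The new `[SECURITY]` entry for 192_orinoco-info-leak.diff carries no tracking reference, whereas the entry just above it in this hunk ends with `(closes: #328707)`. If a bug number or advisory identifier exists for the orinoco leak, add it to that changelog line so the fix can be traced from the package changelog; the same applies to the 193 entry if a bug was filed for it.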
Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/192_orinoco-info-leak.diff
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/192_orinoco-info-leak.diff 2005-10-11 10:28:05 UTC (rev 4405)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/192_orinoco-info-leak.diff 2005-10-11 10:34:06 UTC (rev 4406)
@@ -0,0 +1,52 @@
+From stable-bounces at linux.kernel.org Tue Oct 4 20:36:20 2005
+Date: Tue, 04 Oct 2005 21:33:10 -0400
+From: Pavel Roskin <proski at gnu.org>
+To: orinoco-devel <orinoco-devel at lists.sourceforge.net>, NetDev <netdev at vger.kernel.org>
+Cc: Meder Kydyraliev <meder at o0o.nu>
+Subject: [PATCH] orinoco: Information leakage due to incorrect padding
+
+The orinoco driver can send uninitialized data exposing random pieces of
+the system memory. This happens because data is not padded with zeroes
+when its length needs to be increased.
+
+Reported by Meder Kydyraliev <meder at o0o.nu>
+
+Signed-off-by: Pavel Roskin <proski at gnu.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/net/wireless/orinoco.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+Backported to Debian's 2.6.8 by Horms
+
+--- from-0001/drivers/net/wireless/orinoco.c
++++ to-0003/drivers/net/wireless/orinoco.c 2005-10-11 15:26:22.000000000 +0900
+@@ -2358,9 +2358,14 @@ orinoco_xmit(struct sk_buff *skb, struct
+ return 0;
+ }
+
+- /* Length of the packet body */
+- /* FIXME: what if the skb is smaller than this? */
+- len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
++ /* Check packet length, pad short packets, round up odd length */
++ len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
++ if (skb->len < len) {
++ skb = skb_padto(skb, len);
++ if (skb == NULL)
++ goto fail;
++ }
++ len -= ETH_HLEN;
+
+ eh = (struct ethhdr *)skb->data;
+
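Review bot: In the new padding block, `goto fail` is taken when `skb_padto()` returns NULL, but the `fail` label lies outside this hunk, so it is not visible whether that path still dereferences or frees the buffer. Please confirm the failure path is safe once `skb` is NULL, since `skb = skb_padto(skb, len);` overwrites the only local pointer to it. It would also help to say in the comment that `len` holds the full frame length until `len -= ETH_HLEN;`, because the removed line computed the body length directly.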
+@@ -2411,7 +2416,8 @@ orinoco_xmit(struct sk_buff *skb, struct
+ }
+
+ /* Round up for odd length packets */
+- err = hermes_bap_pwrite(hw, USER_BAP, p, RUP_EVEN(data_len), txfid, data_off);
++ err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
++ txfid, data_off);
+ if (err) {
+ printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
+ dev->name, err);
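Review bot: The context comment `/* Round up for odd length packets */` stays above the `hermes_bap_pwrite()` call even though this hunk drops `RUP_EVEN(data_len)`, so it no longer describes the line below it. Remove it, or reword it to say the rounding is now done earlier in `orinoco_xmit()` by `ALIGN(skb->len, 2)`. The derivation of `data_len` from `len` is not shown in either hunk, so please confirm it is even on every path that reaches this write. Separately, the patch header says "Backported to Debian's 2.6.8" while the file is added under kernel-source-2.4.27; the header should name the tree this backport targets.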
Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/193_plug-names_cache-memleak.diff
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/193_plug-names_cache-memleak.diff 2005-10-11 10:28:05 UTC (rev 4405)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/193_plug-names_cache-memleak.diff 2005-10-11 10:34:06 UTC (rev 4406)
@@ -0,0 +1,51 @@
+From: Linus Torvalds <torvalds at osdl.org>
+Date: Fri, 7 Oct 2005 04:54:21 +0000 (-0700)
+Subject: [PATCH] Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
+
+Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
+
+The nameidata "last.name" is always allocated with "__getname()", and
+should always be free'd with "__putname()".
+
+Using "putname()" without the underscores will leak memory, because the
+allocation will have been hidden from the AUDITSYSCALL code.
+
+Arguably the real bug is that the AUDITSYSCALL code is really broken,
+but in the meantime this fixes the problem people see.
+
+Reported by Robert Derr, patch by Rick Lindsley.
+
+Acked-by: Al Viro <viro at ftp.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ fs/namei.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Backported to Debian's 2.4.27 by Horms
+
+--- from-0001/fs/namei.c
++++ to-work/fs/namei.c 2005-10-11 18:23:56.000000000 +0900
+@@ -1198,18 +1198,18 @@ do_link:
+ if (nd->last_type != LAST_NORM)
+ goto exit;
+ if (nd->last.name[nd->last.len]) {
+- putname(nd->last.name);
++ __putname(nd->last.name);
+ goto exit;
+ }
+ error = -ELOOP;
+ if (count++==32) {
+- putname(nd->last.name);
++ __putname(nd->last.name);
+ goto exit;
+ }
+ dir = nd->dentry;
+ down(&dir->d_inode->i_sem);
+ dentry = lookup_hash(&nd->last, nd->dentry);
+- putname(nd->last.name);
++ __putname(nd->last.name);
+ goto do_last;
+ }
+
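Review bot: All three replacements in `do_link` call `__putname()`, but nothing in this hunk shows that `__putname()` is defined in the 2.4.27 tree or that `putname()` differs from it there, and the description ties the leak to CONFIG_AUDITSYSCALL. Please confirm the backport builds against this source, and state in the header whether the leak is reachable in 2.4.27 or whether the change is carried for consistency with upstream. A single cleanup label that frees `nd->last.name` before `goto exit` would also avoid repeating the call on the two early-exit paths.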
Modified: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12 2005-10-11 10:28:05 UTC (rev 4405)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12 2005-10-11 10:34:06 UTC (rev 4406)
@@ -8,3 +8,5 @@
- 143_outs.diff
+ 190_outs-2.diff
+ 191_build_foo.diff
++ 192_orinoco-info-leak.diff
++ 193_plug-names_cache-memleak.diff