[kernel] r5471 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at costa.debian.org
Mon Jan 16 22:32:27 UTC 2006 

Author: dannf
Date: Mon Jan 16 22:32:25 2006
New Revision: 5471

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mqueue-double-increment.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
Log:
  [SECURITY] fix buffer overflow (underflow, really) that opens multiple
* mqueue-double-increment.dpatch:
  [SECURITY] Fix double increment of mqueue_mnt->mnt_count in sys_mq_open.
  See CVE-2005-3356

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Mon Jan 16 22:32:25 2006
@@ -162,11 +162,15 @@
     See CVE-2005-0124
 
   * io_edgeport_overflow.dpatch:
-    [SECURITY] fix buffer overflow (underflow, really) that opens multiple 
+    [SECURITY] fix buffer overflow (underflow, really) that opens multiple
     attack vectors.
     See CVE-2004-1017
 
- -- dann frazier <dannf at debian.org>  Sun,  8 Jan 2006 18:02:38 -0700
+  * mqueue-double-increment.dpatch:
+    [SECURITY] Fix double increment of mqueue_mnt->mnt_count in sys_mq_open.
+    See CVE-2005-3356
+
+ -- dann frazier <dannf at debian.org>  Mon, 16 Jan 2006 15:29:26 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mqueue-double-increment.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mqueue-double-increment.dpatch	Mon Jan 16 22:32:25 2006
@@ -0,0 +1,137 @@
+From: Alexander Viro <aviro at redhat.com>
+Date: Sat, 14 Jan 2006 20:29:55 +0000 (-0500)
+Subject: [PATCH] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open
+X-Git-Url: http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7c7dce9209161eb260cdf9e9172f72c3a02379e6
+
+[PATCH] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open
+
+Fixed the refcounting on failure exits in sys_mq_open() and
+cleaned the logics up.  Rules are actually pretty simple - dentry_open()
+expects vfsmount and dentry to be pinned down and it either transfers
+them into created struct file or drops them.  Old code had been very
+confused in that area - if dentry_open() had failed either in do_open()
+or do_create(), we ended up dentry and mqueue_mnt dropped twice, once
+by dentry_open() cleanup and then by sys_mq_open().
+
+Fix consists of making the rules for do_create() and do_open()
+same as for dentry_open() and updating the sys_mq_open() accordingly;
+that actually leads to more straightforward code and less work on
+normal path.
+
+Signed-off-by: Al Viro <aviro at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -599,15 +599,16 @@ static int mq_attr_ok(struct mq_attr *at
+ static struct file *do_create(struct dentry *dir, struct dentry *dentry,
+ 			int oflag, mode_t mode, struct mq_attr __user *u_attr)
+ {
+-	struct file *filp;
+ 	struct mq_attr attr;
+ 	int ret;
+ 
+-	if (u_attr != NULL) {
++	if (u_attr) {
++		ret = -EFAULT;
+ 		if (copy_from_user(&attr, u_attr, sizeof(attr)))
+-			return ERR_PTR(-EFAULT);
++			goto out;
++		ret = -EINVAL;
+ 		if (!mq_attr_ok(&attr))
+-			return ERR_PTR(-EINVAL);
++			goto out;
+ 		/* store for use during create */
+ 		dentry->d_fsdata = &attr;
+ 	}
+@@ -616,13 +617,14 @@ static struct file *do_create(struct den
+ 	ret = vfs_create(dir->d_inode, dentry, mode, NULL);
+ 	dentry->d_fsdata = NULL;
+ 	if (ret)
+-		return ERR_PTR(ret);
++		goto out;
+ 
+-	filp = dentry_open(dentry, mqueue_mnt, oflag);
+-	if (!IS_ERR(filp))
+-		dget(dentry);
++	return dentry_open(dentry, mqueue_mnt, oflag);
+ 
+-	return filp;
++out:
++	dput(dentry);
++	mntput(mqueue_mnt);
++	return ERR_PTR(ret);
+ }
+ 
+ /* Opens existing queue */
+@@ -630,20 +632,20 @@ static struct file *do_open(struct dentr
+ {
+ static int oflag2acc[O_ACCMODE] = { MAY_READ, MAY_WRITE,
+ 					MAY_READ | MAY_WRITE };
+-	struct file *filp;
+ 
+-	if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY))
++	if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY)) {
++		dput(dentry);
++		mntput(mqueue_mnt);
+ 		return ERR_PTR(-EINVAL);
++	}
+ 
+-	if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL))
++	if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL)) {
++		dput(dentry);
++		mntput(mqueue_mnt);
+ 		return ERR_PTR(-EACCES);
++	}
+ 
+-	filp = dentry_open(dentry, mqueue_mnt, oflag);
+-
+-	if (!IS_ERR(filp))
+-		dget(dentry);
+-
+-	return filp;
++	return dentry_open(dentry, mqueue_mnt, oflag);
+ }
+ 
+ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode,
+@@ -671,17 +673,20 @@ asmlinkage long sys_mq_open(const char _
+ 
+ 	if (oflag & O_CREAT) {
+ 		if (dentry->d_inode) {	/* entry already exists */
+-			filp = (oflag & O_EXCL) ? ERR_PTR(-EEXIST) :
+-					do_open(dentry, oflag);
++			error = -EEXIST;
++			if (oflag & O_EXCL)
++				goto out;
++			filp = do_open(dentry, oflag);
+ 		} else {
+ 			filp = do_create(mqueue_mnt->mnt_root, dentry,
+ 						oflag, mode, u_attr);
+ 		}
+-	} else
+-		filp = (dentry->d_inode) ? do_open(dentry, oflag) :
+-					ERR_PTR(-ENOENT);
+-
+-	dput(dentry);
++	} else {
++		error = -ENOENT;
++		if (!dentry->d_inode)
++			goto out;
++		filp = do_open(dentry, oflag);
++	}
+ 
+ 	if (IS_ERR(filp)) {
+ 		error = PTR_ERR(filp);
+@@ -692,8 +697,10 @@ asmlinkage long sys_mq_open(const char _
+ 	fd_install(fd, filp);
+ 	goto out_upsem;
+ 
+-out_putfd:
++out:
++	dput(dentry);
+ 	mntput(mqueue_mnt);
++out_putfd:
+ 	put_unused_fd(fd);
+ out_err:
+ 	fd = error;

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	Mon Jan 16 22:32:25 2006
@@ -30,3 +30,4 @@
 + async-urb-delivery-oops-2.dpatch
 + fs_coda_coverty.dpatch
 + io_edgeport_overflow.dpatch
++ mqueue-double-increment.dpatch

More information about the Kernel-svn-changes mailing list