[kernel] r6569 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Mon May 15 23:06:46 UTC 2006 

Author: dannf
Date: Mon May 15 23:06:45 2006
New Revision: 6569

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts-pre.dpatch
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts.dpatch
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog

Log:
* net-protocol-mod-refcounts-pre.dpatch, net-protocol-mod-refcounts.dpatch
  [SECURITY] Fix potential DoS (panic) cause by inconsistent reference
  counting in network protocol modules.
  See CAN-2005-3359

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Mon May 15 23:06:45 2006
@@ -1,3 +1,12 @@
+kernel-source-2.6.8 (2.6.8-16sarge3) UNRELEASED; urgency=high
+
+  * net-protocol-mod-refcounts-pre.dpatch, net-protocol-mod-refcounts.dpatch
+    [SECURITY] Fix potential DoS (panic) cause by inconsistent reference
+    counting in network protocol modules.
+    See CAN-2005-3359
+
+ -- dann frazier <dannf at debian.org>  Mon, 15 May 2006 18:06:05 -0500
+
 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
 
   [ Simon Horman ]

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts-pre.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts-pre.dpatch	Mon May 15 23:06:45 2006
@@ -0,0 +1,29 @@
+diff -Naru a/net/core/sock.c b/net/core/sock.c
+--- a/net/core/sock.c	2006-03-19 16:10:17 -08:00
++++ b/net/core/sock.c	2006-03-19 16:10:17 -08:00
+@@ -641,7 +641,10 @@
+ 		}
+ 		
+ 		if (security_sk_alloc(sk, family, priority)) {
+-			kmem_cache_free(slab, sk);
++			if (slab != NULL)
++				kmem_cache_free(slab, sk);
++			else
++				kfree(sk);
+ 			sk = NULL;
+ 		} else
+ 			__module_get(prot->owner);
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/04/19 22:41:54-07:00 acme at ghostprotocols.net 
+#   [SOCK]: on failure free the sock from the right place
+#   
+#   Signed-off-by: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
+#   Signed-off-by: David S. Miller <davem at davemloft.net>
+#   
+#   GIT: 88a66858253c57334a519a77187234867bc8605c
+# 
+# net/core/sock.c
+#   2005/04/19 22:41:54-07:00 acme at ghostprotocols.net +4 -1
+# 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts.dpatch	Mon May 15 23:06:45 2006
@@ -0,0 +1,112 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/09/27 15:23:38-07:00 ffilzlnx at us.ibm.com 
+#   [NET]: Fix module reference counts for loadable protocol modules
+#   
+#   I have been experimenting with loadable protocol modules, and ran into
+#   several issues with module reference counting.
+#   
+#   The first issue was that __module_get failed at the BUG_ON check at
+#   the top of the routine (checking that my module reference count was
+#   not zero) when I created the first socket. When sk_alloc() is called,
+#   my module reference count was still 0. When I looked at why sctp
+#   didn't have this problem, I discovered that sctp creates a control
+#   socket during module init (when the module ref count is not 0), which
+#   keeps the reference count non-zero. This section has been updated to
+#   address the point Stephen raised about checking the return value of
+#   try_module_get().
+#   
+#   The next problem arose when my socket init routine returned an error.
+#   This resulted in my module reference count being decremented below 0.
+#   My socket ops->release routine was also being called. The issue here
+#   is that sock_release() calls the ops->release routine and decrements
+#   the ref count if sock->ops is not NULL. Since the socket probably
+#   didn't get correctly initialized, this should not be done, so we will
+#   set sock->ops to NULL because we will not call try_module_get().
+#   
+#   While searching for another bug, I also noticed that sys_accept() has
+#   a possibility of doing a module_put() when it did not do an
+#   __module_get so I re-ordered the call to security_socket_accept().
+#   
+#   Signed-off-by: Frank Filz <ffilzlnx at us.ibm.com>
+#   Signed-off-by: David S. Miller <davem at davemloft.net>
+#   
+#   GIT: a79af59efd20990473d579b1d8d70bb120f0920c
+# 
+# net/core/sock.c
+#   2005/09/27 15:23:38-07:00 ffilzlnx at us.ibm.com +12 -8
+# 
+# net/socket.c
+#   2005/09/27 15:23:38-07:00 ffilzlnx at us.ibm.com +8 -5
+# 
+
+#
+# Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+#
+
+diff -urN kernel-source-2.6.8.orig/net/core/sock.c kernel-source-2.6.8/net/core/sock.c
+--- kernel-source-2.6.8.orig/net/core/sock.c	2006-05-14 21:04:59.000000000 -0600
++++ kernel-source-2.6.8/net/core/sock.c	2006-05-15 11:36:35.000000000 -0600
+@@ -624,15 +624,17 @@
+ 		}
+ 		sk->sk_slab = slab;
+ 		
+-		if (security_sk_alloc(sk, family, priority)) {
+-			if (slab != NULL)
+-				kmem_cache_free(slab, sk);
+-			else
+-				kfree(sk);
+-			sk = NULL;
+-		}
++		if (security_sk_alloc(sk, family, priority))
++			goto out_free;
+ 	}
+ 	return sk;
++
++out_free:
++	if (slab != NULL)
++		kmem_cache_free(slab, sk);
++	else
++		kfree(sk);
++	return NULL;
+ }
+ 
+ void sk_free(struct sock *sk)
+diff -urN kernel-source-2.6.8.orig/net/socket.c kernel-source-2.6.8/net/socket.c
+--- kernel-source-2.6.8.orig/net/socket.c	2006-05-14 21:05:00.000000000 -0600
++++ kernel-source-2.6.8/net/socket.c	2006-05-14 21:07:01.000000000 -0600
+@@ -1146,8 +1146,11 @@
+ 	if (!try_module_get(net_families[family]->owner))
+ 		goto out_release;
+ 
+-	if ((i = net_families[family]->create(sock, protocol)) < 0)
++	if ((i = net_families[family]->create(sock, protocol)) < 0) {
++		sock->ops = NULL;
+ 		goto out_module_put;
++	}
++
+ 	/*
+ 	 * Now to bump the refcnt of the [loadable] module that owns this
+ 	 * socket at sock_release time we decrement its refcnt.
+@@ -1361,16 +1364,16 @@
+ 	newsock->type = sock->type;
+ 	newsock->ops = sock->ops;
+ 
+-	err = security_socket_accept(sock, newsock);
+-	if (err)
+-		goto out_release;
+-
+ 	/*
+ 	 * We don't need try_module_get here, as the listening socket (sock)
+ 	 * has the protocol module (sock->ops->owner) held.
+ 	 */
+ 	__module_get(newsock->ops->owner);
+ 
++	err = security_socket_accept(sock, newsock);
++	if (err)
++		goto out_release;
++
+ 	err = sock->ops->accept(sock, newsock, sock->file->f_flags);
+ 	if (err < 0)
+ 		goto out_release;

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	Mon May 15 23:06:45 2006
@@ -0,0 +1,2 @@
++ net-protocol-mod-refcounts-pre.dpatch
++ net-protocol-mod-refcounts.dpatch

More information about the Kernel-svn-changes mailing list