[kernel] r6569 - in
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian:
patches patches/series
Dann Frazier
dannf at costa.debian.org
Mon May 15 23:06:46 UTC 2006
Author: dannf
Date: Mon May 15 23:06:45 2006
New Revision: 6569
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts-pre.dpatch
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts.dpatch
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
Log:
* net-protocol-mod-refcounts-pre.dpatch, net-protocol-mod-refcounts.dpatch
[SECURITY] Fix potential DoS (panic) caused by inconsistent reference
counting in network protocol modules.
See CAN-2005-3359
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Mon May 15 23:06:45 2006
@@ -1,3 +1,12 @@
+kernel-source-2.6.8 (2.6.8-16sarge3) UNRELEASED; urgency=high
+
+ * net-protocol-mod-refcounts-pre.dpatch, net-protocol-mod-refcounts.dpatch
+ [SECURITY] Fix potential DoS (panic) cause by inconsistent reference
+ counting in network protocol modules.
+ See CAN-2005-3359
+
+ -- dann frazier <dannf at debian.org> Mon, 15 May 2006 18:06:05 -0500
+
kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
[ Simon Horman ]
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts-pre.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts-pre.dpatch Mon May 15 23:06:45 2006
@@ -0,0 +1,29 @@
+diff -Naru a/net/core/sock.c b/net/core/sock.c
+--- a/net/core/sock.c 2006-03-19 16:10:17 -08:00
++++ b/net/core/sock.c 2006-03-19 16:10:17 -08:00
+@@ -641,7 +641,10 @@
+ }
+
+ if (security_sk_alloc(sk, family, priority)) {
+- kmem_cache_free(slab, sk);
++ if (slab != NULL)
++ kmem_cache_free(slab, sk);
++ else
++ kfree(sk);
+ sk = NULL;
+ } else
+ __module_get(prot->owner);
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/04/19 22:41:54-07:00 acme at ghostprotocols.net
+# [SOCK]: on failure free the sock from the right place
+#
+# Signed-off-by: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
+# Signed-off-by: David S. Miller <davem at davemloft.net>
+#
+# GIT: 88a66858253c57334a519a77187234867bc8605c
+#
+# net/core/sock.c
+# 2005/04/19 22:41:54-07:00 acme at ghostprotocols.net +4 -1
+#
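Review bot: The trailing context of this patch (`} else` followed by `__module_get(prot->owner);`) does not match the 2.6.8 pre-image that net-protocol-mod-refcounts.dpatch removes, where `sk = NULL;` is followed by a plain `}`. The hunk offset also differs, 641 here against 624 in the backport. It looks like the upstream changeset was taken verbatim, so it presumably applies only with fuzz. Regenerating it against the Debian 2.6.8 tree would make the series apply exactly and rule out a fuzzy match placing the `kfree(sk)` branch in the wrong spot of a security update. The enclosing function starts and ends outside the inner hunk.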
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/net-protocol-mod-refcounts.dpatch Mon May 15 23:06:45 2006
@@ -0,0 +1,112 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/09/27 15:23:38-07:00 ffilzlnx at us.ibm.com
+# [NET]: Fix module reference counts for loadable protocol modules
+#
+# I have been experimenting with loadable protocol modules, and ran into
+# several issues with module reference counting.
+#
+# The first issue was that __module_get failed at the BUG_ON check at
+# the top of the routine (checking that my module reference count was
+# not zero) when I created the first socket. When sk_alloc() is called,
+# my module reference count was still 0. When I looked at why sctp
+# didn't have this problem, I discovered that sctp creates a control
+# socket during module init (when the module ref count is not 0), which
+# keeps the reference count non-zero. This section has been updated to
+# address the point Stephen raised about checking the return value of
+# try_module_get().
+#
+# The next problem arose when my socket init routine returned an error.
+# This resulted in my module reference count being decremented below 0.
+# My socket ops->release routine was also being called. The issue here
+# is that sock_release() calls the ops->release routine and decrements
+# the ref count if sock->ops is not NULL. Since the socket probably
+# didn't get correctly initialized, this should not be done, so we will
+# set sock->ops to NULL because we will not call try_module_get().
+#
+# While searching for another bug, I also noticed that sys_accept() has
+# a possibility of doing a module_put() when it did not do an
+# __module_get so I re-ordered the call to security_socket_accept().
+#
+# Signed-off-by: Frank Filz <ffilzlnx at us.ibm.com>
+# Signed-off-by: David S. Miller <davem at davemloft.net>
+#
+# GIT: a79af59efd20990473d579b1d8d70bb120f0920c
+#
+# net/core/sock.c
+# 2005/09/27 15:23:38-07:00 ffilzlnx at us.ibm.com +12 -8
+#
+# net/socket.c
+# 2005/09/27 15:23:38-07:00 ffilzlnx at us.ibm.com +8 -5
+#
+
+#
+# Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+#
+
+diff -urN kernel-source-2.6.8.orig/net/core/sock.c kernel-source-2.6.8/net/core/sock.c
+--- kernel-source-2.6.8.orig/net/core/sock.c 2006-05-14 21:04:59.000000000 -0600
++++ kernel-source-2.6.8/net/core/sock.c 2006-05-15 11:36:35.000000000 -0600
+@@ -624,15 +624,17 @@
+ }
+ sk->sk_slab = slab;
+
+- if (security_sk_alloc(sk, family, priority)) {
+- if (slab != NULL)
+- kmem_cache_free(slab, sk);
+- else
+- kfree(sk);
+- sk = NULL;
+- }
++ if (security_sk_alloc(sk, family, priority))
++ goto out_free;
+ }
+ return sk;
++
++out_free:
++ if (slab != NULL)
++ kmem_cache_free(slab, sk);
++ else
++ kfree(sk);
++ return NULL;
+ }
+
+ void sk_free(struct sock *sk)
+diff -urN kernel-source-2.6.8.orig/net/socket.c kernel-source-2.6.8/net/socket.c
+--- kernel-source-2.6.8.orig/net/socket.c 2006-05-14 21:05:00.000000000 -0600
++++ kernel-source-2.6.8/net/socket.c 2006-05-14 21:07:01.000000000 -0600
+@@ -1146,8 +1146,11 @@
+ if (!try_module_get(net_families[family]->owner))
+ goto out_release;
+
+- if ((i = net_families[family]->create(sock, protocol)) < 0)
++ if ((i = net_families[family]->create(sock, protocol)) < 0) {
++ sock->ops = NULL;
+ goto out_module_put;
++ }
++
+ /*
+ * Now to bump the refcnt of the [loadable] module that owns this
+ * socket at sock_release time we decrement its refcnt.
+@@ -1361,16 +1364,16 @@
+ newsock->type = sock->type;
+ newsock->ops = sock->ops;
+
+- err = security_socket_accept(sock, newsock);
+- if (err)
+- goto out_release;
+-
+ /*
+ * We don't need try_module_get here, as the listening socket (sock)
+ * has the protocol module (sock->ops->owner) held.
+ */
+ __module_get(newsock->ops->owner);
+
++ err = security_socket_accept(sock, newsock);
++ if (err)
++ goto out_release;
++
+ err = sock->ops->accept(sock, newsock, sock->file->f_flags);
+ if (err < 0)
+ goto out_release;
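Review bot: The backported net/core/sock.c hunk only moves the existing free-on-failure code under an `out_free` label and adds no `try_module_get()` check, although the header text names a `__module_get` BUG_ON during sk_alloc() as the first issue. The pre-image shown has no `prot->owner` reference, so presumably that part does not apply to 2.6.8 and was dropped on purpose. The `Backported to Debian's 2.6.8` note should say so, e.g. `# 2.6.8 sk_alloc() takes no protocol module reference; only the net/socket.c hunks change behaviour`. In the create() failure path a short comment on `sock->ops = NULL;` would help, such as `/* create() failed: keep sock_release() from calling ops->release and module_put() */`. The functions touched continue outside the inner hunks.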
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 Mon May 15 23:06:45 2006
@@ -0,0 +1,2 @@
++ net-protocol-mod-refcounts-pre.dpatch
++ net-protocol-mod-refcounts.dpatch