[kernel] r8945 - in dists/sid/linux-2.6/debian: . patches/bugfix patches/series
Maximilian Attems
maks at alioth.debian.org
Fri Jun 8 14:37:46 UTC 2007
Author: maks
Date: Fri Jun 8 14:37:45 2007
New Revision: 8945
Log:
add stable 2.6.21.4
.5 expected on monday
Added:
dists/sid/linux-2.6/debian/patches/bugfix/2.6.21.4
dists/sid/linux-2.6/debian/patches/series/5
Modified:
dists/sid/linux-2.6/debian/changelog
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog (original)
+++ dists/sid/linux-2.6/debian/changelog Fri Jun 8 14:37:45 2007
@@ -1,8 +1,17 @@
linux-2.6 (2.6.21-5) UNRELEASED; urgency=low
+ [ Christian T. Steigies ]
* [m68k] Add atari isa and scsi fixes
- -- Christian T. Steigies <cts at debian.org> Sun, 27 May 2007 23:00:17 +0200
+ [ maximilian attems ]
+ * Add stable release 2.6.21.4:
+ - cpuset: prevent information leak in cpuset_tasks_read (CVE-2007-2875)
+ - random: fix error in entropy extraction (CVE-2007-2453 1 of 2)
+ - random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)
+ - NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr
+ dereference (CVE-2007-2876)
+
+ -- maximilian attems <maks at debian.org> Fri, 08 Jun 2007 16:32:36 +0200
linux-2.6 (2.6.21-4) unstable; urgency=low
Added: dists/sid/linux-2.6/debian/patches/bugfix/2.6.21.4
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/2.6.21.4 Fri Jun 8 14:37:45 2007
@@ -0,0 +1,161 @@
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index b9dc7aa..fa5b95b 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -760,7 +760,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
+
+ static void extract_buf(struct entropy_store *r, __u8 *out)
+ {
+- int i, x;
++ int i;
+ __u32 data[16], buf[5 + SHA_WORKSPACE_WORDS];
+
+ sha_init(buf);
+@@ -772,9 +772,11 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ * attempts to find previous ouputs), unless the hash
+ * function can be inverted.
+ */
+- for (i = 0, x = 0; i < r->poolinfo->poolwords; i += 16, x+=2) {
+- sha_transform(buf, (__u8 *)r->pool+i, buf + 5);
+- add_entropy_words(r, &buf[x % 5], 1);
++ for (i = 0; i < r->poolinfo->poolwords; i += 16) {
++ /* hash blocks of 16 words = 512 bits */
++ sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
++ /* feed back portion of the resulting hash */
++ add_entropy_words(r, &buf[i % 5], 1);
+ }
+
+ /*
+@@ -782,7 +784,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ * portion of the pool while mixing, and hash one
+ * final time.
+ */
+- __add_entropy_words(r, &buf[x % 5], 1, data);
++ __add_entropy_words(r, &buf[i % 5], 1, data);
+ sha_transform(buf, (__u8 *)data, buf + 5);
+
+ /*
+@@ -1022,37 +1024,44 @@ random_poll(struct file *file, poll_table * wait)
+ return mask;
+ }
+
+-static ssize_t
+-random_write(struct file * file, const char __user * buffer,
+- size_t count, loff_t *ppos)
++static int
++write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
+ {
+- int ret = 0;
+ size_t bytes;
+ __u32 buf[16];
+ const char __user *p = buffer;
+- size_t c = count;
+
+- while (c > 0) {
+- bytes = min(c, sizeof(buf));
++ while (count > 0) {
++ bytes = min(count, sizeof(buf));
++ if (copy_from_user(&buf, p, bytes))
++ return -EFAULT;
+
+- bytes -= copy_from_user(&buf, p, bytes);
+- if (!bytes) {
+- ret = -EFAULT;
+- break;
+- }
+- c -= bytes;
++ count -= bytes;
+ p += bytes;
+
+- add_entropy_words(&input_pool, buf, (bytes + 3) / 4);
+- }
+- if (p == buffer) {
+- return (ssize_t)ret;
+- } else {
+- struct inode *inode = file->f_path.dentry->d_inode;
+- inode->i_mtime = current_fs_time(inode->i_sb);
+- mark_inode_dirty(inode);
+- return (ssize_t)(p - buffer);
++ add_entropy_words(r, buf, (bytes + 3) / 4);
+ }
++
++ return 0;
++}
++
++static ssize_t
++random_write(struct file * file, const char __user * buffer,
++ size_t count, loff_t *ppos)
++{
++ size_t ret;
++ struct inode *inode = file->f_path.dentry->d_inode;
++
++ ret = write_pool(&blocking_pool, buffer, count);
++ if (ret)
++ return ret;
++ ret = write_pool(&nonblocking_pool, buffer, count);
++ if (ret)
++ return ret;
++
++ inode->i_mtime = current_fs_time(inode->i_sb);
++ mark_inode_dirty(inode);
++ return (ssize_t)count;
+ }
+
+ static int
+@@ -1091,8 +1100,8 @@ random_ioctl(struct inode * inode, struct file * file,
+ return -EINVAL;
+ if (get_user(size, p++))
+ return -EFAULT;
+- retval = random_write(file, (const char __user *) p,
+- size, &file->f_pos);
++ retval = write_pool(&input_pool, (const char __user *)p,
++ size);
+ if (retval < 0)
+ return retval;
+ credit_entropy_store(&input_pool, ent_count);
+diff --git a/kernel/cpuset.c b/kernel/cpuset.c
+index f382b0f..9e45dd1 100644
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -1751,12 +1751,7 @@ static ssize_t cpuset_tasks_read(struct file *file, char __user *buf,
+ {
+ struct ctr_struct *ctr = file->private_data;
+
+- if (*ppos + nbytes > ctr->bufsz)
+- nbytes = ctr->bufsz - *ppos;
+- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
+- return -EFAULT;
+- *ppos += nbytes;
+- return nbytes;
++ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
+ }
+
+ static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
+diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+index e694299..b86479a 100644
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -460,7 +460,8 @@ static int sctp_new(struct ip_conntrack *conntrack,
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
+diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
+index 3c80558..b53bc64 100644
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -469,7 +469,8 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
Added: dists/sid/linux-2.6/debian/patches/series/5
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/series/5 Fri Jun 8 14:37:45 2007
@@ -0,0 +1 @@
++ bugfix/2.6.21.4
More information about the Kernel-svn-changes
mailing list