[kernel] r8945 - in dists/sid/linux-2.6/debian: . patches/bugfix patches/series

Maximilian Attems maks at alioth.debian.org
Fri Jun 8 14:37:46 UTC 2007


Author: maks
Date: Fri Jun  8 14:37:45 2007
New Revision: 8945

Log:
add stable 2.6.21.4
.5 expected on monday


Added:
   dists/sid/linux-2.6/debian/patches/bugfix/2.6.21.4
   dists/sid/linux-2.6/debian/patches/series/5
Modified:
   dists/sid/linux-2.6/debian/changelog

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Fri Jun  8 14:37:45 2007
@@ -1,8 +1,17 @@
 linux-2.6 (2.6.21-5) UNRELEASED; urgency=low
 
+  [ Christian T. Steigies ]
   * [m68k] Add atari isa and scsi fixes
 
- -- Christian T. Steigies <cts at debian.org>  Sun, 27 May 2007 23:00:17 +0200
+  [ maximilian attems ]
+  * Add stable release 2.6.21.4:
+    - cpuset: prevent information leak in cpuset_tasks_read (CVE-2007-2875)
+    - random: fix error in entropy extraction (CVE-2007-2453 1 of 2)
+    - random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)
+    - NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr
+      dereference (CVE-2007-2876)
+
+ -- maximilian attems <maks at debian.org>  Fri, 08 Jun 2007 16:32:36 +0200
 
 linux-2.6 (2.6.21-4) unstable; urgency=low
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/2.6.21.4
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/2.6.21.4	Fri Jun  8 14:37:45 2007
@@ -0,0 +1,161 @@
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index b9dc7aa..fa5b95b 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -760,7 +760,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
+ 
+ static void extract_buf(struct entropy_store *r, __u8 *out)
+ {
+-	int i, x;
++	int i;
+ 	__u32 data[16], buf[5 + SHA_WORKSPACE_WORDS];
+ 
+ 	sha_init(buf);
+@@ -772,9 +772,11 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ 	 * attempts to find previous ouputs), unless the hash
+ 	 * function can be inverted.
+ 	 */
+-	for (i = 0, x = 0; i < r->poolinfo->poolwords; i += 16, x+=2) {
+-		sha_transform(buf, (__u8 *)r->pool+i, buf + 5);
+-		add_entropy_words(r, &buf[x % 5], 1);
++	for (i = 0; i < r->poolinfo->poolwords; i += 16) {
++		/* hash blocks of 16 words = 512 bits */
++		sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
++		/* feed back portion of the resulting hash */
++		add_entropy_words(r, &buf[i % 5], 1);
+ 	}
+ 
+ 	/*
+@@ -782,7 +784,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ 	 * portion of the pool while mixing, and hash one
+ 	 * final time.
+ 	 */
+-	__add_entropy_words(r, &buf[x % 5], 1, data);
++	__add_entropy_words(r, &buf[i % 5], 1, data);
+ 	sha_transform(buf, (__u8 *)data, buf + 5);
+ 
+ 	/*
+@@ -1022,37 +1024,44 @@ random_poll(struct file *file, poll_table * wait)
+ 	return mask;
+ }
+ 
+-static ssize_t
+-random_write(struct file * file, const char __user * buffer,
+-	     size_t count, loff_t *ppos)
++static int
++write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
+ {
+-	int ret = 0;
+ 	size_t bytes;
+ 	__u32 buf[16];
+ 	const char __user *p = buffer;
+-	size_t c = count;
+ 
+-	while (c > 0) {
+-		bytes = min(c, sizeof(buf));
++	while (count > 0) {
++		bytes = min(count, sizeof(buf));
++		if (copy_from_user(&buf, p, bytes))
++			return -EFAULT;
+ 
+-		bytes -= copy_from_user(&buf, p, bytes);
+-		if (!bytes) {
+-			ret = -EFAULT;
+-			break;
+-		}
+-		c -= bytes;
++		count -= bytes;
+ 		p += bytes;
+ 
+-		add_entropy_words(&input_pool, buf, (bytes + 3) / 4);
+-	}
+-	if (p == buffer) {
+-		return (ssize_t)ret;
+-	} else {
+-		struct inode *inode = file->f_path.dentry->d_inode;
+-	        inode->i_mtime = current_fs_time(inode->i_sb);
+-		mark_inode_dirty(inode);
+-		return (ssize_t)(p - buffer);
++		add_entropy_words(r, buf, (bytes + 3) / 4);
+ 	}
++
++	return 0;
++}
++
++static ssize_t
++random_write(struct file * file, const char __user * buffer,
++	     size_t count, loff_t *ppos)
++{
++	size_t ret;
++	struct inode *inode = file->f_path.dentry->d_inode;
++
++	ret = write_pool(&blocking_pool, buffer, count);
++	if (ret)
++		return ret;
++	ret = write_pool(&nonblocking_pool, buffer, count);
++	if (ret)
++		return ret;
++
++	inode->i_mtime = current_fs_time(inode->i_sb);
++	mark_inode_dirty(inode);
++	return (ssize_t)count;
+ }
+ 
+ static int
+@@ -1091,8 +1100,8 @@ random_ioctl(struct inode * inode, struct file * file,
+ 			return -EINVAL;
+ 		if (get_user(size, p++))
+ 			return -EFAULT;
+-		retval = random_write(file, (const char __user *) p,
+-				      size, &file->f_pos);
++		retval = write_pool(&input_pool, (const char __user *)p,
++				    size);
+ 		if (retval < 0)
+ 			return retval;
+ 		credit_entropy_store(&input_pool, ent_count);
+diff --git a/kernel/cpuset.c b/kernel/cpuset.c
+index f382b0f..9e45dd1 100644
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -1751,12 +1751,7 @@ static ssize_t cpuset_tasks_read(struct file *file, char __user *buf,
+ {
+ 	struct ctr_struct *ctr = file->private_data;
+ 
+-	if (*ppos + nbytes > ctr->bufsz)
+-		nbytes = ctr->bufsz - *ppos;
+-	if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
+-		return -EFAULT;
+-	*ppos += nbytes;
+-	return nbytes;
++	return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
+ }
+ 
+ static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
+diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+index e694299..b86479a 100644
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -460,7 +460,8 @@ static int sctp_new(struct ip_conntrack *conntrack,
+ 						SCTP_CONNTRACK_NONE, sch->type);
+ 
+ 		/* Invalid: delete conntrack */
+-		if (newconntrack == SCTP_CONNTRACK_MAX) {
++		if (newconntrack == SCTP_CONNTRACK_NONE ||
++		    newconntrack == SCTP_CONNTRACK_MAX) {
+ 			DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+ 			return 0;
+ 		}
+diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
+index 3c80558..b53bc64 100644
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -469,7 +469,8 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
+ 					 SCTP_CONNTRACK_NONE, sch->type);
+ 
+ 		/* Invalid: delete conntrack */
+-		if (newconntrack == SCTP_CONNTRACK_MAX) {
++		if (newconntrack == SCTP_CONNTRACK_NONE ||
++		    newconntrack == SCTP_CONNTRACK_MAX) {
+ 			DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+ 			return 0;
+ 		}
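Review bot: In the drivers/char/random.c part of this added patch, the new `random_write` stores the `int` result of `write_pool` in `size_t ret`, so `-EFAULT` is carried as a large unsigned value and only becomes negative again through the implicit conversion to `ssize_t` on return. Declaring it `int ret;` would keep the error path signed throughout. `random_write` also copies the same user buffer twice, once for `blocking_pool` and once for `nonblocking_pool`, so the two pools can see different bytes if the writer changes the buffer between copies, and a fault on the second pass returns `-EFAULT` after the first pool has already been mixed. That appears harmless because this path credits no entropy, but a comment above `write_pool` such as `/* mixes user data into r without crediting entropy; returns 0 or -EFAULT */` would make the contract explicit for the `RNDADDENTROPY` caller, which does credit entropy afterwards.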

Added: dists/sid/linux-2.6/debian/patches/series/5
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/series/5	Fri Jun  8 14:37:45 2007
@@ -0,0 +1 @@
++ bugfix/2.6.21.4


