[kernel] r11431 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 21 07:16:36 UTC 2008


Author: dannf
Date: Wed May 21 07:16:35 2008
New Revision: 11431

Log:
bugfix/hrtimer-prevent-overrun.patch,
bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
[SECURITY] Fix potential infinite loop in hrtimer_forward on
64-bit systems
See CVE-2007-6712

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/hrtimer-prevent-overrun.patch
   dists/etch-security/linux-2.6/debian/patches/bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/18etch5

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed May 21 07:16:35 2008
@@ -4,8 +4,13 @@
     [SECURITY] Fix remotely-triggerable memory leak in the Simple
     Internet Transition (SIT) code used for IPv6 over IPv4 tunnels
     See CVE-2008-2136
+  * bugfix/hrtimer-prevent-overrun.patch,
+    bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
+    [SECURITY] Fix potential infinite loop in hrtimer_forward on
+    64-bit systems
+    See CVE-2007-6712
 
- -- dann frazier <dannf at debian.org>  Wed, 21 May 2008 00:19:51 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 21 May 2008 01:14:18 -0600
 
 linux-2.6 (2.6.18.dfsg.1-18etch4) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/hrtimer-prevent-overrun.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/hrtimer-prevent-overrun.patch	Wed May 21 07:16:35 2008
@@ -0,0 +1,38 @@
+commit 13788ccc41ceea5893f9c747c59bc0b28f2416c2
+Author: Thomas Gleixner <tglx at linutronix.de>
+Date:   Fri Mar 16 13:38:20 2007 -0800
+
+    [PATCH] hrtimer: prevent overrun DoS in hrtimer_forward()
+    
+    hrtimer_forward() does not check for the possible overflow of
+    timer->expires.  This can happen on 64 bit machines with large interval
+    values and results currently in an endless loop in the softirq because the
+    expiry value becomes negative and therefor the timer is expired all the
+    time.
+    
+    Check for this condition and set the expiry value to the max.  expiry time
+    in the future.  The fix should be applied to stable kernel series as well.
+    
+    Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+    Acked-by: Ingo Molnar <mingo at elte.hu>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
+index ec4cb9f..5e7122d 100644
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -644,6 +644,12 @@ hrtimer_forward(struct hrtimer *timer, ktime_t now, ktime_t interval)
+ 		orun++;
+ 	}
+ 	timer->expires = ktime_add(timer->expires, interval);
++	/*
++	 * Make sure, that the result did not wrap with a very large
++	 * interval.
++	 */
++	if (timer->expires.tv64 < 0)
++		timer->expires = ktime_set(KTIME_SEC_MAX, 0);
+ 
+ 	return orun;
+ }
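Review bot: The wrap check at `if (timer->expires.tv64 < 0)` only guards the final `ktime_add()` in this hunk; the earlier block that ends in `orun++` lies outside the visible context, so it is worth confirming that whatever advances `timer->expires` there cannot overflow in the same way with a very large interval. The clamp also passes `KTIME_SEC_MAX` as the seconds argument to `ktime_set()`, so this patch depends on the companion ktime patch for 32-bit builds, and a line in the patch header saying so would keep the two from being separated in a later backport.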

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch	Wed May 21 07:16:35 2008
@@ -0,0 +1,29 @@
+commit 5379058b718ac6354ba99cc74d10c28d632dc28a
+Author: Thomas Gleixner <tglx at linutronix.de>
+Date:   Fri Mar 16 14:15:57 2007 -0800
+
+    [PATCH] fix MTIME_SEC_MAX on 32-bit
+    
+    The maximum seconds value we can handle on 32bit is LONG_MAX.
+    
+    Cc: Ingo Molnar <mingo at elte.hu>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/ktime.h b/include/linux/ktime.h
+index c68c7ac..248305b 100644
+--- a/include/linux/ktime.h
++++ b/include/linux/ktime.h
+@@ -57,7 +57,11 @@ typedef union {
+ } ktime_t;
+ 
+ #define KTIME_MAX			((s64)~((u64)1 << 63))
+-#define KTIME_SEC_MAX			(KTIME_MAX / NSEC_PER_SEC)
++#if (BITS_PER_LONG == 64)
++# define KTIME_SEC_MAX			(KTIME_MAX / NSEC_PER_SEC)
++#else
++# define KTIME_SEC_MAX			LONG_MAX
++#endif
+ 
+ /*
+  * ktime_t definitions when using the 64-bit scalar representation:
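Review bot: The commit subject and the Debian patch filename say `MTIME_SEC_MAX`, but the macro changed in this hunk is `KTIME_SEC_MAX`, so a search for the macro name will not find this patch; the upstream subject has to stay as committed, but the filename could carry the real name. In the `#else` branch, a short comment stating why the 32-bit limit is `LONG_MAX` would help, since the reason is given only in the commit message and `KTIME_MAX` itself is left unchanged.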

Modified: dists/etch-security/linux-2.6/debian/patches/series/18etch5
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/18etch5	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/18etch5	Wed May 21 07:16:35 2008
@@ -1 +1,3 @@
 + bugfix/sit-missing-kfree_skb-on-pskb_may_pull.patch
++ bugfix/hrtimer-prevent-overrun.patch
++ bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
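Review bot: The two added entries apply `bugfix/hrtimer-prevent-overrun.patch` before `bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch`, although the first one uses `KTIME_SEC_MAX` and the second one corrects that macro for 32-bit. Swapping the two lines would leave the tree correct on 32-bit after each step, which matters if the series is ever bisected or only partially applied.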


