[kernel] r14053 - in dists/etch/linux-2.6.24: . debian debian/patches/bugfix/all debian/patches/bugfix/all/CVE-2009-0029 debian/patches/bugfix/sparc debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Jul 30 17:35:56 UTC 2009
Author: dannf
Date: Thu Jul 30 17:35:55 2009
New Revision: 14053
Log:
* Merge 2.6.24-6~etchnhalf.8etch2
* e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
* r8169: fix crash when large packets are received (CVE-2009-1389)
* nfs4: fix MAY_EXEC handling (CVE-2009-1630)
* cifs: fix several string conversion issues (CVE-2009-1633)
* [sparc64] Fix crash when reading /proc/iomem w/ heap memory checking
(CVE-2009-1914)
* splice: fix deadlock in ocfs2 (CVE-2009-1961)
* personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
* ecryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)
* ecryptfs: check tag 3 package encrypted size (CVE-2009-2407)
Added:
dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch
- copied unchanged from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch
dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2
- copied, changed from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/series/6~etchnhalf.8etch2
Modified:
dists/etch/linux-2.6.24/ (props changed)
dists/etch/linux-2.6.24/debian/changelog
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/ (props changed)
Modified: dists/etch/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch/linux-2.6.24/debian/changelog Thu Jul 30 17:31:59 2009 (r14052)
+++ dists/etch/linux-2.6.24/debian/changelog Thu Jul 30 17:35:55 2009 (r14053)
@@ -1,3 +1,9 @@
+linux-2.6.24 (2.6.24-6~etchnhalf.10) UNRELEASED; urgency=high
+
+ * Merge 2.6.24-6~etchnhalf.8etch2
+
+ -- dann frazier <dannf at debian.org> Thu, 30 Jul 2009 11:35:00 -0600
+
linux-2.6.24 (2.6.24-6~etchnhalf.9) oldstable; urgency=high
[ Aurelien Jarno ]
@@ -5,6 +11,21 @@
-- dann frazier <dannf at debian.org> Sun, 17 May 2009 23:37:31 -0600
+linux-2.6.24 (2.6.24-6~etchnhalf.8etch2) oldstable-security; urgency=high
+
+ * e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
+ * r8169: fix crash when large packets are received (CVE-2009-1389)
+ * nfs4: fix MAY_EXEC handling (CVE-2009-1630)
+ * cifs: fix several string conversion issues (CVE-2009-1633)
+ * [sparc64] Fix crash when reading /proc/iomem w/ heap memory checking
+ (CVE-2009-1914)
+ * splice: fix deadlock in ocfs2 (CVE-2009-1961)
+ * personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
+ * ecryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)
+ * ecryptfs: check tag 3 package encrypted size (CVE-2009-2407)
+
+ -- dann frazier <dannf at debian.org> Sat, 25 Jul 2009 15:38:54 -0600
+
linux-2.6.24 (2.6.24-6~etchnhalf.8etch1) oldstable-security; urgency=high
* Fix DoS when calling svc_listen twice on the same socket while reading
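Review bot: the bullet `ecryptfs: check tag 3 package encrypted size` drops the word `key` that the patch file name and its own description use (`encrypted key size`), and `package` reads as a typo for `packet`, which is what the patch description says. Cosmetic, but this entry is what the advisory text gets derived from, so it is worth matching the patch wording.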
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch)
@@ -0,0 +1,116 @@
+commit 27b87fe52baba0a55e9723030e76fce94fabcea4
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Tue Apr 14 11:00:53 2009 -0400
+
+ cifs: fix unicode string area word alignment in session setup
+
+ The handling of unicode string area alignment is wrong.
+ decode_unicode_ssetup improperly assumes that it will always be preceded
+ by a pad byte. This isn't the case if the string area is already
+ word-aligned.
+
+ This problem, combined with the bad buffer sizing for the serverDomain
+ string can cause memory corruption. The bad alignment can make it so
+ that the alignment of the characters is off. This can make them
+ translate to characters that are greater than 2 bytes each. If this
+ happens we can overflow the allocation.
+
+ Fix this by fixing the alignment in CIFS_SessSetup instead so we can
+ verify it against the head of the response. Also, clean up the
+ workaround for improperly terminated strings by checking for a
+ odd-length unicode buffers and then forcibly terminating them.
+
+ Finally, resize the buffer for serverDomain. Now that we've fixed
+ the alignment, it's probably fine, but a malicious server could
+ overflow it.
+
+ A better solution for handling these strings is still needed, but
+ this should be a suitable bandaid.
+
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ CC: Stable <stable at vger.kernel.org>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/sess.c linux-source-2.6.26/fs/cifs/sess.c
+--- linux-source-2.6.26.orig/fs/cifs/sess.c 2009-05-11 12:06:56.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/sess.c 2009-05-25 23:24:01.000000000 -0600
+@@ -202,27 +202,26 @@ static int decode_unicode_ssetup(char **
+ int words_left, len;
+ char *data = *pbcc_area;
+
+-
+-
+ cFYI(1, ("bleft %d", bleft));
+
+-
+- /* SMB header is unaligned, so cifs servers word align start of
+- Unicode strings */
+- data++;
+- bleft--; /* Windows servers do not always double null terminate
+- their final Unicode string - in which case we
+- now will not attempt to decode the byte of junk
+- which follows it */
++ /*
++ * Windows servers do not always double null terminate their final
++ * Unicode string. Check to see if there are an uneven number of bytes
++ * left. If so, then add an extra NULL pad byte to the end of the
++ * response.
++ *
++ * See section 2.7.2 in "Implementing CIFS" for details
++ */
++ if (bleft % 2) {
++ data[bleft] = 0;
++ ++bleft;
++ }
+
+ words_left = bleft / 2;
+
+ /* save off server operating system */
+ len = UniStrnlen((wchar_t *) data, words_left);
+
+-/* We look for obvious messed up bcc or strings in response so we do not go off
+- the end since (at least) WIN2K and Windows XP have a major bug in not null
+- terminating last Unicode string in response */
+ if (len >= words_left)
+ return rc;
+
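Review bot: the odd-length fixup `data[bleft] = 0;` writes one byte beyond the byte-count area the caller reported, so it relies on the SMB response buffer having slack past `bcc`; nothing in this hunk checks that, so at least a comment at the write stating the assumption is warranted. Also, this patch's header says it was adjusted for Debian's 2.6.26 and the diff paths are `linux-source-2.6.26.orig/fs/cifs/sess.c`, yet the file is being committed to `dists/etch/linux-2.6.24`; please confirm it applies cleanly to the 2.6.24 tree and correct the note.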
+@@ -260,13 +259,10 @@ static int decode_unicode_ssetup(char **
+ return rc;
+
+ kfree(ses->serverDomain);
+- ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
+- if (ses->serverDomain != NULL) {
++ ses->serverDomain = kzalloc((4 * len) + 2, GFP_KERNEL);
++ if (ses->serverDomain != NULL)
+ cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
+ nls_cp);
+- ses->serverDomain[2*len] = 0;
+- ses->serverDomain[(2*len) + 1] = 0;
+- }
+ data += 2 * (len + 1);
+ words_left -= len + 1;
+
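Review bot: `kzalloc((4 * len) + 2, GFP_KERNEL)` bakes in an assumed bound of four output bytes per UCS-2 character plus a terminator, and the explicit NUL writes that were removed now depend on kzalloc's zero-fill. Put that bound in a comment beside the allocation; the commit message itself calls this a bandaid, and the limit is otherwise invisible to whoever next changes `cifs_strfromUCS_le` or its callers.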
+@@ -605,12 +601,18 @@ CIFS_SessSetup(unsigned int xid, struct
+ }
+
+ /* BB check if Unicode and decode strings */
+- if (smb_buf->Flags2 & SMBFLG2_UNICODE)
++ if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
++ /* unicode string area must be word-aligned */
++ if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
++ ++bcc_ptr;
++ --bytes_remaining;
++ }
+ rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
+- ses, nls_cp);
+- else
++ ses, nls_cp);
++ } else {
+ rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
+ ses, nls_cp);
++ }
+
+ ssetup_exit:
+ if (spnego_key)
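Review bot: the alignment fixup `++bcc_ptr; --bytes_remaining;` has no guard for `bytes_remaining == 0`; a response whose byte-count area is empty would underflow the remaining count (or hand `decode_unicode_ssetup` a pointer past the data). Guard it, e.g. `if (bytes_remaining && ((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2)`.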
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch)
@@ -0,0 +1,27 @@
+commit 7b0c8fcff47a885743125dd843db64af41af5a61
+Author: Suresh Jayaraman <sjayaraman at suse.de>
+Date: Mon Apr 20 18:54:36 2009 +0530
+
+ cifs: Increase size of tmp_buf in cifs_readdir to avoid potential overflows
+
+ Increase size of tmp_buf to possible maximum to avoid potential
+ overflows.
+
+ Pointed-out-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
+ Acked-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index 1a8be62..ebd0da7 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -1074,7 +1074,7 @@ int cifs_readdir(struct file *file, void *direntry, filldir_t filldir)
+ with the rare long characters alloc more to account for
+ such multibyte target UTF-8 characters. cifs_unicode.c,
+ which actually does the conversion, has the same limit */
+- tmp_buf = kmalloc((2 * NAME_MAX) + 4, GFP_KERNEL);
++ tmp_buf = kmalloc((4 * NAME_MAX) + 2, GFP_KERNEL);
+ for (i = 0; (i < num_to_fill) && (rc == 0); i++) {
+ if (current_entry == NULL) {
+ /* evaluate whether this case is an error */
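Review bot: the enlarged `kmalloc((4 * NAME_MAX) + 2, GFP_KERNEL)` still has no NULL check in the visible context before `tmp_buf` is used in the loop that follows; if the check lives outside this hunk, fine, otherwise fail with -ENOMEM via the function's cleanup path. The size mirrors the `4 * len + 2` bound used in the sess.c fix in this same commit, so the two should be kept in step if that bound ever changes.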
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch)
@@ -0,0 +1,46 @@
+commit ea30e11970a96cfe5e32c03a29332554573b4a10
+Author: Neil Horman <nhorman at tuxdriver.com>
+Date: Tue Jun 2 01:29:58 2009 -0700
+
+ e1000: add missing length check to e1000 receive routine
+
+ Patch to fix bad length checking in e1000. E1000 by default does two
+ things:
+
+ 1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
+ 2) Strips the crc from a frame by subtracting 4 bytes from the length prior to
+ doing an skb_put
+
+ Since the e1000 driver isn't written to support receiving packets that span
+ multiple rx buffers, it checks the End of Packet bit of every frame, and
+ discards it if its not set. This places us in a situation where, if we have a
+ spanning packet, the first part is discarded, but the second part is not (since
+ it is the end of packet, and it passes the EOP bit test). If the second part of
+ the frame is small (4 bytes or less), we subtract 4 from it to remove its crc,
+ underflow the length, and wind up in skb_over_panic, when we try to skb_put a
+ huge number of bytes into the skb. This amounts to a remote DOS attack through
+ careful selection of frame size in relation to interface MTU. The fix for this
+ is already in the e1000e driver, as well as the e1000 sourceforge driver, but no
+ one ever pushed it to e1000. This is lifted straight from e1000e, and prevents
+ small frames from causing the underflow described above
+
+ Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+ Tested-by: Andy Gospodarek <andy at greyhouse.net>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/e1000/e1000_main.c b/drivers/net/e1000/e1000_main.c
+index b1419e2..fffb006 100644
+--- a/drivers/net/e1000/e1000_main.c
++++ b/drivers/net/e1000/e1000_main.c
+@@ -4027,8 +4027,9 @@ static bool e1000_clean_rx_irq(struct e1000_adapter *adapter,
+ PCI_DMA_FROMDEVICE);
+
+ length = le16_to_cpu(rx_desc->length);
+-
+- if (unlikely(!(status & E1000_RXD_STAT_EOP))) {
++ /* !EOP means multiple descriptors were used to store a single
++ * packet, also make sure the frame isn't just CRC only */
++ if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) {
+ /* All receives must fit into a single buffer */
+ E1000_DBG("%s: Receive packet consumed multiple"
+ " buffers\n", netdev->name);
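Review bot: the `length <= 4` test correctly rejects a trailing fragment before the 4-byte CRC is subtracted, but the `E1000_DBG` message that follows still only says the packet consumed multiple buffers; update it, or add a second message, so a CRC-only frame dropped by the new condition is distinguishable in the debug log. Counting these drops in an rx error statistic would also make the crafted-frame pattern described in the commit message observable from userspace.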
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch)
@@ -0,0 +1,30 @@
+Tag 11 packets are stored in the metadata section of an eCryptfs file to
+store the key signature(s) used to encrypt the file encryption key.
+After extracting the packet length field to determine the key signature
+length, a check is not performed to see if the length would exceed the
+key signature buffer size that was passed into parse_tag_11_packet().
+
+Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.
+
+Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+---
+ fs/ecryptfs/keystore.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org
+diff -urpN linux-source-2.6.24.orig/fs/ecryptfs/keystore.c linux-source-2.6.24/fs/ecryptfs/keystore.c
+--- linux-source-2.6.24.orig/fs/ecryptfs/keystore.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/fs/ecryptfs/keystore.c 2009-07-25 15:31:56.000000000 -0600
+@@ -870,6 +870,12 @@ parse_tag_11_packet(unsigned char *data,
+ rc = -EINVAL;
+ goto out;
+ }
++ if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
++ printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
++ "expected size\n");
++ rc = -EINVAL;
++ goto out;
++ }
+ if (data[(*packet_size)++] != 0x62) {
+ printk(KERN_WARNING "Unrecognizable packet\n");
+ rc = -EINVAL;
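Review bot: the new bound check logs at `KERN_ERR` while the adjacent rejection in this function (`Unrecognizable packet`) uses `KERN_WARNING`; since the packet comes from file metadata a local user controls, keep the level consistent with its neighbours to avoid log spam from fuzzed files. Separately, the attribution line in the patch header (`Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org`) is missing its closing `>` and the blank line before `diff`.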
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch)
@@ -0,0 +1,28 @@
+The parse_tag_3_packet function does not check if the tag 3 packet contains a
+encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.
+
+Signed-off-by: Ramon de Carvalho Valle <ramon at risesecurity.org>
+Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+---
+ fs/ecryptfs/keystore.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/fs/ecryptfs/keystore.c linux-source-2.6.24/fs/ecryptfs/keystore.c
+--- linux-source-2.6.24.orig/fs/ecryptfs/keystore.c 2009-07-25 15:31:56.000000000 -0600
++++ linux-source-2.6.24/fs/ecryptfs/keystore.c 2009-07-25 15:37:12.000000000 -0600
+@@ -724,6 +724,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
+ }
+ (*new_auth_tok)->session_key.encrypted_key_size =
+ (body_size - (ECRYPTFS_SALT_SIZE + 5));
++ if ((*new_auth_tok)->session_key.encrypted_key_size
++ > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
++ printk(KERN_WARNING "Tag 3 packet contains key larger "
++ "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
++ rc = -EINVAL;
++ goto out_free;
++ }
+ if (unlikely(data[(*packet_size)++] != 0x04)) {
+ printk(KERN_WARNING "Unknown version number [%d]\n",
+ data[(*packet_size) - 1]);
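Review bot: `encrypted_key_size = body_size - (ECRYPTFS_SALT_SIZE + 5)` is computed before the new check, and the visible context shows no lower-bound check that `body_size >= ECRYPTFS_SALT_SIZE + 5`. If `encrypted_key_size` is unsigned, an underflow happens to be caught by the `> ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES` comparison, but that is incidental; add an explicit lower-bound rejection (or confirm one exists above this hunk) rather than relying on wraparound.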
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch)
@@ -0,0 +1,38 @@
+commit 7ee2cb7f32b299c2b06a31fde155457203e4b7dd
+Author: Frank Filz <ffilzlnx at us.ibm.com>
+Date: Mon May 18 17:41:40 2009 -0400
+
+ nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission.
+
+ The problem is that permission checking is skipped if atomic open is
+ possible, but when exec opens a file, it just opens it O_READONLY which
+ means EXEC permission will not be checked at that time.
+
+ This problem is observed by the following sequence (executed as root):
+
+ mount -t nfs4 server:/ /mnt4
+ echo "ls" >/mnt4/foo
+ chmod 744 /mnt4/foo
+ su guest -c "mnt4/foo"
+
+ Signed-off-by: Frank Filz <ffilzlnx at us.ibm.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Cc: stable at kernel.org
+ Tested-by: Eugene Teo <eugeneteo at kernel.sg>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/nfs/dir.c linux-source-2.6.26/fs/nfs/dir.c
+--- linux-source-2.6.26.orig/fs/nfs/dir.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/nfs/dir.c 2009-05-24 14:36:52.000000000 -0600
+@@ -1949,7 +1949,8 @@ int nfs_permission(struct inode *inode,
+ /* NFSv4 has atomic_open... */
+ if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
+ && nd != NULL
+- && (nd->flags & LOOKUP_OPEN))
++ && (nd->flags & LOOKUP_OPEN)
++ && !(mask & MAY_EXEC))
+ goto out;
+ break;
+ case S_IFDIR:
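Review bot: the added `&& !(mask & MAY_EXEC)` is the minimal fix, but it changes behaviour for every NFSv4 exec: the atomic-open shortcut no longer applies and a full permission check runs. A one-line comment above the condition stating why exec must not take the shortcut (exec opens the file read-only, so the server never sees the EXEC intent) would save the next reader a trip to the commit message.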
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch)
@@ -0,0 +1,92 @@
+commit 7bfac9ecf0585962fe13584f5cf526d8c8e76f17
+Author: Miklos Szeredi <mszeredi at suse.cz>
+Date: Mon Apr 6 17:41:00 2009 +0200
+
+ splice: fix deadlock in splicing to file
+
+ There's a possible deadlock in generic_file_splice_write(),
+ splice_from_pipe() and ocfs2_file_splice_write():
+
+ - task A calls generic_file_splice_write()
+ - this calls inode_double_lock(), which locks i_mutex on both
+ pipe->inode and target inode
+ - ordering depends on inode pointers, can happen that pipe->inode is
+ locked first
+ - __splice_from_pipe() needs more data, calls pipe_wait()
+ - this releases lock on pipe->inode, goes to interruptible sleep
+ - task B calls generic_file_splice_write(), similarly to the first
+ - this locks pipe->inode, then tries to lock inode, but that is
+ already held by task A
+ - task A is interrupted, it tries to lock pipe->inode, but fails, as
+ it is already held by task B
+ - ABBA deadlock
+
+ Fix this by explicitly ordering locks: the outer lock must be on
+ target inode and the inner lock (which is later unlocked and relocked)
+ must be on pipe->inode. This is OK, pipe inodes and target inodes
+ form two nonoverlapping sets, generic_file_splice_write() and friends
+ are not called with a target which is a pipe.
+
+ Signed-off-by: Miklos Szeredi <mszeredi at suse.cz>
+ Acked-by: Mark Fasheh <mfasheh at suse.com>
+ Acked-by: Jens Axboe <jens.axboe at oracle.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/fs/ocfs2/file.c linux-source-2.6.24/fs/ocfs2/file.c
+--- linux-source-2.6.24.orig/fs/ocfs2/file.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/fs/ocfs2/file.c 2009-07-05 21:37:39.000000000 -0600
+@@ -2056,7 +2056,7 @@ static ssize_t ocfs2_file_splice_write(s
+ out->f_path.dentry->d_name.len,
+ out->f_path.dentry->d_name.name);
+
+- inode_double_lock(inode, pipe->inode);
++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
+
+ ret = ocfs2_rw_lock(inode, 1);
+ if (ret < 0) {
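Review bot: replacing `inode_double_lock` with `mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT)` makes the ocfs2 path match the ordering documented in the fs/splice.c hunk of this same patch, but unlike that hunk there is no `WARN_ON(S_ISFIFO(inode->i_mode))` here, so the assumption that the target is never a pipe goes unchecked on this path.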
+@@ -2071,12 +2071,16 @@ static ssize_t ocfs2_file_splice_write(s
+ goto out_unlock;
+ }
+
++ if (pipe->inode)
++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
+ ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags);
++ if (pipe->inode)
++ mutex_unlock(&pipe->inode->i_mutex);
+
+ out_unlock:
+ ocfs2_rw_unlock(inode, 1);
+ out:
+- inode_double_unlock(inode, pipe->inode);
++ mutex_unlock(&inode->i_mutex);
+
+ mlog_exit(ret);
+ return ret;
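Review bot: the `pipe->inode` lock is held only around `generic_file_splice_write_nolock` and released before `out_unlock`, so the earlier `goto out_unlock` error paths correctly never hold it. The paired `if (pipe->inode)` lock/unlock blocks are easy to unbalance in a later edit, though; a short comment stating that pipe->inode is the inner (I_MUTEX_CHILD) lock would help keep them together.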
+diff -urpN linux-source-2.6.24.orig/fs/splice.c linux-source-2.6.24/fs/splice.c
+--- linux-source-2.6.24.orig/fs/splice.c 2008-10-10 00:11:29.000000000 -0600
++++ linux-source-2.6.24/fs/splice.c 2009-07-05 21:35:23.000000000 -0600
+@@ -738,10 +738,19 @@ ssize_t splice_from_pipe(struct pipe_ino
+ * ->commit_write. Most of the time, these expect i_mutex to
+ * be held. Since this may result in an ABBA deadlock with
+ * pipe->inode, we have to order lock acquiry here.
++ *
++ * Outer lock must be inode->i_mutex, as pipe_wait() will
++ * release and reacquire pipe->inode->i_mutex, AND inode must
++ * never be a pipe.
+ */
+- inode_double_lock(inode, pipe->inode);
++ WARN_ON(S_ISFIFO(inode->i_mode));
++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
++ if (pipe->inode)
++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
+ ret = __splice_from_pipe(pipe, &sd, actor);
+- inode_double_unlock(inode, pipe->inode);
++ if (pipe->inode)
++ mutex_unlock(&pipe->inode->i_mutex);
++ mutex_unlock(&inode->i_mutex);
+
+ return ret;
+ }
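Review bot: `WARN_ON(S_ISFIFO(inode->i_mode))` only warns; if a pipe were ever passed as the target, the code still proceeds to take the two mutexes in an order the new comment says can deadlock. Since the comment states the invariant as a hard requirement, consider bailing out with an error after the warning instead of continuing.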
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch)
@@ -0,0 +1,52 @@
+commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
+Author: Julien Tinnes <jt at cr0.org>
+Date: Fri Jun 26 20:27:40 2009 +0200
+
+ personality: fix PER_CLEAR_ON_SETID
+
+ We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
+ include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
+
+ The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
+
+ We believe it is important to add MMAP_PAGE_ZERO, because by using this
+ personality it is possible to have the first page mapped inside a
+ process running as setuid root. This could be used in those scenarios:
+
+ - Exploiting a NULL pointer dereference issue in a setuid root binary
+ - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
+ running a setuid binary that would drop privileges before giving us
+ control back (for instance by loading a user-supplied library), we
+ could get the first page mapped in a process we control. By further
+ using mremap and mprotect on this mapping, we can then completely
+ bypass the mmap_min_addr restrictions.
+
+ Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
+ since on x86 32bits it will in practice disable most of the address
+ space layout randomization (only the stack will remain randomized).
+
+ Signed-off-by: Julien Tinnes <jt at cr0.org>
+ Signed-off-by: Tavis Ormandy <taviso at sdf.lonestar.org>
+ Cc: stable at kernel.org
+ Acked-by: Christoph Hellwig <hch at infradead.org>
+ Acked-by: Kees Cook <kees at ubuntu.com>
+ Acked-by: Eugene Teo <eugene at redhat.com>
+ [ Shortened lines and fixed whitespace as per Christophs' suggestion ]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/personality.h b/include/linux/personality.h
+index a84e9ff..1261208 100644
+--- a/include/linux/personality.h
++++ b/include/linux/personality.h
+@@ -40,7 +40,10 @@ enum {
+ * Security-relevant compatibility flags that must be
+ * cleared upon setuid or setgid exec:
+ */
+-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
++#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
++ ADDR_NO_RANDOMIZE | \
++ ADDR_COMPAT_LAYOUT | \
++ MMAP_PAGE_ZERO)
+
+ /*
+ * Personality types.
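Review bot: this hunk is the unmodified upstream diff (`index a84e9ff..1261208`) rather than one adjusted to the Debian tree like the others in this commit; please confirm that `ADDR_COMPAT_LAYOUT` and `MMAP_PAGE_ZERO` are defined in the 2.6.24 `personality.h` enum above this hunk so the widened mask compiles, and that the hunk applies at the stated offsets.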
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch)
@@ -0,0 +1,81 @@
+commit fdd7b4c3302c93f6833e338903ea77245eb510b4
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Tue Jun 9 04:01:02 2009 -0700
+
+ r8169: fix crash when large packets are received
+
+ Michael Tokarev reported receiving a large packet could crash
+ a machine with RTL8169 NIC.
+ ( original thread at http://lkml.org/lkml/2009/6/8/192 )
+
+ Problem is this driver tells that NIC frames up to 16383 bytes
+ can be received but provides skb to rx ring allocated with
+ smaller sizes (1536 bytes in case standard 1500 bytes MTU is used)
+
+ When a frame larger than what was allocated by driver is received,
+ dma transfert can occurs past the end of buffer and corrupt
+ kernel memory.
+
+ Fix is to tell to NIC what is the maximum size a frame can be.
+
+ This bug is very old, (before git introduction, linux-2.6.10), and
+ should be backported to stable versions.
+
+ Reported-by: Michael Tokarev <mjt at tls.msk.ru>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Tested-by: Michael Tokarev <mjt at tls.msk.ru>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/r8169.c linux-source-2.6.26/drivers/net/r8169.c
+--- linux-source-2.6.26.orig/drivers/net/r8169.c 2009-05-11 12:06:52.000000000 -0600
++++ linux-source-2.6.26/drivers/net/r8169.c 2009-06-09 08:44:34.000000000 -0600
+@@ -81,7 +81,6 @@ static const int multicast_filter_limit
+ #define RX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
+ #define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
+ #define EarlyTxThld 0x3F /* 0x3F means NO early transmit */
+-#define RxPacketMaxSize 0x3FE8 /* 16K - 1 - ETH_HLEN - VLAN - CRC... */
+ #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */
+ #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */
+
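Review bot: removing `RxPacketMaxSize` leaves the `SafeMtu` comment (`... actually life sucks beyond ~7k`) continuing a sentence that no longer exists; rewrite that comment so it stands on its own.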
+@@ -1982,10 +1981,10 @@ static u16 rtl_rw_cpluscmd(void __iomem
+ return cmd;
+ }
+
+-static void rtl_set_rx_max_size(void __iomem *ioaddr)
++static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
+ {
+ /* Low hurts. Let's disable the filtering. */
+- RTL_W16(RxMaxSize, 16383);
++ RTL_W16(RxMaxSize, rx_buf_sz);
+ }
+
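Review bot: the comment `Low hurts. Let's disable the filtering.` is now stale: the function no longer writes the 16383 no-filter value but programs `RxMaxSize` to the real buffer size, which is the point of the fix. Replace it with a note that the value must equal the skb size allocated for the rx ring, and since `RTL_W16` is a 16-bit write, state that callers must never pass an `rx_buf_sz` above 0xFFFF.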
+ static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
+@@ -2032,7 +2031,7 @@ static void rtl_hw_start_8169(struct net
+
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+- rtl_set_rx_max_size(ioaddr);
++ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+
+ if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
+ (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
+@@ -2096,7 +2095,7 @@ static void rtl_hw_start_8168(struct net
+
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+- rtl_set_rx_max_size(ioaddr);
++ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+
+ rtl_set_rx_tx_config_registers(tp);
+
+@@ -2150,7 +2149,7 @@ static void rtl_hw_start_8101(struct net
+
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+- rtl_set_rx_max_size(ioaddr);
++ rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
+
+ tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
+
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch Thu Jul 30 17:35:55 2009 (r14053, copy of r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch)
@@ -0,0 +1,34 @@
+commit 192d7a4667c6d11d1a174ec4cad9a3c5d5f9043c
+Author: Mikulas Patocka <mpatocka at redhat.com>
+Date: Wed Mar 18 23:53:16 2009 -0700
+
+ sparc64: Fix crash with /proc/iomem
+
+ When you compile kernel on Sparc64 with heap memory checking and type
+ "cat /proc/iomem", you get a crash, because pointers in struct
+ resource are uninitialized.
+
+ Most code fills struct resource with zeros, so I assume that it is
+ responsibility of the caller of request_resource to initialized it,
+ not the responsibility of request_resource functuion.
+
+ After 2.6.29 is out, there could be a check for uninitialized fields
+ added to request_resource to avoid crashes like this.
+
+ Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/sparc64/kernel/pci_common.c linux-source-2.6.26/arch/sparc64/kernel/pci_common.c
+--- linux-source-2.6.26.orig/arch/sparc64/kernel/pci_common.c 2009-05-11 12:06:56.000000000 -0600
++++ linux-source-2.6.26/arch/sparc64/kernel/pci_common.c 2009-06-09 00:05:23.000000000 -0600
+@@ -368,7 +368,7 @@ static void pci_register_iommu_region(st
+ const u32 *vdma = of_get_property(pbm->prom_node, "virtual-dma", NULL);
+
+ if (vdma) {
+- struct resource *rp = kmalloc(sizeof(*rp), GFP_KERNEL);
++ struct resource *rp = kzalloc(sizeof(*rp), GFP_KERNEL);
+
+ if (!rp) {
+ prom_printf("Cannot allocate IOMMU resource.\n");
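Review bot: switching to `kzalloc` fixes this one allocation, but the commit message argues that initialising `struct resource` is the caller's job; any other `request_resource` callers in the sparc64 PCI code that allocate with `kmalloc` deserve the same audit, since which uninitialised pointer `/proc/iomem` trips over depends on the walk order.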
Copied and modified: dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2 (from r14052, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/series/6~etchnhalf.8etch2)
==============================================================================
--- releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch2/debian/patches/series/6~etchnhalf.8etch2 Thu Jul 30 17:31:59 2009 (r14052, copy source)
+++ dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2 Thu Jul 30 17:35:55 2009 (r14053)
@@ -7,3 +7,4 @@
+ bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
+ bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
+ bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
++ bugfix/all/ocfs2-splice-deadlock.patch
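Review bot: this appends `ocfs2-splice-deadlock.patch` to a series that the copy source lacked it in, even though the 8etch2 changelog entry already claims the CVE-2009-1961 fix; good catch. The series now lists it last while the changelog names the splice fix before the personality and ecryptfs entries, which is harmless, but do verify that the .10 build applies all nine fixes.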