[kernel] r15562 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Apr 27 06:06:56 UTC 2010
Author: dannf
Date: Tue Apr 27 06:06:50 2010
New Revision: 15562
Log:
tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Tue Apr 27 05:49:07 2010 (r15561)
+++ dists/lenny-security/linux-2.6/debian/changelog Tue Apr 27 06:06:50 2010 (r15562)
@@ -9,6 +9,7 @@
* NFS: Fix an Oops when truncating a file (CVE-2010-1087)
* fix LOOKUP_FOLLOW on automount "symlinks" (CVE-2010-1088)
* tty: release_one_tty() forgets to put pids (CVE-2010-1162)
+ * tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
[ Ben Hutchings ]
* [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch Tue Apr 27 06:06:50 2010 (r15562)
@@ -0,0 +1,211 @@
+commit cfa124a2725e84dd845805672f170aa89444b52e
+Author: Neil Horman <nhorman at tuxdriver.com>
+Date: Wed Mar 3 08:31:23 2010 +0000
+
+ tipc: Fix oops on send prior to entering networked mode (v3)
+
+ Fix TIPC to disallow sending to remote addresses prior to entering NET_MODE
+
+ user programs can oops the kernel by sending datagrams via AF_TIPC prior to
+ entering networked mode. The following backtrace has been observed:
+
+ ID: 13459 TASK: ffff810014640040 CPU: 0 COMMAND: "tipc-client"
+ [exception RIP: tipc_node_select_next_hop+90]
+ RIP: ffffffff8869d3c3 RSP: ffff81002d9a5ab8 RFLAGS: 00010202
+ RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000000001
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000001001001
+ RBP: 0000000001001001 R8: 0074736575716552 R9: 0000000000000000
+ R10: ffff81003fbd0680 R11: 00000000000000c8 R12: 0000000000000008
+ R13: 0000000000000001 R14: 0000000000000001 R15: ffff810015c6ca00
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ RIP: 0000003cbd8d49a3 RSP: 00007fffc84e0be8 RFLAGS: 00010206
+ RAX: 000000000000002c RBX: ffffffff8005d116 RCX: 0000000000000000
+ RDX: 0000000000000008 RSI: 00007fffc84e0c00 RDI: 0000000000000003
+ RBP: 0000000000000000 R8: 00007fffc84e0c10 R9: 0000000000000010
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007fffc84e0d10 R14: 0000000000000000 R15: 00007fffc84e0c30
+ ORIG_RAX: 000000000000002c CS: 0033 SS: 002b
+
+ What happens is that, when the tipc module in inserted it enters a standalone
+ node mode in which communication to its own address is allowed <0.0.0> but not
+ to other addresses, since the appropriate data structures have not been
+ allocated yet (specifically the tipc_net pointer). There is nothing stopping a
+ client from trying to send such a message however, and if that happens, we
+ attempt to dereference tipc_net.zones while the pointer is still NULL, and
+ explode. The fix is pretty straightforward. Since these oopses all arise from
+ the dereference of global pointers prior to their assignment to allocated
+ values, and since these allocations are small (about 2k total), lets convert
+ these pointers to static arrays of the appropriate size. All the accesses to
+ these bits consider 0/NULL to be a non match when searching, so all the lookups
+ still work properly, and there is no longer a chance of a bad dererence
+ anywhere. As a bonus, this lets us eliminate the setup/teardown routines for
+ those pointers, and elimnates the need to preform any locking around them to
+ prevent access while their being allocated/freed.
+
+ I've updated the tipc_net structure to behave this way to fix the exact reported
+ problem, and also fixed up the tipc_bearers and media_list arrays to fix an
+ obvious simmilar problem that arises from issuing tipc-config commands to
+ manipulate bearers/links prior to entering networked mode
+
+ I've tested this for a few hours by running the sanity tests and stress test
+ with the tipcutils suite, and nothing has fallen over. There have been a few
+ lockdep warnings, but those were there before, and can be addressed later, as
+ they didn't actually result in any deadlock.
+
+ Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+ Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+ CC: Allan Stephens <allan.stephens at windriver.com>
+ CC: David S. Miller <davem at davemloft.net>
+ CC: tipc-discussion at lists.sourceforge.net
+
+ bearer.c | 37 ++++++-------------------------------
+ bearer.h | 2 +-
+ net.c | 25 ++++---------------------
+ 3 files changed, 11 insertions(+), 53 deletions(-)
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
+index 271a375..e5ebebd 100644
+--- a/net/tipc/bearer.c
++++ b/net/tipc/bearer.c
+@@ -45,10 +45,10 @@
+
+ #define MAX_ADDR_STR 32
+
+-static struct media *media_list = NULL;
++static struct media media_list[MAX_MEDIA];
+ static u32 media_count = 0;
+
+-struct bearer *tipc_bearers = NULL;
++struct bearer tipc_bearers[MAX_BEARERS];
+
+ /**
+ * media_name_valid - validate media name
+@@ -108,9 +108,11 @@ int tipc_register_media(u32 media_type,
+ int res = -EINVAL;
+
+ write_lock_bh(&tipc_net_lock);
+- if (!media_list)
+- goto exit;
+
++ if (tipc_mode != TIPC_NET_MODE) {
++ warn("Media <%s> rejected, not in networked mode yet\n", name);
++ goto exit;
++ }
+ if (!media_name_valid(name)) {
+ warn("Media <%s> rejected, illegal name\n", name);
+ goto exit;
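Review bot: the new `tipc_mode != TIPC_NET_MODE` test in tipc_register_media only works as a guard if the transition to TIPC_NET_MODE is itself made under tipc_net_lock, which this function holds via write_lock_bh; if tipc_net_start flips tipc_mode without that lock, a registration arriving during start-up can still see the mode set before the cluster/broadcast structures are ready. Worth confirming where tipc_mode is written; otherwise the check (and its `-EINVAL` with a warning, replacing the old silent `!media_list` exit) looks right.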
+@@ -660,33 +662,10 @@ int tipc_disable_bearer(const char *name)
+
+
+
+-int tipc_bearer_init(void)
+-{
+- int res;
+-
+- write_lock_bh(&tipc_net_lock);
+- tipc_bearers = kcalloc(MAX_BEARERS, sizeof(struct bearer), GFP_ATOMIC);
+- media_list = kcalloc(MAX_MEDIA, sizeof(struct media), GFP_ATOMIC);
+- if (tipc_bearers && media_list) {
+- res = TIPC_OK;
+- } else {
+- kfree(tipc_bearers);
+- kfree(media_list);
+- tipc_bearers = NULL;
+- media_list = NULL;
+- res = -ENOMEM;
+- }
+- write_unlock_bh(&tipc_net_lock);
+- return res;
+-}
+-
+ void tipc_bearer_stop(void)
+ {
+ u32 i;
+
+- if (!tipc_bearers)
+- return;
+-
+ for (i = 0; i < MAX_BEARERS; i++) {
+ if (tipc_bearers[i].active)
+ tipc_bearers[i].publ.blocked = 1;
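Review bot: tipc_bearer_init is removed here, but the bearer.h hunk below only changes the `tipc_bearers` declaration; if a prototype `int tipc_bearer_init(void);` exists in that header (not visible in this patch), drop it as well so no stale declaration survives. Dropping the `!tipc_bearers` early return in tipc_bearer_stop is fine, since the array is now always valid and its `.active` fields are zero until a bearer is enabled.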
+@@ -695,10 +674,6 @@ void tipc_bearer_stop(void)
+ if (tipc_bearers[i].active)
+ bearer_disable(tipc_bearers[i].publ.name);
+ }
+- kfree(tipc_bearers);
+- kfree(media_list);
+- tipc_bearers = NULL;
+- media_list = NULL;
+ media_count = 0;
+ }
+
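Review bot: with the kfree/NULL lines gone, tipc_bearer_stop leaves the contents of `tipc_bearers[]` and `media_list[]` in place and resets only `media_count`, whereas the old tipc_bearer_init gave tipc_net_start a freshly zeroed table on every start. Unless bearer_disable clears each entry completely, a stop/start cycle can now observe stale bearer or media state; adding `memset(tipc_bearers, 0, sizeof(tipc_bearers));` and `memset(media_list, 0, sizeof(media_list));` after the loop restores the old fresh-table behaviour.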
+diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
+index 6a36b66..b250414 100644
+--- a/net/tipc/bearer.h
++++ b/net/tipc/bearer.h
+@@ -114,7 +114,7 @@ struct bearer_name {
+
+ struct link;
+
+-extern struct bearer *tipc_bearers;
++extern struct bearer tipc_bearers[];
+
+ void tipc_media_addr_printf(struct print_buf *pb, struct tipc_media_addr *a);
+ struct sk_buff *tipc_media_get_names(void);
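Review bot: `extern struct bearer tipc_bearers[];` hides the array bound from other translation units (sizeof cannot be used on it there); if MAX_BEARERS is visible from bearer.h, declare it as `extern struct bearer tipc_bearers[MAX_BEARERS];` so the declaration matches the definition in bearer.c.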
+diff --git a/net/tipc/net.c b/net/tipc/net.c
+index c39c762..d9830c0 100644
+--- a/net/tipc/net.c
++++ b/net/tipc/net.c
+@@ -116,7 +116,8 @@
+ */
+
+ DEFINE_RWLOCK(tipc_net_lock);
+-struct network tipc_net = { NULL };
++struct _zone *tipc_zones[256] = { NULL, };
++struct network tipc_net = { tipc_zones };
+
+ struct node *tipc_net_select_remote_node(u32 addr, u32 ref)
+ {
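Review bot: `tipc_zones[256]` is a magic size, while net_stop still iterates `z_num <= tipc_max_zones` and the removed net_init allocated `tipc_max_zones + 1` entries; unless tipc_max_zones is provably capped at 255, that loop can index past the end of the array. Tie the array size to the same limit that bounds tipc_max_zones (a named constant) or clamp tipc_max_zones against it, and make `tipc_zones` `static` unless another file needs the symbol.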
+@@ -158,28 +159,12 @@ void tipc_net_send_external_routes(u32 dest)
+ }
+ }
+
+-static int net_init(void)
+-{
+- memset(&tipc_net, 0, sizeof(tipc_net));
+- tipc_net.zones = kcalloc(tipc_max_zones + 1, sizeof(struct _zone *), GFP_ATOMIC);
+- if (!tipc_net.zones) {
+- return -ENOMEM;
+- }
+- return TIPC_OK;
+-}
+-
+ static void net_stop(void)
+ {
+ u32 z_num;
+
+- if (!tipc_net.zones)
+- return;
+-
+- for (z_num = 1; z_num <= tipc_max_zones; z_num++) {
++ for (z_num = 1; z_num <= tipc_max_zones; z_num++)
+ tipc_zone_delete(tipc_net.zones[z_num]);
+- }
+- kfree(tipc_net.zones);
+- tipc_net.zones = NULL;
+ }
+
+ static void net_route_named_msg(struct sk_buff *buf)
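Review bot: net_stop now calls tipc_zone_delete on each entry but no longer clears the slot (the old code freed and NULLed the whole array, and net_init zeroed tipc_net on every start), so `tipc_net.zones[]` keeps dangling pointers to freed zones across a stop/start cycle. Add `tipc_net.zones[z_num] = NULL;` after each `tipc_zone_delete(tipc_net.zones[z_num]);` (keeping the loop braces that this hunk removes); the loop already tolerates NULL entries, since the old kcalloc'd array contained them.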
+@@ -278,9 +263,7 @@ int tipc_net_start(void)
+ tipc_named_reinit();
+ tipc_port_reinit();
+
+- if ((res = tipc_bearer_init()) ||
+- (res = net_init()) ||
+- (res = tipc_cltr_init()) ||
++ if ((res = tipc_cltr_init()) ||
+ (res = tipc_bclink_init())) {
+ return res;
+ }
Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny5 Tue Apr 27 05:49:07 2010 (r15561)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny5 Tue Apr 27 06:06:50 2010 (r15562)
@@ -9,3 +9,4 @@
+ bugfix/all/nfs-fix-an-oops-when-truncating-a-file.patch
+ bugfix/all/fix-LOOKUP_FOLLOW-on-automount-symlinks.patch
+ bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch
++ bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch