[kernel] r16219 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Aug 29 20:10:05 UTC 2010


Author: dannf
Date: Sun Aug 29 20:09:59 2010
New Revision: 16219

Log:
net sched: fix some kernel memory leaks (CVE-2010-2942)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/25

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Sun Aug 29 20:09:43 2010	(r16218)
+++ dists/lenny/linux-2.6/debian/changelog	Sun Aug 29 20:09:59 2010	(r16219)
@@ -13,6 +13,7 @@
   [ dann frazier ]
   * Add guard page for stacks that grow up, an additional fix for
     CVE-2010-2240
+  * net sched: fix some kernel memory leaks (CVE-2010-2942)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 02 Jul 2010 01:36:02 +0100
 

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch	Sun Aug 29 20:09:59 2010	(r16219)
@@ -0,0 +1,106 @@
+commit 502718d1a8a4013898524be66ebec58102cb50ed
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Mon Aug 16 20:04:22 2010 +0000
+
+    net sched: fix some kernel memory leaks
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    We leak at least 32bits of kernel memory to user land in tc dump,
+    because we dont init all fields (capab ?) of the dumped structure.
+    
+    Use C99 initializers so that holes and non explicit fields are zeroed.
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
+index 422872c..297cddd 100644
+--- a/net/sched/act_gact.c
++++ b/net/sched/act_gact.c
+@@ -152,21 +152,24 @@ static int tcf_gact(struct sk_buff *skb, struct tc_action *a, struct tcf_result
+ static int tcf_gact_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+-	struct tc_gact opt;
+ 	struct tcf_gact *gact = a->priv;
++	struct tc_gact opt = {
++		.index   = gact->tcf_index,
++		.refcnt  = gact->tcf_refcnt - ref,
++		.bindcnt = gact->tcf_bindcnt - bind,
++		.action  = gact->tcf_action,
++	};
+ 	struct tcf_t t;
+ 
+-	opt.index = gact->tcf_index;
+-	opt.refcnt = gact->tcf_refcnt - ref;
+-	opt.bindcnt = gact->tcf_bindcnt - bind;
+-	opt.action = gact->tcf_action;
+ 	NLA_PUT(skb, TCA_GACT_PARMS, sizeof(opt), &opt);
+ #ifdef CONFIG_GACT_PROB
+ 	if (gact->tcfg_ptype) {
+-		struct tc_gact_p p_opt;
+-		p_opt.paction = gact->tcfg_paction;
+-		p_opt.pval = gact->tcfg_pval;
+-		p_opt.ptype = gact->tcfg_ptype;
++		struct tc_gact_p p_opt = {
++			.paction = gact->tcfg_paction,
++			.pval    = gact->tcfg_pval,
++			.ptype   = gact->tcfg_ptype,
++		};
++
+ 		NLA_PUT(skb, TCA_GACT_PROB, sizeof(p_opt), &p_opt);
+ 	}
+ #endif
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index 1aff005..4d50b93 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -205,15 +205,16 @@ static int tcf_mirred_dump(struct sk_buff *skb, struct tc_action *a, int bind, i
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_mirred *m = a->priv;
+-	struct tc_mirred opt;
++	struct tc_mirred opt = {
++		.index   = m->tcf_index,
++		.action  = m->tcf_action,
++		.refcnt  = m->tcf_refcnt - ref,
++		.bindcnt = m->tcf_bindcnt - bind,
++		.eaction = m->tcfm_eaction,
++		.ifindex = m->tcfm_ifindex,
++	};
+ 	struct tcf_t t;
+ 
+-	opt.index = m->tcf_index;
+-	opt.action = m->tcf_action;
+-	opt.refcnt = m->tcf_refcnt - ref;
+-	opt.bindcnt = m->tcf_bindcnt - bind;
+-	opt.eaction = m->tcfm_eaction;
+-	opt.ifindex = m->tcfm_ifindex;
+ 	NLA_PUT(skb, TCA_MIRRED_PARMS, sizeof(opt), &opt);
+ 	t.install = jiffies_to_clock_t(jiffies - m->tcf_tm.install);
+ 	t.lastuse = jiffies_to_clock_t(jiffies - m->tcf_tm.lastuse);
+diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
+index 1d421d0..1373c2c 100644
+--- a/net/sched/act_simple.c
++++ b/net/sched/act_simple.c
+@@ -163,13 +163,14 @@ static inline int tcf_simp_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_defact *d = a->priv;
+-	struct tc_defact opt;
++	struct tc_defact opt = {
++		.index   = d->tcf_index,
++		.refcnt  = d->tcf_refcnt - ref,
++		.bindcnt = d->tcf_bindcnt - bind,
++		.action  = d->tcf_action,
++	};
+ 	struct tcf_t t;
+ 
+-	opt.index = d->tcf_index;
+-	opt.refcnt = d->tcf_refcnt - ref;
+-	opt.bindcnt = d->tcf_bindcnt - bind;
+-	opt.action = d->tcf_action;
+ 	NLA_PUT(skb, TCA_DEF_PARMS, sizeof(opt), &opt);
+ 	NLA_PUT_STRING(skb, TCA_DEF_DATA, d->tcfd_defdata);
+ 	t.install = jiffies_to_clock_t(jiffies - d->tcf_tm.install);
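Review bot: The designated initializers for `opt` in tcf_gact_dump, tcf_mirred_dump and tcf_simp_dump zero the members that are not named, but C99 does not promise that padding bytes are cleared, and `p_opt` under CONFIG_GACT_PROB names every member, so the initializer adds nothing there if that struct has a hole. The struct layouts are not visible in this patch, so whether any padding exists has to be checked against the headers. Because NLA_PUT copies `sizeof(opt)` bytes into the netlink message, `memset(&opt, 0, sizeof(opt));` followed by the member assignments is the form that defines every copied byte regardless of layout. `struct tcf_t t;` is still declared uninitialised in all three functions and filled member by member, so it deserves the same check where it is dumped. All three function bodies continue past the end of their hunks, so the later use of `t` cannot be confirmed from here.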

Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25	Sun Aug 29 20:09:43 2010	(r16218)
+++ dists/lenny/linux-2.6/debian/patches/series/25	Sun Aug 29 20:09:59 2010	(r16219)
@@ -5,3 +5,4 @@
 + features/all/e1000e/e1000e-add-support-for-the-82567LM-4-device.patch
 + features/all/e1000e/e1000e-add-support-for-82567LM-3-and-82567LF-3-ICH10.patch
 + bugfix/all/guard-page-for-stacks-that-grow-upwards.patch
++ bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch


