[kernel] r16219 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Aug 29 20:10:05 UTC 2010
Author: dannf
Date: Sun Aug 29 20:09:59 2010
New Revision: 16219
Log:
net sched: fix some kernel memory leaks (CVE-2010-2942)
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/25
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Sun Aug 29 20:09:43 2010 (r16218)
+++ dists/lenny/linux-2.6/debian/changelog Sun Aug 29 20:09:59 2010 (r16219)
@@ -13,6 +13,7 @@
[ dann frazier ]
* Add guard page for stacks that grow up, an additional fix for
CVE-2010-2240
+ * net sched: fix some kernel memory leaks (CVE-2010-2942)
-- Ben Hutchings <ben at decadent.org.uk> Fri, 02 Jul 2010 01:36:02 +0100
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch Sun Aug 29 20:09:59 2010 (r16219)
@@ -0,0 +1,106 @@
+commit 502718d1a8a4013898524be66ebec58102cb50ed
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Mon Aug 16 20:04:22 2010 +0000
+
+ net sched: fix some kernel memory leaks
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ We leak at least 32bits of kernel memory to user land in tc dump,
+ because we dont init all fields (capab ?) of the dumped structure.
+
+ Use C99 initializers so that holes and non explicit fields are zeroed.
+
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
+index 422872c..297cddd 100644
+--- a/net/sched/act_gact.c
++++ b/net/sched/act_gact.c
+@@ -152,21 +152,24 @@ static int tcf_gact(struct sk_buff *skb, struct tc_action *a, struct tcf_result
+ static int tcf_gact_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+- struct tc_gact opt;
+ struct tcf_gact *gact = a->priv;
++ struct tc_gact opt = {
++ .index = gact->tcf_index,
++ .refcnt = gact->tcf_refcnt - ref,
++ .bindcnt = gact->tcf_bindcnt - bind,
++ .action = gact->tcf_action,
++ };
+ struct tcf_t t;
+
+- opt.index = gact->tcf_index;
+- opt.refcnt = gact->tcf_refcnt - ref;
+- opt.bindcnt = gact->tcf_bindcnt - bind;
+- opt.action = gact->tcf_action;
+ NLA_PUT(skb, TCA_GACT_PARMS, sizeof(opt), &opt);
+ #ifdef CONFIG_GACT_PROB
+ if (gact->tcfg_ptype) {
+- struct tc_gact_p p_opt;
+- p_opt.paction = gact->tcfg_paction;
+- p_opt.pval = gact->tcfg_pval;
+- p_opt.ptype = gact->tcfg_ptype;
++ struct tc_gact_p p_opt = {
++ .paction = gact->tcfg_paction,
++ .pval = gact->tcfg_pval,
++ .ptype = gact->tcfg_ptype,
++ };
++
+ NLA_PUT(skb, TCA_GACT_PROB, sizeof(p_opt), &p_opt);
+ }
+ #endif
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index 1aff005..4d50b93 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -205,15 +205,16 @@ static int tcf_mirred_dump(struct sk_buff *skb, struct tc_action *a, int bind, i
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_mirred *m = a->priv;
+- struct tc_mirred opt;
++ struct tc_mirred opt = {
++ .index = m->tcf_index,
++ .action = m->tcf_action,
++ .refcnt = m->tcf_refcnt - ref,
++ .bindcnt = m->tcf_bindcnt - bind,
++ .eaction = m->tcfm_eaction,
++ .ifindex = m->tcfm_ifindex,
++ };
+ struct tcf_t t;
+
+- opt.index = m->tcf_index;
+- opt.action = m->tcf_action;
+- opt.refcnt = m->tcf_refcnt - ref;
+- opt.bindcnt = m->tcf_bindcnt - bind;
+- opt.eaction = m->tcfm_eaction;
+- opt.ifindex = m->tcfm_ifindex;
+ NLA_PUT(skb, TCA_MIRRED_PARMS, sizeof(opt), &opt);
+ t.install = jiffies_to_clock_t(jiffies - m->tcf_tm.install);
+ t.lastuse = jiffies_to_clock_t(jiffies - m->tcf_tm.lastuse);
+diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
+index 1d421d0..1373c2c 100644
+--- a/net/sched/act_simple.c
++++ b/net/sched/act_simple.c
+@@ -163,13 +163,14 @@ static inline int tcf_simp_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_defact *d = a->priv;
+- struct tc_defact opt;
++ struct tc_defact opt = {
++ .index = d->tcf_index,
++ .refcnt = d->tcf_refcnt - ref,
++ .bindcnt = d->tcf_bindcnt - bind,
++ .action = d->tcf_action,
++ };
+ struct tcf_t t;
+
+- opt.index = d->tcf_index;
+- opt.refcnt = d->tcf_refcnt - ref;
+- opt.bindcnt = d->tcf_bindcnt - bind;
+- opt.action = d->tcf_action;
+ NLA_PUT(skb, TCA_DEF_PARMS, sizeof(opt), &opt);
+ NLA_PUT_STRING(skb, TCA_DEF_DATA, d->tcfd_defdata);
+ t.install = jiffies_to_clock_t(jiffies - d->tcf_tm.install);
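Review bot: The designated initializers for `opt` in tcf_gact_dump, tcf_mirred_dump and tcf_simp_dump (and `p_opt` in tcf_gact_dump) zero the members that are not named, but C99 does not promise that padding bytes inside the struct are cleared, so the commit message's claim about "holes" holds only if the struct has no padding or the compiler happens to zero it. The struct definitions are not shown here, so this needs confirming against the headers; where padding exists, keeping the plain declaration and adding `memset(&opt, 0, sizeof(opt));` before the field assignments clears every byte that NLA_PUT copies out. `struct tcf_t t;` is still declared without an initializer in all three functions, and its assignments run past the end of the visible context, so it is worth checking that every field is set before it is put into the message. A regression check that dumps each action and verifies the unset bytes of the returned attribute are zero would catch a reintroduction.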
Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25 Sun Aug 29 20:09:43 2010 (r16218)
+++ dists/lenny/linux-2.6/debian/patches/series/25 Sun Aug 29 20:09:59 2010 (r16219)
@@ -5,3 +5,4 @@
+ features/all/e1000e/e1000e-add-support-for-the-82567LM-4-device.patch
+ features/all/e1000e/e1000e-add-support-for-82567LM-3-and-82567LF-3-ICH10.patch
+ bugfix/all/guard-page-for-stacks-that-grow-upwards.patch
++ bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch