[kernel] r16613 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 2 13:33:36 UTC 2010
Author: dannf
Date: Thu Dec 2 13:33:31 2010
New Revision: 16613
Log:
filter: make sure filters dont read uninitialized memory (CVE-2010-4158)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified:
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Dec 1 01:14:27 2010 (r16612)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Dec 2 13:33:31 2010 (r16613)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.26-26lenny2) UNRELEASED; urgency=high
+
+ * filter: make sure filters dont read uninitialized memory (CVE-2010-4158)
+
+ -- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
+
linux-2.6 (2.6.26-26lenny1) stable-security; urgency=high
* net sched: fix kernel leak in act_police (CVE-2010-3477)
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch Thu Dec 2 13:33:31 2010 (r16613)
@@ -0,0 +1,232 @@
+commit 11e32a1db45790296123d8b5cbd8f98665c982da
+Author: David S. Miller <davem at davemloft.net>
+Date: Wed Nov 10 10:38:24 2010 -0800
+
+ filter: make sure filters dont read uninitialized memory
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ There is a possibility malicious users can get limited information about
+ uninitialized stack mem array. Even if sk_run_filter() result is bound
+ to packet length (0 .. 65535), we could imagine this can be used by
+ hostile user.
+
+ Initializing mem[] array, like Dan Rosenberg suggested in his patch is
+ expensive since most filters dont even use this array.
+
+ Its hard to make the filter validation in sk_chk_filter(), because of
+ the jumps. This might be done later.
+
+ In this patch, I use a bitmap (a single long var) so that only filters
+ using mem[] loads/stores pay the price of added security checks.
+
+ For other filters, additional cost is a single instruction.
+
+ [ Since we access fentry->k a lot now, cache it in a local variable
+ and mark filter entry pointer as const. -DaveM ]
+
+ Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index df37443..506a7d1 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -111,39 +111,41 @@ EXPORT_SYMBOL(sk_filter);
+ */
+ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
+ {
+- struct sock_filter *fentry; /* We walk down these */
+ void *ptr;
+ u32 A = 0; /* Accumulator */
+ u32 X = 0; /* Index Register */
+ u32 mem[BPF_MEMWORDS]; /* Scratch Memory Store */
++ unsigned long memvalid = 0;
+ u32 tmp;
+ int k;
+ int pc;
+
++ BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG);
+ /*
+ * Process array of filter instructions.
+ */
+ for (pc = 0; pc < flen; pc++) {
+- fentry = &filter[pc];
++ const struct sock_filter *fentry = &filter[pc];
++ u32 f_k = fentry->k;
+
+ switch (fentry->code) {
+ case BPF_ALU|BPF_ADD|BPF_X:
+ A += X;
+ continue;
+ case BPF_ALU|BPF_ADD|BPF_K:
+- A += fentry->k;
++ A += f_k;
+ continue;
+ case BPF_ALU|BPF_SUB|BPF_X:
+ A -= X;
+ continue;
+ case BPF_ALU|BPF_SUB|BPF_K:
+- A -= fentry->k;
++ A -= f_k;
+ continue;
+ case BPF_ALU|BPF_MUL|BPF_X:
+ A *= X;
+ continue;
+ case BPF_ALU|BPF_MUL|BPF_K:
+- A *= fentry->k;
++ A *= f_k;
+ continue;
+ case BPF_ALU|BPF_DIV|BPF_X:
+ if (X == 0)
+@@ -151,49 +153,49 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
+ A /= X;
+ continue;
+ case BPF_ALU|BPF_DIV|BPF_K:
+- A /= fentry->k;
++ A /= f_k;
+ continue;
+ case BPF_ALU|BPF_AND|BPF_X:
+ A &= X;
+ continue;
+ case BPF_ALU|BPF_AND|BPF_K:
+- A &= fentry->k;
++ A &= f_k;
+ continue;
+ case BPF_ALU|BPF_OR|BPF_X:
+ A |= X;
+ continue;
+ case BPF_ALU|BPF_OR|BPF_K:
+- A |= fentry->k;
++ A |= f_k;
+ continue;
+ case BPF_ALU|BPF_LSH|BPF_X:
+ A <<= X;
+ continue;
+ case BPF_ALU|BPF_LSH|BPF_K:
+- A <<= fentry->k;
++ A <<= f_k;
+ continue;
+ case BPF_ALU|BPF_RSH|BPF_X:
+ A >>= X;
+ continue;
+ case BPF_ALU|BPF_RSH|BPF_K:
+- A >>= fentry->k;
++ A >>= f_k;
+ continue;
+ case BPF_ALU|BPF_NEG:
+ A = -A;
+ continue;
+ case BPF_JMP|BPF_JA:
+- pc += fentry->k;
++ pc += f_k;
+ continue;
+ case BPF_JMP|BPF_JGT|BPF_K:
+- pc += (A > fentry->k) ? fentry->jt : fentry->jf;
++ pc += (A > f_k) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_JMP|BPF_JGE|BPF_K:
+- pc += (A >= fentry->k) ? fentry->jt : fentry->jf;
++ pc += (A >= f_k) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_JMP|BPF_JEQ|BPF_K:
+- pc += (A == fentry->k) ? fentry->jt : fentry->jf;
++ pc += (A == f_k) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_JMP|BPF_JSET|BPF_K:
+- pc += (A & fentry->k) ? fentry->jt : fentry->jf;
++ pc += (A & f_k) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_JMP|BPF_JGT|BPF_X:
+ pc += (A > X) ? fentry->jt : fentry->jf;
+@@ -208,7 +210,7 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
+ pc += (A & X) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_LD|BPF_W|BPF_ABS:
+- k = fentry->k;
++ k = f_k;
+ load_w:
+ ptr = load_pointer(skb, k, 4, &tmp);
+ if (ptr != NULL) {
+@@ -217,7 +219,7 @@ load_w:
+ }
+ break;
+ case BPF_LD|BPF_H|BPF_ABS:
+- k = fentry->k;
++ k = f_k;
+ load_h:
+ ptr = load_pointer(skb, k, 2, &tmp);
+ if (ptr != NULL) {
+@@ -226,7 +228,7 @@ load_h:
+ }
+ break;
+ case BPF_LD|BPF_B|BPF_ABS:
+- k = fentry->k;
++ k = f_k;
+ load_b:
+ ptr = load_pointer(skb, k, 1, &tmp);
+ if (ptr != NULL) {
+@@ -241,32 +243,34 @@ load_b:
+ X = skb->len;
+ continue;
+ case BPF_LD|BPF_W|BPF_IND:
+- k = X + fentry->k;
++ k = X + f_k;
+ goto load_w;
+ case BPF_LD|BPF_H|BPF_IND:
+- k = X + fentry->k;
++ k = X + f_k;
+ goto load_h;
+ case BPF_LD|BPF_B|BPF_IND:
+- k = X + fentry->k;
++ k = X + f_k;
+ goto load_b;
+ case BPF_LDX|BPF_B|BPF_MSH:
+- ptr = load_pointer(skb, fentry->k, 1, &tmp);
++ ptr = load_pointer(skb, f_k, 1, &tmp);
+ if (ptr != NULL) {
+ X = (*(u8 *)ptr & 0xf) << 2;
+ continue;
+ }
+ return 0;
+ case BPF_LD|BPF_IMM:
+- A = fentry->k;
++ A = f_k;
+ continue;
+ case BPF_LDX|BPF_IMM:
+- X = fentry->k;
++ X = f_k;
+ continue;
+ case BPF_LD|BPF_MEM:
+- A = mem[fentry->k];
++ A = (memvalid & (1UL << f_k)) ?
++ mem[f_k] : 0;
+ continue;
+ case BPF_LDX|BPF_MEM:
+- X = mem[fentry->k];
++ X = (memvalid & (1UL << f_k)) ?
++ mem[f_k] : 0;
+ continue;
+ case BPF_MISC|BPF_TAX:
+ X = A;
+@@ -275,14 +279,16 @@ load_b:
+ A = X;
+ continue;
+ case BPF_RET|BPF_K:
+- return fentry->k;
++ return f_k;
+ case BPF_RET|BPF_A:
+ return A;
+ case BPF_ST:
+- mem[fentry->k] = A;
++ memvalid |= 1UL << f_k;
++ mem[f_k] = A;
+ continue;
+ case BPF_STX:
+- mem[fentry->k] = X;
++ memvalid |= 1UL << f_k;
++ mem[f_k] = X;
+ continue;
+ default:
+ WARN_ON(1);
Added: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Thu Dec 2 13:33:31 2010 (r16613)
@@ -0,0 +1 @@
++ bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
More information about the Kernel-svn-changes
mailing list