[kernel] r15129 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Fri Feb 5 03:47:35 UTC 2010

Author: dannf
Date: Fri Feb  5 03:47:33 2010
New Revision: 15129

Log:
connector: Delete buggy notification code. (CVE-2010-0410)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
      - copied, changed from r15128, dists/trunk/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/21lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================

--- dists/lenny-security/linux-2.6/debian/changelog	Fri Feb  5 03:30:28 2010	(r15128)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Feb  5 03:47:33 2010	(r15129)
@@ -2,6 +2,7 @@
 
   * Additional fixes for CVE-2010-0307
   * KVM: PIT: control word is write-only (CVE-2010-0309)
+  * connector: Delete buggy notification code. (CVE-2010-0410)
 
  -- dann frazier <dannf at debian.org>  Thu, 04 Feb 2010 17:43:31 -0700
 

Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch (from r15128, dists/trunk/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch)
==============================================================================
--- dists/trunk/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch	Fri Feb  5 03:30:28 2010	(r15128, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch	Fri Feb  5 03:47:33 2010	(r15129)
@@ -38,10 +38,13 @@
  include/linux/connector.h     |   32 -------
  2 files changed, 207 deletions(-)
 
---- a/drivers/connector/connector.c
-+++ b/drivers/connector/connector.c
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/connector/connector.c linux-source-2.6.26/drivers/connector/connector.c
+--- linux-source-2.6.26.orig/drivers/connector/connector.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/connector/connector.c	2010-02-04 20:33:57.000000000 -0700
 @@ -36,17 +36,6 @@ MODULE_LICENSE("GPL");
- MODULE_AUTHOR("Evgeniy Polyakov <zbr at ioremap.net>");
+ MODULE_AUTHOR("Evgeniy Polyakov <johnpol at 2ka.mipt.ru>");
  MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector.");
  
 -static u32 cn_idx = CN_IDX_CONNECTOR;
@@ -58,7 +61,7 @@
  static struct cn_dev cdev;
  
  static int cn_already_initialized;
-@@ -210,54 +199,6 @@ static void cn_rx_skb(struct sk_buff *__
+@@ -215,54 +204,6 @@ static void cn_rx_skb(struct sk_buff *__
  }
  
  /*
@@ -84,7 +87,7 @@
 -
 -		req = (struct cn_notify_req *)ctl->data;
 -		for (i = 0; i < ctl->idx_notify_num; ++i, ++req) {
--			if (id->idx >= req->first &&
+-			if (id->idx >= req->first && 
 -					id->idx < req->first + req->range) {
 -				idx_found = 1;
 -				break;
@@ -92,7 +95,7 @@
 -		}
 -
 -		for (i = 0; i < ctl->val_notify_num; ++i, ++req) {
--			if (id->val >= req->first &&
+-			if (id->val >= req->first && 
 -					id->val < req->first + req->range) {
 -				val_found = 1;
 -				break;
@@ -113,7 +116,7 @@
   * Callback add routing - adds callback with given ID and name.
   * If there is registered callback with the same ID it will not be added.
   *
-@@ -276,8 +217,6 @@ int cn_add_callback(struct cb_id *id, ch
+@@ -280,8 +221,6 @@ int cn_add_callback(struct cb_id *id, ch
  	if (err)
  		return err;
  
@@ -122,7 +125,7 @@
  	return 0;
  }
  EXPORT_SYMBOL_GPL(cn_add_callback);
-@@ -295,111 +234,9 @@ void cn_del_callback(struct cb_id *id)
+@@ -299,112 +238,9 @@ void cn_del_callback(struct cb_id *id)
  	struct cn_dev *dev = &cdev;
  
  	cn_queue_del_callback(dev->cbdev, id);
@@ -177,8 +180,9 @@
 - *
 - * Used for notification of a request's processing.
 - */
--static void cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+-static void cn_callback(void *data)
 -{
+-	struct cn_msg *msg = data;
 -	struct cn_ctl_msg *ctl;
 -	struct cn_ctl_entry *ent;
 -	u32 size;
@@ -234,7 +238,7 @@
  static int cn_proc_show(struct seq_file *m, void *v)
  {
  	struct cn_queue_dev *dev = cdev.cbdev;
-@@ -437,11 +274,8 @@ static const struct file_operations cn_f
+@@ -442,11 +278,8 @@ static const struct file_operations cn_f
  static int __devinit cn_init(void)
  {
  	struct cn_dev *dev = &cdev;
@@ -246,8 +250,8 @@
  
  	dev->nls = netlink_kernel_create(&init_net, NETLINK_CONNECTOR,
  					 CN_NETLINK_USERS + 0xf,
-@@ -457,14 +291,6 @@ static int __devinit cn_init(void)
- 
+@@ -462,14 +295,6 @@ static int __devinit cn_init(void)
+ 	
  	cn_already_initialized = 1;
  
 -	err = cn_add_callback(&dev->id, "connector", &cn_callback);
@@ -261,7 +265,7 @@
  	proc_net_fops_create(&init_net, "connector", S_IRUGO, &cn_file_ops);
  
  	return 0;
-@@ -478,7 +304,6 @@ static void __devexit cn_fini(void)
+@@ -483,7 +308,6 @@ static void __devexit cn_fini(void)
  
  	proc_net_remove(&init_net, "connector");
  
@@ -269,11 +273,12 @@
  	cn_queue_free_dev(dev->cbdev);
  	netlink_kernel_release(dev->nls);
  }
---- a/include/linux/connector.h
-+++ b/include/linux/connector.h
+diff -urpN linux-source-2.6.26.orig/include/linux/connector.h linux-source-2.6.26/include/linux/connector.h
+--- linux-source-2.6.26.orig/include/linux/connector.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/connector.h	2010-02-04 20:31:20.000000000 -0700
 @@ -24,9 +24,6 @@
  
- #include <linux/types.h>
+ #include <asm/types.h>
  
 -#define CN_IDX_CONNECTOR		0xffffffff
 -#define CN_VAL_CONNECTOR		0xffffffff
@@ -281,7 +286,7 @@
  /*
   * Process Events connector unique ids -- used for message routing
   */
-@@ -73,30 +70,6 @@ struct cn_msg {
+@@ -68,30 +65,6 @@ struct cn_msg {
  	__u8 data[0];
  };
  
@@ -312,7 +317,7 @@
  #ifdef __KERNEL__
  
  #include <asm/atomic.h>
-@@ -149,11 +122,6 @@ struct cn_callback_entry {
+@@ -141,11 +114,6 @@ struct cn_callback_entry {
  	u32 seq, group;
  };
  

Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny3	Fri Feb  5 03:30:28 2010	(r15128)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny3	Fri Feb  5 03:47:33 2010	(r15129)
@@ -2,3 +2,4 @@
 + bugfix/powerpc/powerpc-tif_abi_pending-bit-removal.patch
 + bugfix/sparc/sparc-tif_abi_pending-bit-removal.patch
 + bugfix/x86/kvm-pit-control-word-is-write-only.patch
++ bugfix/all/connector-delete-buggy-notification-code.patch

