[kernel] r15153 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Feb 14 20:37:22 UTC 2010


Author: dannf
Date: Sun Feb 14 20:33:53 2010
New Revision: 15153

Log:
connector: Delete buggy notification code. (CVE-2010-0410)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Sun Feb 14 19:52:18 2010	(r15152)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Sun Feb 14 20:33:53 2010	(r15153)
@@ -23,6 +23,7 @@
   * netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
   * Fix several issues with mmap/mremap (CVE-2010-0291)
   * futex: Handle user space corruption gracefully (CVE-2010-0622)
+  * connector: Delete buggy notification code. (CVE-2010-0410)
 
  -- dann frazier <dannf at debian.org>  Sun, 31 Jan 2010 17:17:52 -0700
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch	Sun Feb 14 20:33:53 2010	(r15153)
@@ -0,0 +1,296 @@
+commit e09c72e130336696c983ab00e042b21abfc27d75
+Author: dann frazier <dannf at hp.com>
+Date:   Sun Feb 14 12:54:46 2010 -0700
+
+    connector: Delete buggy notification code.
+    
+    commit f98bfbd78c37c5946cc53089da32a5f741efdeb7 upstream
+
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index bf9716b..2b72d17 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -34,17 +34,6 @@ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Evgeniy Polyakov <johnpol at 2ka.mipt.ru>");
+ MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector.");
+ 
+-static u32 cn_idx = CN_IDX_CONNECTOR;
+-static u32 cn_val = CN_VAL_CONNECTOR;
+-
+-module_param(cn_idx, uint, 0);
+-module_param(cn_val, uint, 0);
+-MODULE_PARM_DESC(cn_idx, "Connector's main device idx.");
+-MODULE_PARM_DESC(cn_val, "Connector's main device val.");
+-
+-static DEFINE_MUTEX(notify_lock);
+-static LIST_HEAD(notify_list);
+-
+ static struct cn_dev cdev;
+ 
+ int cn_already_initialized = 0;
+@@ -234,54 +223,6 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ }
+ 
+ /*
+- * Notification routing.
+- *
+- * Gets id and checks if there are notification request for it's idx
+- * and val.  If there are such requests notify the listeners with the
+- * given notify event.
+- *
+- */
+-static void cn_notify(struct cb_id *id, u32 notify_event)
+-{
+-	struct cn_ctl_entry *ent;
+-
+-	mutex_lock(&notify_lock);
+-	list_for_each_entry(ent, &notify_list, notify_entry) {
+-		int i;
+-		struct cn_notify_req *req;
+-		struct cn_ctl_msg *ctl = ent->msg;
+-		int idx_found, val_found;
+-
+-		idx_found = val_found = 0;
+-
+-		req = (struct cn_notify_req *)ctl->data;
+-		for (i = 0; i < ctl->idx_notify_num; ++i, ++req) {
+-			if (id->idx >= req->first && 
+-					id->idx < req->first + req->range) {
+-				idx_found = 1;
+-				break;
+-			}
+-		}
+-
+-		for (i = 0; i < ctl->val_notify_num; ++i, ++req) {
+-			if (id->val >= req->first && 
+-					id->val < req->first + req->range) {
+-				val_found = 1;
+-				break;
+-			}
+-		}
+-
+-		if (idx_found && val_found) {
+-			struct cn_msg m = { .ack = notify_event, };
+-
+-			memcpy(&m.id, id, sizeof(m.id));
+-			cn_netlink_send(&m, ctl->group, GFP_KERNEL);
+-		}
+-	}
+-	mutex_unlock(&notify_lock);
+-}
+-
+-/*
+  * Callback add routing - adds callback with given ID and name.
+  * If there is registered callback with the same ID it will not be added.
+  *
+@@ -299,8 +240,6 @@ int cn_add_callback(struct cb_id *id, char *name, void (*callback)(void *))
+ 	if (err)
+ 		return err;
+ 
+-	cn_notify(id, 0);
+-
+ 	return 0;
+ }
+ EXPORT_SYMBOL_GPL(cn_add_callback);
+@@ -318,120 +257,14 @@ void cn_del_callback(struct cb_id *id)
+ 	struct cn_dev *dev = &cdev;
+ 
+ 	cn_queue_del_callback(dev->cbdev, id);
+-	cn_notify(id, 1);
+ }
+ EXPORT_SYMBOL_GPL(cn_del_callback);
+ 
+-/*
+- * Checks two connector's control messages to be the same.
+- * Returns 1 if they are the same or if the first one is corrupted.
+- */
+-static int cn_ctl_msg_equals(struct cn_ctl_msg *m1, struct cn_ctl_msg *m2)
+-{
+-	int i;
+-	struct cn_notify_req *req1, *req2;
+-
+-	if (m1->idx_notify_num != m2->idx_notify_num)
+-		return 0;
+-
+-	if (m1->val_notify_num != m2->val_notify_num)
+-		return 0;
+-
+-	if (m1->len != m2->len)
+-		return 0;
+-
+-	if ((m1->idx_notify_num + m1->val_notify_num) * sizeof(*req1) !=
+-	    m1->len)
+-		return 1;
+-
+-	req1 = (struct cn_notify_req *)m1->data;
+-	req2 = (struct cn_notify_req *)m2->data;
+-
+-	for (i = 0; i < m1->idx_notify_num; ++i) {
+-		if (req1->first != req2->first || req1->range != req2->range)
+-			return 0;
+-		req1++;
+-		req2++;
+-	}
+-
+-	for (i = 0; i < m1->val_notify_num; ++i) {
+-		if (req1->first != req2->first || req1->range != req2->range)
+-			return 0;
+-		req1++;
+-		req2++;
+-	}
+-
+-	return 1;
+-}
+-
+-/*
+- * Main connector device's callback.
+- *
+- * Used for notification of a request's processing.
+- */
+-static void cn_callback(void *data)
+-{
+-	struct cn_msg *msg = data;
+-	struct cn_ctl_msg *ctl;
+-	struct cn_ctl_entry *ent;
+-	u32 size;
+-
+-	if (msg->len < sizeof(*ctl))
+-		return;
+-
+-	ctl = (struct cn_ctl_msg *)msg->data;
+-
+-	size = (sizeof(*ctl) + ((ctl->idx_notify_num +
+-				 ctl->val_notify_num) *
+-				sizeof(struct cn_notify_req)));
+-
+-	if (msg->len != size)
+-		return;
+-
+-	if (ctl->len + sizeof(*ctl) != msg->len)
+-		return;
+-
+-	/*
+-	 * Remove notification.
+-	 */
+-	if (ctl->group == 0) {
+-		struct cn_ctl_entry *n;
+-
+-		mutex_lock(&notify_lock);
+-		list_for_each_entry_safe(ent, n, &notify_list, notify_entry) {
+-			if (cn_ctl_msg_equals(ent->msg, ctl)) {
+-				list_del(&ent->notify_entry);
+-				kfree(ent);
+-			}
+-		}
+-		mutex_unlock(&notify_lock);
+-
+-		return;
+-	}
+-
+-	size += sizeof(*ent);
+-
+-	ent = kzalloc(size, GFP_KERNEL);
+-	if (!ent)
+-		return;
+-
+-	ent->msg = (struct cn_ctl_msg *)(ent + 1);
+-
+-	memcpy(ent->msg, ctl, size - sizeof(*ent));
+-
+-	mutex_lock(&notify_lock);
+-	list_add(&ent->notify_entry, &notify_list);
+-	mutex_unlock(&notify_lock);
+-}
+-
+ static int __devinit cn_init(void)
+ {
+ 	struct cn_dev *dev = &cdev;
+-	int err;
+ 
+ 	dev->input = cn_rx_skb;
+-	dev->id.idx = cn_idx;
+-	dev->id.val = cn_val;
+ 
+ 	dev->nls = netlink_kernel_create(&init_net, NETLINK_CONNECTOR,
+ 					 CN_NETLINK_USERS + 0xf,
+@@ -448,15 +281,6 @@ static int __devinit cn_init(void)
+ 	
+ 	cn_already_initialized = 1;
+ 
+-	err = cn_add_callback(&dev->id, "connector", &cn_callback);
+-	if (err) {
+-		cn_already_initialized = 0;
+-		cn_queue_free_dev(dev->cbdev);
+-		if (dev->nls->sk_socket)
+-			sock_release(dev->nls->sk_socket);
+-		return -EINVAL;
+-	}
+-
+ 	return 0;
+ }
+ 
+@@ -466,7 +290,6 @@ static void __devexit cn_fini(void)
+ 
+ 	cn_already_initialized = 0;
+ 
+-	cn_del_callback(&dev->id);
+ 	cn_queue_free_dev(dev->cbdev);
+ 	if (dev->nls->sk_socket)
+ 		sock_release(dev->nls->sk_socket);
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 13fc454..632c608 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -24,9 +24,6 @@
+ 
+ #include <asm/types.h>
+ 
+-#define CN_IDX_CONNECTOR		0xffffffff
+-#define CN_VAL_CONNECTOR		0xffffffff
+-
+ /*
+  * Process Events connector unique ids -- used for message routing
+  */
+@@ -68,30 +65,6 @@ struct cn_msg {
+ 	__u8 data[0];
+ };
+ 
+-/*
+- * Notify structure - requests notification about
+- * registering/unregistering idx/val in range [first, first+range].
+- */
+-struct cn_notify_req {
+-	__u32 first;
+-	__u32 range;
+-};
+-
+-/*
+- * Main notification control message
+- * *_notify_num 	- number of appropriate cn_notify_req structures after 
+- *				this struct.
+- * group 		- notification receiver's idx.
+- * len 			- total length of the attached data.
+- */
+-struct cn_ctl_msg {
+-	__u32 idx_notify_num;
+-	__u32 val_notify_num;
+-	__u32 group;
+-	__u32 len;
+-	__u8 data[0];
+-};
+-
+ #ifdef __KERNEL__
+ 
+ #include <asm/atomic.h>
+@@ -144,11 +117,6 @@ struct cn_callback_entry {
+ 	struct sock *nls;
+ };
+ 
+-struct cn_ctl_entry {
+-	struct list_head notify_entry;
+-	struct cn_ctl_msg *msg;
+-};
+-
+ struct cn_dev {
+ 	struct cb_id id;
+ 
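Review bot: The patch header (the `commit e09c72e…` block at the top of the new file) names the upstream commit but does not say what was wrong or which CVE this backport closes, so anyone auditing the etch kernel has to go upstream to learn why the code was removed. In the removed lines, cn_callback() kzalloc'd a cn_ctl_entry and linked it onto notify_list for every well-formed control message with a nonzero group, with no cap on the list and no privilege check visible in this hunk, which looks like the defect being deleted. I would add a line to the header such as `CVE-2010-0410: cn_callback() queued an unbounded number of notify_list entries on request; remove the notification feature.` Separately, struct cn_notify_req, struct cn_ctl_msg and CN_IDX_CONNECTOR/CN_VAL_CONNECTOR are removed from the part of include/linux/connector.h above `#ifdef __KERNEL__`, and the cn_idx/cn_val module parameters disappear, so the changelog entry should mention that userspace sources or module options referring to them stop working after this update.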

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Sun Feb 14 19:52:18 2010	(r15152)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Sun Feb 14 20:33:53 2010	(r15153)
@@ -19,3 +19,4 @@
 + bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
 + bugfix/all/untangle-the-do_mremap-mess.patch
 + bugfix/all/futex-handle-user-space-corruption-gracefully.patch
++ bugfix/all/connector-delete-buggy-notification-code.patch


