[kernel] r15153 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Feb 14 20:37:22 UTC 2010
Author: dannf
Date: Sun Feb 14 20:33:53 2010
New Revision: 15153
Log:
connector: Delete buggy notification code. (CVE-2010-0410)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog Sun Feb 14 19:52:18 2010 (r15152)
+++ dists/etch-security/linux-2.6.24/debian/changelog Sun Feb 14 20:33:53 2010 (r15153)
@@ -23,6 +23,7 @@
* netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
* Fix several issues with mmap/mremap (CVE-2010-0291)
* futex: Handle user space corruption gracefully (CVE-2010-0622)
+ * connector: Delete buggy notification code. (CVE-2010-0410)
-- dann frazier <dannf at debian.org> Sun, 31 Jan 2010 17:17:52 -0700
Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch Sun Feb 14 20:33:53 2010 (r15153)
@@ -0,0 +1,296 @@
+commit e09c72e130336696c983ab00e042b21abfc27d75
+Author: dann frazier <dannf at hp.com>
+Date: Sun Feb 14 12:54:46 2010 -0700
+
+ connector: Delete buggy notification code.
+
+ commit f98bfbd78c37c5946cc53089da32a5f741efdeb7 upstream
+
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index bf9716b..2b72d17 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -34,17 +34,6 @@ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Evgeniy Polyakov <johnpol at 2ka.mipt.ru>");
+ MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector.");
+
+-static u32 cn_idx = CN_IDX_CONNECTOR;
+-static u32 cn_val = CN_VAL_CONNECTOR;
+-
+-module_param(cn_idx, uint, 0);
+-module_param(cn_val, uint, 0);
+-MODULE_PARM_DESC(cn_idx, "Connector's main device idx.");
+-MODULE_PARM_DESC(cn_val, "Connector's main device val.");
+-
+-static DEFINE_MUTEX(notify_lock);
+-static LIST_HEAD(notify_list);
+-
+ static struct cn_dev cdev;
+
+ int cn_already_initialized = 0;
+@@ -234,54 +223,6 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ }
+
+ /*
+- * Notification routing.
+- *
+- * Gets id and checks if there are notification request for it's idx
+- * and val. If there are such requests notify the listeners with the
+- * given notify event.
+- *
+- */
+-static void cn_notify(struct cb_id *id, u32 notify_event)
+-{
+- struct cn_ctl_entry *ent;
+-
+- mutex_lock(¬ify_lock);
+- list_for_each_entry(ent, ¬ify_list, notify_entry) {
+- int i;
+- struct cn_notify_req *req;
+- struct cn_ctl_msg *ctl = ent->msg;
+- int idx_found, val_found;
+-
+- idx_found = val_found = 0;
+-
+- req = (struct cn_notify_req *)ctl->data;
+- for (i = 0; i < ctl->idx_notify_num; ++i, ++req) {
+- if (id->idx >= req->first &&
+- id->idx < req->first + req->range) {
+- idx_found = 1;
+- break;
+- }
+- }
+-
+- for (i = 0; i < ctl->val_notify_num; ++i, ++req) {
+- if (id->val >= req->first &&
+- id->val < req->first + req->range) {
+- val_found = 1;
+- break;
+- }
+- }
+-
+- if (idx_found && val_found) {
+- struct cn_msg m = { .ack = notify_event, };
+-
+- memcpy(&m.id, id, sizeof(m.id));
+- cn_netlink_send(&m, ctl->group, GFP_KERNEL);
+- }
+- }
+- mutex_unlock(¬ify_lock);
+-}
+-
+-/*
+ * Callback add routing - adds callback with given ID and name.
+ * If there is registered callback with the same ID it will not be added.
+ *
+@@ -299,8 +240,6 @@ int cn_add_callback(struct cb_id *id, char *name, void (*callback)(void *))
+ if (err)
+ return err;
+
+- cn_notify(id, 0);
+-
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(cn_add_callback);
+@@ -318,120 +257,14 @@ void cn_del_callback(struct cb_id *id)
+ struct cn_dev *dev = &cdev;
+
+ cn_queue_del_callback(dev->cbdev, id);
+- cn_notify(id, 1);
+ }
+ EXPORT_SYMBOL_GPL(cn_del_callback);
+
+-/*
+- * Checks two connector's control messages to be the same.
+- * Returns 1 if they are the same or if the first one is corrupted.
+- */
+-static int cn_ctl_msg_equals(struct cn_ctl_msg *m1, struct cn_ctl_msg *m2)
+-{
+- int i;
+- struct cn_notify_req *req1, *req2;
+-
+- if (m1->idx_notify_num != m2->idx_notify_num)
+- return 0;
+-
+- if (m1->val_notify_num != m2->val_notify_num)
+- return 0;
+-
+- if (m1->len != m2->len)
+- return 0;
+-
+- if ((m1->idx_notify_num + m1->val_notify_num) * sizeof(*req1) !=
+- m1->len)
+- return 1;
+-
+- req1 = (struct cn_notify_req *)m1->data;
+- req2 = (struct cn_notify_req *)m2->data;
+-
+- for (i = 0; i < m1->idx_notify_num; ++i) {
+- if (req1->first != req2->first || req1->range != req2->range)
+- return 0;
+- req1++;
+- req2++;
+- }
+-
+- for (i = 0; i < m1->val_notify_num; ++i) {
+- if (req1->first != req2->first || req1->range != req2->range)
+- return 0;
+- req1++;
+- req2++;
+- }
+-
+- return 1;
+-}
+-
+-/*
+- * Main connector device's callback.
+- *
+- * Used for notification of a request's processing.
+- */
+-static void cn_callback(void *data)
+-{
+- struct cn_msg *msg = data;
+- struct cn_ctl_msg *ctl;
+- struct cn_ctl_entry *ent;
+- u32 size;
+-
+- if (msg->len < sizeof(*ctl))
+- return;
+-
+- ctl = (struct cn_ctl_msg *)msg->data;
+-
+- size = (sizeof(*ctl) + ((ctl->idx_notify_num +
+- ctl->val_notify_num) *
+- sizeof(struct cn_notify_req)));
+-
+- if (msg->len != size)
+- return;
+-
+- if (ctl->len + sizeof(*ctl) != msg->len)
+- return;
+-
+- /*
+- * Remove notification.
+- */
+- if (ctl->group == 0) {
+- struct cn_ctl_entry *n;
+-
+- mutex_lock(¬ify_lock);
+- list_for_each_entry_safe(ent, n, ¬ify_list, notify_entry) {
+- if (cn_ctl_msg_equals(ent->msg, ctl)) {
+- list_del(&ent->notify_entry);
+- kfree(ent);
+- }
+- }
+- mutex_unlock(¬ify_lock);
+-
+- return;
+- }
+-
+- size += sizeof(*ent);
+-
+- ent = kzalloc(size, GFP_KERNEL);
+- if (!ent)
+- return;
+-
+- ent->msg = (struct cn_ctl_msg *)(ent + 1);
+-
+- memcpy(ent->msg, ctl, size - sizeof(*ent));
+-
+- mutex_lock(¬ify_lock);
+- list_add(&ent->notify_entry, ¬ify_list);
+- mutex_unlock(¬ify_lock);
+-}
+-
+ static int __devinit cn_init(void)
+ {
+ struct cn_dev *dev = &cdev;
+- int err;
+
+ dev->input = cn_rx_skb;
+- dev->id.idx = cn_idx;
+- dev->id.val = cn_val;
+
+ dev->nls = netlink_kernel_create(&init_net, NETLINK_CONNECTOR,
+ CN_NETLINK_USERS + 0xf,
+@@ -448,15 +281,6 @@ static int __devinit cn_init(void)
+
+ cn_already_initialized = 1;
+
+- err = cn_add_callback(&dev->id, "connector", &cn_callback);
+- if (err) {
+- cn_already_initialized = 0;
+- cn_queue_free_dev(dev->cbdev);
+- if (dev->nls->sk_socket)
+- sock_release(dev->nls->sk_socket);
+- return -EINVAL;
+- }
+-
+ return 0;
+ }
+
+@@ -466,7 +290,6 @@ static void __devexit cn_fini(void)
+
+ cn_already_initialized = 0;
+
+- cn_del_callback(&dev->id);
+ cn_queue_free_dev(dev->cbdev);
+ if (dev->nls->sk_socket)
+ sock_release(dev->nls->sk_socket);
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 13fc454..632c608 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -24,9 +24,6 @@
+
+ #include <asm/types.h>
+
+-#define CN_IDX_CONNECTOR 0xffffffff
+-#define CN_VAL_CONNECTOR 0xffffffff
+-
+ /*
+ * Process Events connector unique ids -- used for message routing
+ */
+@@ -68,30 +65,6 @@ struct cn_msg {
+ __u8 data[0];
+ };
+
+-/*
+- * Notify structure - requests notification about
+- * registering/unregistering idx/val in range [first, first+range].
+- */
+-struct cn_notify_req {
+- __u32 first;
+- __u32 range;
+-};
+-
+-/*
+- * Main notification control message
+- * *_notify_num - number of appropriate cn_notify_req structures after
+- * this struct.
+- * group - notification receiver's idx.
+- * len - total length of the attached data.
+- */
+-struct cn_ctl_msg {
+- __u32 idx_notify_num;
+- __u32 val_notify_num;
+- __u32 group;
+- __u32 len;
+- __u8 data[0];
+-};
+-
+ #ifdef __KERNEL__
+
+ #include <asm/atomic.h>
+@@ -144,11 +117,6 @@ struct cn_callback_entry {
+ struct sock *nls;
+ };
+
+-struct cn_ctl_entry {
+- struct list_head notify_entry;
+- struct cn_ctl_msg *msg;
+-};
+-
+ struct cn_dev {
+ struct cb_id id;
+
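Review bot: The header of the added patch file carries only the subject line and the upstream commit id, so nothing in the series records what was wrong with the notification code or why it is deleted rather than repaired. In the removed `cn_callback`, every control message that passes the length checks leads to a `kzalloc` of a `cn_ctl_entry` that is linked onto `notify_list`, with no cap on the list and no check on the sender visible in this hunk; that is presumably the memory-consumption issue the log ties to CVE-2010-0410. A description line such as `cn_callback() allocated one notify entry per control message with no bound; remove the notification feature.` would document it. The header part also removes `CN_IDX_CONNECTOR`, `CN_VAL_CONNECTOR`, `struct cn_notify_req` and `struct cn_ctl_msg`, which sit above `#ifdef __KERNEL__` and so appear to be visible to userspace, which is worth a line in the changelog entry for a stable security upload. `struct cn_dev` keeps its `id` member although `cn_init` no longer sets it.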
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2 Sun Feb 14 19:52:18 2010 (r15152)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2 Sun Feb 14 20:33:53 2010 (r15153)
@@ -19,3 +19,4 @@
+ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
+ bugfix/all/untangle-the-do_mremap-mess.patch
+ bugfix/all/futex-handle-user-space-corruption-gracefully.patch
++ bugfix/all/connector-delete-buggy-notification-code.patch