[kernel] r15169 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Feb 16 04:35:25 UTC 2010


Author: dannf
Date: Tue Feb 16 04:35:21 2010
New Revision: 15169

Log:
connector: Delete buggy notification code. (CVE-2010-0410)

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/26etch2

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	Tue Feb 16 04:29:00 2010	(r15168)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue Feb 16 04:35:21 2010	(r15169)
@@ -8,6 +8,7 @@
   * fuse: prevent fuse_put_request on invalid pointer (CVE-2009-4021)
   * e1000: enhance frame fragment detection (CVE-2009-4536)
   * netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
+  * connector: Delete buggy notification code. (CVE-2010-0410)
 
  -- dann frazier <dannf at debian.org>  Mon, 15 Feb 2010 18:32:14 -0700
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch	Tue Feb 16 04:35:21 2010	(r15169)
@@ -0,0 +1,305 @@
+commit dd8dccbf54c176cccd5dc199e89ab30df5fd5d70
+Author: dann frazier <dannf at hp.com>
+Date:   Mon Feb 15 21:33:14 2010 -0700
+
+    [Adjusted to apply to Debian's 2.6.18]
+    commit e09c72e130336696c983ab00e042b21abfc27d75
+    Author: dann frazier <dannf at hp.com>
+    Date:   Sun Feb 14 12:54:46 2010 -0700
+    
+        connector: Delete buggy notification code.
+
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index b49bacf..fb678da 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -1,4 +1,4 @@
+-/*
++o/*
+  * 	connector.c
+  * 
+  * 2004-2005 Copyright (c) Evgeniy Polyakov <johnpol at 2ka.mipt.ru>
+@@ -34,17 +34,6 @@ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Evgeniy Polyakov <johnpol at 2ka.mipt.ru>");
+ MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector.");
+ 
+-static u32 cn_idx = CN_IDX_CONNECTOR;
+-static u32 cn_val = CN_VAL_CONNECTOR;
+-
+-module_param(cn_idx, uint, 0);
+-module_param(cn_val, uint, 0);
+-MODULE_PARM_DESC(cn_idx, "Connector's main device idx.");
+-MODULE_PARM_DESC(cn_val, "Connector's main device val.");
+-
+-static DEFINE_MUTEX(notify_lock);
+-static LIST_HEAD(notify_list);
+-
+ static struct cn_dev cdev;
+ 
+ int cn_already_initialized = 0;
+@@ -251,54 +240,6 @@ static void cn_input(struct sock *sk, int len)
+ }
+ 
+ /*
+- * Notification routing.
+- *
+- * Gets id and checks if there are notification request for it's idx
+- * and val.  If there are such requests notify the listeners with the
+- * given notify event.
+- *
+- */
+-static void cn_notify(struct cb_id *id, u32 notify_event)
+-{
+-	struct cn_ctl_entry *ent;
+-
+-	mutex_lock(&notify_lock);
+-	list_for_each_entry(ent, &notify_list, notify_entry) {
+-		int i;
+-		struct cn_notify_req *req;
+-		struct cn_ctl_msg *ctl = ent->msg;
+-		int idx_found, val_found;
+-
+-		idx_found = val_found = 0;
+-
+-		req = (struct cn_notify_req *)ctl->data;
+-		for (i = 0; i < ctl->idx_notify_num; ++i, ++req) {
+-			if (id->idx >= req->first && 
+-					id->idx < req->first + req->range) {
+-				idx_found = 1;
+-				break;
+-			}
+-		}
+-
+-		for (i = 0; i < ctl->val_notify_num; ++i, ++req) {
+-			if (id->val >= req->first && 
+-					id->val < req->first + req->range) {
+-				val_found = 1;
+-				break;
+-			}
+-		}
+-
+-		if (idx_found && val_found) {
+-			struct cn_msg m = { .ack = notify_event, };
+-
+-			memcpy(&m.id, id, sizeof(m.id));
+-			cn_netlink_send(&m, ctl->group, GFP_KERNEL);
+-		}
+-	}
+-	mutex_unlock(&notify_lock);
+-}
+-
+-/*
+  * Callback add routing - adds callback with given ID and name.
+  * If there is registered callback with the same ID it will not be added.
+  *
+@@ -316,8 +257,6 @@ int cn_add_callback(struct cb_id *id, char *name, void (*callback)(void *))
+ 	if (err)
+ 		return err;
+ 
+-	cn_notify(id, 0);
+-
+ 	return 0;
+ }
+ EXPORT_SYMBOL_GPL(cn_add_callback);
+@@ -335,120 +274,13 @@ void cn_del_callback(struct cb_id *id)
+ 	struct cn_dev *dev = &cdev;
+ 
+ 	cn_queue_del_callback(dev->cbdev, id);
+-	cn_notify(id, 1);
+-}
+-EXPORT_SYMBOL_GPL(cn_del_callback);
+-
+-/*
+- * Checks two connector's control messages to be the same.
+- * Returns 1 if they are the same or if the first one is corrupted.
+- */
+-static int cn_ctl_msg_equals(struct cn_ctl_msg *m1, struct cn_ctl_msg *m2)
+-{
+-	int i;
+-	struct cn_notify_req *req1, *req2;
+-
+-	if (m1->idx_notify_num != m2->idx_notify_num)
+-		return 0;
+-
+-	if (m1->val_notify_num != m2->val_notify_num)
+-		return 0;
+-
+-	if (m1->len != m2->len)
+-		return 0;
+-
+-	if ((m1->idx_notify_num + m1->val_notify_num) * sizeof(*req1) !=
+-	    m1->len)
+-		return 1;
+-
+-	req1 = (struct cn_notify_req *)m1->data;
+-	req2 = (struct cn_notify_req *)m2->data;
+-
+-	for (i = 0; i < m1->idx_notify_num; ++i) {
+-		if (req1->first != req2->first || req1->range != req2->range)
+-			return 0;
+-		req1++;
+-		req2++;
+-	}
+-
+-	for (i = 0; i < m1->val_notify_num; ++i) {
+-		if (req1->first != req2->first || req1->range != req2->range)
+-			return 0;
+-		req1++;
+-		req2++;
+-	}
+-
+-	return 1;
+-}
+-
+-/*
+- * Main connector device's callback.
+- *
+- * Used for notification of a request's processing.
+- */
+-static void cn_callback(void *data)
+-{
+-	struct cn_msg *msg = data;
+-	struct cn_ctl_msg *ctl;
+-	struct cn_ctl_entry *ent;
+-	u32 size;
+-
+-	if (msg->len < sizeof(*ctl))
+-		return;
+-
+-	ctl = (struct cn_ctl_msg *)msg->data;
+-
+-	size = (sizeof(*ctl) + ((ctl->idx_notify_num +
+-				 ctl->val_notify_num) *
+-				sizeof(struct cn_notify_req)));
+-
+-	if (msg->len != size)
+-		return;
+-
+-	if (ctl->len + sizeof(*ctl) != msg->len)
+-		return;
+-
+-	/*
+-	 * Remove notification.
+-	 */
+-	if (ctl->group == 0) {
+-		struct cn_ctl_entry *n;
+-
+-		mutex_lock(&notify_lock);
+-		list_for_each_entry_safe(ent, n, &notify_list, notify_entry) {
+-			if (cn_ctl_msg_equals(ent->msg, ctl)) {
+-				list_del(&ent->notify_entry);
+-				kfree(ent);
+-			}
+-		}
+-		mutex_unlock(&notify_lock);
+-
+-		return;
+-	}
+-
+-	size += sizeof(*ent);
+-
+-	ent = kzalloc(size, GFP_KERNEL);
+-	if (!ent)
+-		return;
+-
+-	ent->msg = (struct cn_ctl_msg *)(ent + 1);
+-
+-	memcpy(ent->msg, ctl, size - sizeof(*ent));
+-
+-	mutex_lock(&notify_lock);
+-	list_add(&ent->notify_entry, &notify_list);
+-	mutex_unlock(&notify_lock);
+ }
+ 
+ static int __devinit cn_init(void)
+ {
+ 	struct cn_dev *dev = &cdev;
+-	int err;
+ 
+ 	dev->input = cn_input;
+-	dev->id.idx = cn_idx;
+-	dev->id.val = cn_val;
+ 
+ 	dev->nls = netlink_kernel_create(NETLINK_CONNECTOR,
+ 					 CN_NETLINK_USERS + 0xf,
+@@ -465,15 +297,6 @@ static int __devinit cn_init(void)
+ 	
+ 	cn_already_initialized = 1;
+ 
+-	err = cn_add_callback(&dev->id, "connector", &cn_callback);
+-	if (err) {
+-		cn_already_initialized = 0;
+-		cn_queue_free_dev(dev->cbdev);
+-		if (dev->nls->sk_socket)
+-			sock_release(dev->nls->sk_socket);
+-		return -EINVAL;
+-	}
+-
+ 	return 0;
+ }
+ 
+@@ -483,7 +306,6 @@ static void __devexit cn_fini(void)
+ 
+ 	cn_already_initialized = 0;
+ 
+-	cn_del_callback(&dev->id);
+ 	cn_queue_free_dev(dev->cbdev);
+ 	if (dev->nls->sk_socket)
+ 		sock_release(dev->nls->sk_socket);
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 4c02119..1253483 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -24,9 +24,6 @@
+ 
+ #include <asm/types.h>
+ 
+-#define CN_IDX_CONNECTOR		0xffffffff
+-#define CN_VAL_CONNECTOR		0xffffffff
+-
+ /*
+  * Process Events connector unique ids -- used for message routing
+  */
+@@ -67,30 +64,6 @@ struct cn_msg {
+ 	__u8 data[0];
+ };
+ 
+-/*
+- * Notify structure - requests notification about
+- * registering/unregistering idx/val in range [first, first+range].
+- */
+-struct cn_notify_req {
+-	__u32 first;
+-	__u32 range;
+-};
+-
+-/*
+- * Main notification control message
+- * *_notify_num 	- number of appropriate cn_notify_req structures after 
+- *				this struct.
+- * group 		- notification receiver's idx.
+- * len 			- total length of the attached data.
+- */
+-struct cn_ctl_msg {
+-	__u32 idx_notify_num;
+-	__u32 val_notify_num;
+-	__u32 group;
+-	__u32 len;
+-	__u8 data[0];
+-};
+-
+ #ifdef __KERNEL__
+ 
+ #include <asm/atomic.h>
+@@ -143,11 +116,6 @@ struct cn_callback_entry {
+ 	struct sock *nls;
+ };
+ 
+-struct cn_ctl_entry {
+-	struct list_head notify_entry;
+-	struct cn_ctl_msg *msg;
+-};
+-
+ struct cn_dev {
+ 	struct cb_id id;
+ 
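Review bot: The first inner hunk for drivers/connector/connector.c rewrites the opening `/*` of the file header as `o/*`, which leaves a stray identifier at the top of the translation unit and should make the file fail to compile. That line should stay as unchanged context (` /*`) and the one-line hunk be dropped. The cn_del_callback hunk also removes `EXPORT_SYMBOL_GPL(cn_del_callback);` along with the notification code, while the export for cn_add_callback is kept. If that is not intended, keep `}` and the export line as context so that modules which register a callback can still remove it. Neither line belongs to the notification logic the log message describes, so a security backport is easier to audit without them. The bodies of cn_init and cn_fini continue outside the hunks shown.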

Modified: dists/etch-security/linux-2.6/debian/patches/series/26etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/26etch2	Tue Feb 16 04:29:00 2010	(r15168)
+++ dists/etch-security/linux-2.6/debian/patches/series/26etch2	Tue Feb 16 04:35:21 2010	(r15169)
@@ -5,3 +5,4 @@
 + bugfix/all/fuse-prevent-fuse_put_request-on-invalid-pointer.patch
 + bugfix/all/e1000-enhance-frame-fragment-detection.patch
 + bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
++ bugfix/all/connector-delete-buggy-notification-code.patch


