[kernel] r14956 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Wed Jan 20 01:06:17 UTC 2010


Author: benh
Date: Wed Jan 20 01:06:11 2010
New Revision: 14956

Log:
Apply relevant fixes from 2.6.27.44

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-braindamage-in-audit_tree.c-untag_chunk.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-more-leaks-in-audit_tree.c-tag_chunk.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/22

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Tue Jan 19 16:33:01 2010	(r14955)
+++ dists/lenny/linux-2.6/debian/changelog	Wed Jan 20 01:06:11 2010	(r14956)
@@ -15,6 +15,12 @@
   * x86: Increase MIN_GAP to include randomized stack (Closes: #559035)
   * bnx2: Add PCI IDs for Broadcom 5716 and 5716S (Closes: #565353)
   * bnx2: Apply various upstream bug fixes
+  * kernel/signal.c: fix kernel information leak with print-fatal-signals=1
+    (CVE-2010-0003)
+  * netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
+  * audit: Fix memory management bugs (Closes: #562815)
+    - fix braindamage in audit_tree.c untag_chunk()
+    - fix more leaks in audit_tree.c tag_chunk()
 
  -- maximilian attems <maks at debian.org>  Mon, 28 Dec 2009 23:44:19 +0100
 
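Review bot: the audit bullet `audit: Fix memory management bugs (Closes: #562815)` should also name the upstream commits that the two patch files below carry (6f5d51148921c242680a7a1d9913384a30ab3cbe and b4c30aad39805902cf5b855aa8a8b22d728ad057), so that the stable-update provenance is readable from the changelog the way the CVE ids make the signal and ebtables entries traceable. The trailer `-- maximilian attems <maks at debian.org>  Mon, 28 Dec 2009 23:44:19 +0100` predates these additions and will need refreshing when the entry is closed for release.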

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-braindamage-in-audit_tree.c-untag_chunk.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-braindamage-in-audit_tree.c-untag_chunk.patch	Wed Jan 20 01:06:11 2010	(r14956)
@@ -0,0 +1,61 @@
+From 0ad8dbec4622c3eef0abe019b9f036ff6a12f277 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro at ZenIV.linux.org.uk>
+Date: Sat, 19 Dec 2009 15:59:45 +0000
+Subject: [PATCH] fix braindamage in audit_tree.c untag_chunk()
+
+commit 6f5d51148921c242680a7a1d9913384a30ab3cbe upstream.
+
+... aka "Al had badly fscked up when writing that thing and nobody
+noticed until Eric had fixed leaks that used to mask the breakage".
+
+The function essentially creates a copy of old array sans one element
+and replaces the references to elements of original (they are on cyclic
+lists) with those to corresponding elements of new one.  After that the
+old one is fair game for freeing.
+
+First of all, there's a dumb braino: when we get to list_replace_init we
+use indices for wrong arrays - position in new one with the old array
+and vice versa.
+
+Another bug is more subtle - termination condition is wrong if the
+element to be excluded happens to be the last one.  We shouldn't go
+until we fill the new array, we should go until we'd finished the old
+one.  Otherwise the element we are trying to kill will remain on the
+cyclic lists...
+
+That crap used to be masked by several leaks, so it was not quite
+trivial to hit.  Eric had fixed some of those leaks a while ago and the
+shit had hit the fan...
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ kernel/audit_tree.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
+index 894b599..053ab6c 100644
+--- a/kernel/audit_tree.c
++++ b/kernel/audit_tree.c
+@@ -276,7 +276,7 @@ static void untag_chunk(struct node *p)
+ 		owner->root = NULL;
+ 	}
+ 
+-	for (i = j = 0; i < size; i++, j++) {
++	for (i = j = 0; j <= size; i++, j++) {
+ 		struct audit_tree *s;
+ 		if (&chunk->owners[j] == p) {
+ 			list_del_init(&p->list);
+@@ -289,7 +289,7 @@ static void untag_chunk(struct node *p)
+ 		if (!s) /* result of earlier fallback */
+ 			continue;
+ 		get_tree(s);
+-		list_replace_init(&chunk->owners[i].list, &new->owners[j].list);
++		list_replace_init(&chunk->owners[j].list, &new->owners[i].list);
+ 	}
+ 
+ 	list_replace_rcu(&chunk->hash, &new->hash);
+-- 
+1.6.6
+
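Review bot: the new bound `j <= size` walks all size+1 entries of the old owners array while `i` indexes the size-entry replacement, so `i` has to lag `j` by one once the excluded element has been skipped; the first hunk ends at `list_del_init(&p->list);` and the statement that adjusts `i` before the `continue` (kernel/audit_tree.c lines 283-288 fall between the two hunks and are not shown) is not visible here, so confirm it is present in the 2.6.27 tree this is applied to, otherwise `&new->owners[i]` indexes one past the new array on the final iteration. With that confirmed, the swapped `chunk->owners[j]` / `new->owners[i]` arguments to list_replace_init match the description in the commit message, and the post-image blob 053ab6c is exactly the pre-image the companion tag_chunk() patch expects.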

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-more-leaks-in-audit_tree.c-tag_chunk.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-more-leaks-in-audit_tree.c-tag_chunk.patch	Wed Jan 20 01:06:11 2010	(r14956)
@@ -0,0 +1,55 @@
+From 6f5195525e548d474a77ce00baa927e5c7ed6976 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro at ZenIV.linux.org.uk>
+Date: Sat, 19 Dec 2009 16:03:30 +0000
+Subject: [PATCH] fix more leaks in audit_tree.c tag_chunk()
+
+commit b4c30aad39805902cf5b855aa8a8b22d728ad057 upstream.
+
+Several leaks in audit_tree didn't get caught by commit
+318b6d3d7ddbcad3d6867e630711b8a705d873d7, including the leak on normal
+exit in case of multiple rules refering to the same chunk.
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ kernel/audit_tree.c |    9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
+index 053ab6c..ef96b29 100644
+--- a/kernel/audit_tree.c
++++ b/kernel/audit_tree.c
+@@ -372,15 +372,17 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
+ 	for (n = 0; n < old->count; n++) {
+ 		if (old->owners[n].owner == tree) {
+ 			spin_unlock(&hash_lock);
+-			put_inotify_watch(watch);
++			put_inotify_watch(&old->watch);
+ 			return 0;
+ 		}
+ 	}
+ 	spin_unlock(&hash_lock);
+ 
+ 	chunk = alloc_chunk(old->count + 1);
+-	if (!chunk)
++	if (!chunk) {
++		put_inotify_watch(&old->watch);
+ 		return -ENOMEM;
++	}
+ 
+ 	mutex_lock(&inode->inotify_mutex);
+ 	if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) {
+@@ -422,7 +424,8 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
+ 	spin_unlock(&hash_lock);
+ 	inotify_evict_watch(&old->watch);
+ 	mutex_unlock(&inode->inotify_mutex);
+-	put_inotify_watch(&old->watch);
++	put_inotify_watch(&old->watch); /* pair to inotify_find_watch */
++	put_inotify_watch(&old->watch); /* and kill it */
+ 	return 0;
+ }
+ 
+-- 
+1.6.6
+
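Review bot: the added `put_inotify_watch(&old->watch);` inside `if (!chunk) {` balances the reference that the `/* pair to inotify_find_watch */` comment names, and the duplicate-rule early return now drops that same reference, but the `inotify_clone_watch(&old->watch, &chunk->watch) < 0` branch that follows appears only as context, so check that its body also releases `&old->watch` and frees `chunk`; otherwise the leak is closed on two of the three error paths only. The doubled put at the end of the function is intentional, as its two comments spell out (one for the find reference, one to drop the evicted watch's own reference), and those comments are what make the sequence reviewable, so they should survive any later rebase of this backport.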

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch	Wed Jan 20 01:06:11 2010	(r14956)
@@ -0,0 +1,47 @@
+From f21c582a940198ef810e7744c9f91cdafd1a6ed5 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fwestphal at astaro.com>
+Date: Fri, 8 Jan 2010 17:31:24 +0100
+Subject: [PATCH] netfilter: ebtables: enforce CAP_NET_ADMIN
+
+commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
+
+normal users are currently allowed to set/modify ebtables rules.
+Restrict it to processes with CAP_NET_ADMIN.
+
+Note that this cannot be reproduced with unmodified ebtables binary
+because it uses SOCK_RAW.
+
+Signed-off-by: Florian Westphal <fwestphal at astaro.com>
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/bridge/netfilter/ebtables.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 32afff8..d6beca9 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1436,6 +1436,9 @@ static int do_ebt_set_ctl(struct sock *sk,
+ {
+ 	int ret;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	switch(cmd) {
+ 	case EBT_SO_SET_ENTRIES:
+ 		ret = do_replace(user, len);
+@@ -1455,6 +1458,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ 	struct ebt_replace tmp;
+ 	struct ebt_table *t;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (copy_from_user(&tmp, user, sizeof(tmp)))
+ 		return -EFAULT;
+ 
+-- 
+1.6.6
+
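Review bot: the `capable(CAP_NET_ADMIN)` test sits ahead of the `switch(cmd)` dispatch in do_ebt_set_ctl and ahead of `copy_from_user(&tmp, user, sizeof(tmp))` in do_ebt_get_ctl, so every command is covered and no user memory is read before the privilege decision, which is the right ordering. Note that the getsockopt side is restricted as well: unprivileged tools that only list bridge tables will now receive EPERM, a behaviour change the changelog line `netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)` does not mention and that deserves a sentence in the release notes. The remark that a stock ebtables binary cannot trigger this because it opens SOCK_RAW explains why the gap went unnoticed: the raw-socket path already demands privilege, whereas other socket types reaching these handlers did not.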

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch	Wed Jan 20 01:06:11 2010	(r14956)
@@ -0,0 +1,52 @@
+From e3f94f64a91768da5b136b22dc5faa2447ec2ac8 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <andi at firstfloor.org>
+Date: Fri, 8 Jan 2010 14:42:52 -0800
+Subject: [PATCH] kernel/signal.c: fix kernel information leak with print-fatal-signals=1
+
+commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream.
+
+When print-fatal-signals is enabled it's possible to dump any memory
+reachable by the kernel to the log by simply jumping to that address from
+user space.
+
+Or crash the system if there's some hardware with read side effects.
+
+The fatal signals handler will dump 16 bytes at the execution address,
+which is fully controlled by ring 3.
+
+In addition when something jumps to a unmapped address there will be up to
+16 additional useless page faults, which might be potentially slow (and at
+least is not very efficient)
+
+Fortunately this option is off by default and only there on i386.
+
+But fix it by checking for kernel addresses and also stopping when there's
+a page fault.
+
+Signed-off-by: Andi Kleen <ak at linux.intel.com>
+Cc: Ingo Molnar <mingo at elte.hu>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ kernel/signal.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index de2b649..efcdc95 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -884,7 +884,8 @@ static void print_fatal_signal(struct pt_regs *regs, int signr)
+ 		for (i = 0; i < 16; i++) {
+ 			unsigned char insn;
+ 
+-			__get_user(insn, (unsigned char *)(regs->ip + i));
++			if (get_user(insn, (unsigned char *)(regs->ip + i)))
++				break;
+ 			printk("%02x ", insn);
+ 		}
+ 	}
+-- 
+1.6.6
+
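Review bot: replacing `__get_user` with `get_user` adds the access_ok() range check that refuses kernel addresses, and testing its return value breaks out at the first faulting byte, so the hunk addresses both halves of the commit message: the 16-byte dump of memory at a ring-3-controlled address and the up to 16 extra page faults on an unmapped address. `get_user` still reads through the task's own mappings, so what reaches the log is now limited to bytes the faulting process could already read itself, which is the property a defender wants from a crash-diagnostics printout.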

Modified: dists/lenny/linux-2.6/debian/patches/series/22
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/22	Tue Jan 19 16:33:01 2010	(r14955)
+++ dists/lenny/linux-2.6/debian/patches/series/22	Wed Jan 20 01:06:11 2010	(r14956)
@@ -11,3 +11,7 @@
 + bugfix/all/bnx2-Prevent-ethtool-s-from-crashing-when-device-is-down.patch
 + bugfix/all/bnx2-Restrict-WoL-support.patch
 + bugfix/all/bnx2-Fix-panic-in-bnx2_poll_work.patch
++ bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
++ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
++ bugfix/all/fix-braindamage-in-audit_tree.c-untag_chunk.patch
++ bugfix/all/fix-more-leaks-in-audit_tree.c-tag_chunk.patch
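Review bot: the order of the two audit_tree.c lines matters: `fix-braindamage-in-audit_tree.c-untag_chunk.patch` takes kernel/audit_tree.c from blob 894b599 to 053ab6c and `fix-more-leaks-in-audit_tree.c-tag_chunk.patch` declares 053ab6c as its pre-image, so they must stay in this sequence or the second will fail to apply; the series has them right. The signal and ebtables patches touch unrelated files and could sit anywhere in the added block.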