[kernel] r15339 - in dists/lenny-security/linux-2.6/debian: . config patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Mar 9 16:12:05 UTC 2010
Author: dannf
Date: Tue Mar 9 16:11:51 2010
New Revision: 15339
Log:
uvesafb/connector: prevent unprivileged users from sending netlink packets
(CVE-2009-3725)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/config/defines
dists/lenny-security/linux-2.6/debian/patches/series/21lenny4
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Tue Mar 9 04:11:56 2010 (r15338)
+++ dists/lenny-security/linux-2.6/debian/changelog Tue Mar 9 16:11:51 2010 (r15339)
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.26-21lenny4) UNRELEASED; urgency=low
+linux-2.6 (2.6.26-21lenny4) UNRELEASED; urgency=high
[ dann frazier ]
* futex: Handle user space corruption gracefully (CVE-2010-0622)
@@ -6,6 +6,8 @@
* x86: set_personality_ia32() misses force_personality32, an additional
fix for CVE-2010-0307
* Replace fix for CVE-2009-2691 w/ upstreamed version (Closes: #570554)
+ * uvesafb/connector: prevent unprivileged users from sending netlink packets
+ (CVE-2009-3725)
[ Ben Hutchings ]
* [xen][i386] Fix kernel logging via userspace (Closes: #568561)
Modified: dists/lenny-security/linux-2.6/debian/config/defines
==============================================================================
--- dists/lenny-security/linux-2.6/debian/config/defines Tue Mar 9 04:11:56 2010 (r15338)
+++ dists/lenny-security/linux-2.6/debian/config/defines Tue Mar 9 16:11:51 2010 (r15339)
@@ -1,6 +1,6 @@
[abi]
abiname: 2
-ignore-changes: gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs
+ignore-changes: cn_add_callback gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs
[base]
arches:
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch Tue Mar 9 16:11:51 2010 (r15339)
@@ -0,0 +1,99 @@
+From 8b52ce7ee12f81e584405185bf60ff859fce74e5 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 17:18:08 -0700
+Subject: [PATCH 1/4] add 2.6.31.5/connector-keep-the-skb-in-cn_callback_data.patch
+
+---
+ drivers/connector/cn_queue.c | 3 ++-
+ drivers/connector/connector.c | 11 +++++------
+ include/linux/connector.h | 6 +++---
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
+index b6fe7e7..e3cf1d9 100644
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -36,8 +36,9 @@ void cn_queue_wrapper(struct work_struct *work)
+ struct cn_callback_entry *cbq =
+ container_of(work, struct cn_callback_entry, work);
+ struct cn_callback_data *d = &cbq->data;
++ struct cn_msg *msg = NLMSG_DATA(nlmsg_hdr(d->skb));
+
+- d->callback(d->callback_priv);
++ d->callback(msg);
+
+ d->destruct_data(d->ddata);
+ d->ddata = NULL;
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index 1d65184..f101295 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -118,10 +118,11 @@ EXPORT_SYMBOL_GPL(cn_netlink_send);
+ /*
+ * Callback helper - queues work and setup destructor for given data.
+ */
+-static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), void *data)
++static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *), void *data)
+ {
+ struct cn_callback_entry *__cbq, *__new_cbq;
+ struct cn_dev *dev = &cdev;
++ struct cn_msg *msg = NLMSG_DATA(nlmsg_hdr(skb));
+ int err = -ENODEV;
+
+ spin_lock_bh(&dev->cbdev->queue_lock);
+@@ -129,7 +130,7 @@ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), v
+ if (cn_cb_equal(&__cbq->id.id, &msg->id)) {
+ if (likely(!work_pending(&__cbq->work) &&
+ __cbq->data.ddata == NULL)) {
+- __cbq->data.callback_priv = msg;
++ __cbq->data.skb = skb;
+
+ __cbq->data.ddata = data;
+ __cbq->data.destruct_data = destruct_data;
+@@ -146,7 +147,7 @@ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), v
+ __new_cbq = kzalloc(sizeof(struct cn_callback_entry), GFP_ATOMIC);
+ if (__new_cbq) {
+ d = &__new_cbq->data;
+- d->callback_priv = msg;
++ d->skb = skb;
+ d->callback = __cbq->data.callback;
+ d->ddata = data;
+ d->destruct_data = destruct_data;
+@@ -179,7 +180,6 @@ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), v
+ */
+ static void cn_rx_skb(struct sk_buff *__skb)
+ {
+- struct cn_msg *msg;
+ struct nlmsghdr *nlh;
+ int err;
+ struct sk_buff *skb;
+@@ -196,8 +196,7 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ return;
+ }
+
+- msg = NLMSG_DATA(nlh);
+- err = cn_call_callback(msg, (void (*)(void *))kfree_skb, skb);
++ err = cn_call_callback(skb, (void (*)(void *))kfree_skb, skb);
+ if (err < 0)
+ kfree_skb(skb);
+ }
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 26502da..7552837 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -96,9 +96,9 @@ struct cn_callback_id {
+ struct cn_callback_data {
+ void (*destruct_data) (void *);
+ void *ddata;
+-
+- void *callback_priv;
+- void (*callback) (void *);
++
++ struct sk_buff *skb;
++ void (*callback) (struct cn_msg *);
+
+ void *free;
+ };
+--
+1.7.0
+
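Review bot: The new `struct sk_buff *skb` member of cn_callback_data carries no comment on ownership, although this hunk shows cn_call_callback storing the skb there and cn_queue_wrapper deriving the cn_msg from it and then freeing it via destruct_data(ddata), which cn_rx_skb sets to kfree_skb/skb, once the callback returns. Suggest `struct sk_buff *skb; /* netlink buffer holding the cn_msg handed to callback; released after callback returns */`. Since the buffer is released right after the callback, a callback must not keep a pointer into msg past its return; that could be stated in the cn_add_callback documentation as well. The struct and the surrounding functions continue outside this hunk.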
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch Tue Mar 9 16:11:51 2010 (r15339)
@@ -0,0 +1,189 @@
+From d21956a7f9f7843b9050d3455a0cc9c93c6fa5ee Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 17:19:29 -0700
+Subject: [PATCH 2/4] add 2.6.31.5/connector-provide-the-sender-s-credentials-to-the-callback.patch
+
+---
+ Documentation/connector/cn_test.c | 4 +---
+ Documentation/connector/connector.txt | 8 ++++----
+ drivers/connector/cn_proc.c | 3 +--
+ drivers/connector/cn_queue.c | 10 +++++++---
+ drivers/connector/connector.c | 3 ++-
+ drivers/video/uvesafb.c | 3 +--
+ drivers/w1/w1_netlink.c | 3 +--
+ include/linux/connector.h | 6 +++---
+ 8 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/Documentation/connector/cn_test.c b/Documentation/connector/cn_test.c
+index be7af14..a7d46cb 100644
+--- a/Documentation/connector/cn_test.c
++++ b/Documentation/connector/cn_test.c
+@@ -32,10 +32,8 @@ static char cn_test_name[] = "cn_test";
+ static struct sock *nls;
+ static struct timer_list cn_test_timer;
+
+-void cn_test_callback(void *data)
++static void cn_test_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+- struct cn_msg *msg = (struct cn_msg *)data;
+-
+ printk("%s: %lu: idx=%x, val=%x, seq=%u, ack=%u, len=%d: %s.\n",
+ __func__, jiffies, msg->id.idx, msg->id.val,
+ msg->seq, msg->ack, msg->len, (char *)msg->data);
+diff --git a/Documentation/connector/connector.txt b/Documentation/connector/connector.txt
+index ad6e0ba..3e6dcc7 100644
+--- a/Documentation/connector/connector.txt
++++ b/Documentation/connector/connector.txt
+@@ -23,7 +23,7 @@ handling... Connector allows any kernelspace agents to use netlink
+ based networking for inter-process communication in a significantly
+ easier way:
+
+-int cn_add_callback(struct cb_id *id, char *name, void (*callback) (void *));
++int cn_add_callback(struct cb_id *id, char *name, void (*callback) (struct cn_msg *, struct netlink_skb_parms *));
+ void cn_netlink_send(struct cn_msg *msg, u32 __group, int gfp_mask);
+
+ struct cb_id
+@@ -53,15 +53,15 @@ struct cn_msg
+ Connector interfaces.
+ /*****************************************/
+
+-int cn_add_callback(struct cb_id *id, char *name, void (*callback) (void *));
++int cn_add_callback(struct cb_id *id, char *name, void (*callback) (struct cn_msg *, struct netlink_skb_parms *));
+
+ Registers new callback with connector core.
+
+ struct cb_id *id - unique connector's user identifier.
+ It must be registered in connector.h for legal in-kernel users.
+ char *name - connector's callback symbolic name.
+-void (*callback) (void *) - connector's callback.
+- Argument must be dereferenced to struct cn_msg *.
++void (*callback) (struct cn..) - connector's callback.
++ cn_msg and the sender's credentials
+
+ void cn_del_callback(struct cb_id *id);
+
+diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
+index 5c9f67f..e5ed75d 100644
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -196,9 +196,8 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
+ * cn_proc_mcast_ctl
+ * @data: message sent from userspace via the connector
+ */
+-static void cn_proc_mcast_ctl(void *data)
++static void cn_proc_mcast_ctl(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+- struct cn_msg *msg = data;
+ enum proc_cn_mcast_op *mc_op = NULL;
+ int err = 0;
+
+diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
+index e3cf1d9..989c1bd 100644
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -37,8 +37,9 @@ void cn_queue_wrapper(struct work_struct *work)
+ container_of(work, struct cn_callback_entry, work);
+ struct cn_callback_data *d = &cbq->data;
+ struct cn_msg *msg = NLMSG_DATA(nlmsg_hdr(d->skb));
++ struct netlink_skb_parms *nsp = &NETLINK_CB(d->skb);
+
+- d->callback(msg);
++ d->callback(msg, nsp);
+
+ d->destruct_data(d->ddata);
+ d->ddata = NULL;
+@@ -46,7 +47,9 @@ void cn_queue_wrapper(struct work_struct *work)
+ kfree(d->free);
+ }
+
+-static struct cn_callback_entry *cn_queue_alloc_callback_entry(char *name, struct cb_id *id, void (*callback)(void *))
++static struct cn_callback_entry *
++cn_queue_alloc_callback_entry(char *name, struct cb_id *id,
++ void (*callback)(struct cn_msg *, struct netlink_skb_parms *))
+ {
+ struct cn_callback_entry *cbq;
+
+@@ -76,7 +79,8 @@ int cn_cb_equal(struct cb_id *i1, struct cb_id *i2)
+ return ((i1->idx == i2->idx) && (i1->val == i2->val));
+ }
+
+-int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(void *))
++int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id,
++ void (*callback)(struct cn_msg *, struct netlink_skb_parms *))
+ {
+ struct cn_callback_entry *cbq, *__cbq;
+ int found = 0;
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index f101295..1e8cd67 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -208,7 +208,8 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ *
+ * May sleep.
+ */
+-int cn_add_callback(struct cb_id *id, char *name, void (*callback)(void *))
++int cn_add_callback(struct cb_id *id, char *name,
++ void (*callback)(struct cn_msg *, struct netlink_skb_parms *))
+ {
+ int err;
+ struct cn_dev *dev = &cdev;
+diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c
+index cdbb56e..e945b64 100644
+--- a/drivers/video/uvesafb.c
++++ b/drivers/video/uvesafb.c
+@@ -66,9 +66,8 @@ static DEFINE_MUTEX(uvfb_lock);
+ * find the kernel part of the task struct, copy the registers and
+ * the buffer contents and then complete the task.
+ */
+-static void uvesafb_cn_callback(void *data)
++static void uvesafb_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+- struct cn_msg *msg = data;
+ struct uvesafb_task *utask;
+ struct uvesafb_ktask *task;
+
+diff --git a/drivers/w1/w1_netlink.c b/drivers/w1/w1_netlink.c
+index 65c5ebd..7ad099c 100644
+--- a/drivers/w1/w1_netlink.c
++++ b/drivers/w1/w1_netlink.c
+@@ -128,9 +128,8 @@ static int w1_process_command_slave(struct w1_slave *sl, struct cn_msg *msg,
+ return err;
+ }
+
+-static void w1_cn_callback(void *data)
++static void w1_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+- struct cn_msg *msg = data;
+ struct w1_netlink_msg *m = (struct w1_netlink_msg *)(msg + 1);
+ struct w1_netlink_cmd *cmd;
+ struct w1_slave *sl;
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 7552837..4a144f0 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -98,7 +98,7 @@ struct cn_callback_data {
+ void *ddata;
+
+ struct sk_buff *skb;
+- void (*callback) (struct cn_msg *);
++ void (*callback) (struct cn_msg *, struct netlink_skb_parms *);
+
+ void *free;
+ };
+@@ -124,11 +124,11 @@ struct cn_dev {
+ struct cn_queue_dev *cbdev;
+ };
+
+-int cn_add_callback(struct cb_id *, char *, void (*callback) (void *));
++int cn_add_callback(struct cb_id *, char *, void (*callback) (struct cn_msg *, struct netlink_skb_parms *));
+ void cn_del_callback(struct cb_id *);
+ int cn_netlink_send(struct cn_msg *, u32, gfp_t);
+
+-int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(void *));
++int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(struct cn_msg *, struct netlink_skb_parms *));
+ void cn_queue_del_callback(struct cn_queue_dev *dev, struct cb_id *id);
+
+ struct cn_queue_dev *cn_queue_alloc_dev(char *name, struct sock *);
+--
+1.7.0
+
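Review bot: The kernel-doc for cn_proc_mcast_ctl still reads `@data: message sent from userspace via the connector`, but the parameter is now `msg` and a second parameter `nsp` was added; it should become `@msg: message sent from userspace via the connector` and `@nsp: sender's netlink_skb_parms (credentials)`. The same hunk gives w1_cn_callback and cn_proc_mcast_ctl the new nsp argument without using it; whether those callbacks need a capability check like the one uvesafb receives in the fourth patch is worth confirming against the 2.6.26 code, which lies outside this hunk. The connector.txt description `void (*callback) (struct cn..) - connector's callback.` is also truncated and could spell out the full prototype as the two cn_add_callback lines above it already do.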
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch Tue Mar 9 16:11:51 2010 (r15339)
@@ -0,0 +1,88 @@
+From 20a1c695fded8a81a3cbdaf8b8a3b01ff227ae54 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 17:21:25 -0700
+Subject: [PATCH 3/4] add 2.6.31.5/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
+
+---
+ drivers/connector/cn_queue.c | 4 ++--
+ drivers/connector/connector.c | 11 +++--------
+ include/linux/connector.h | 3 ---
+ 3 files changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
+index 989c1bd..54e12cf 100644
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -41,8 +41,8 @@ void cn_queue_wrapper(struct work_struct *work)
+
+ d->callback(msg, nsp);
+
+- d->destruct_data(d->ddata);
+- d->ddata = NULL;
++ kfree_skb(d->skb);
++ d->skb = NULL;
+
+ kfree(d->free);
+ }
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index 1e8cd67..064b210 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -118,7 +118,7 @@ EXPORT_SYMBOL_GPL(cn_netlink_send);
+ /*
+ * Callback helper - queues work and setup destructor for given data.
+ */
+-static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *), void *data)
++static int cn_call_callback(struct sk_buff *skb)
+ {
+ struct cn_callback_entry *__cbq, *__new_cbq;
+ struct cn_dev *dev = &cdev;
+@@ -129,12 +129,9 @@ static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *),
+ list_for_each_entry(__cbq, &dev->cbdev->queue_list, callback_entry) {
+ if (cn_cb_equal(&__cbq->id.id, &msg->id)) {
+ if (likely(!work_pending(&__cbq->work) &&
+- __cbq->data.ddata == NULL)) {
++ __cbq->data.skb == NULL)) {
+ __cbq->data.skb = skb;
+
+- __cbq->data.ddata = data;
+- __cbq->data.destruct_data = destruct_data;
+-
+ if (queue_work(dev->cbdev->cn_queue,
+ &__cbq->work))
+ err = 0;
+@@ -149,8 +146,6 @@ static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *),
+ d = &__new_cbq->data;
+ d->skb = skb;
+ d->callback = __cbq->data.callback;
+- d->ddata = data;
+- d->destruct_data = destruct_data;
+ d->free = __new_cbq;
+
+ INIT_WORK(&__new_cbq->work,
+@@ -196,7 +191,7 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ return;
+ }
+
+- err = cn_call_callback(skb, (void (*)(void *))kfree_skb, skb);
++ err = cn_call_callback(skb);
+ if (err < 0)
+ kfree_skb(skb);
+ }
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 4a144f0..9e7ea3f 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -94,9 +94,6 @@ struct cn_callback_id {
+ };
+
+ struct cn_callback_data {
+- void (*destruct_data) (void *);
+- void *ddata;
+-
+ struct sk_buff *skb;
+ void (*callback) (struct cn_msg *, struct netlink_skb_parms *);
+
+--
+1.7.0
+
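Review bot: The comment above cn_call_callback, `Callback helper - queues work and setup destructor for given data.`, is now stale: the destruct_data/ddata parameters are removed and cn_queue_wrapper frees the skb itself after the callback. Suggest `Callback helper - queues work for the given skb; on success the queued work owns the skb and frees it after the callback runs.` The caller cn_rx_skb still frees the skb when the return value is negative, which matches that contract. cn_call_callback's body continues outside the hunk.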
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch Tue Mar 9 16:11:51 2010 (r15339)
@@ -0,0 +1,26 @@
+From 4f232537fcb3301b102f022b3dee8e294b462773 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 19:47:12 -0700
+Subject: [PATCH 4/4] 2.6.31.5/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
+
+---
+ drivers/video/uvesafb.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c
+index e945b64..b595d48 100644
+--- a/drivers/video/uvesafb.c
++++ b/drivers/video/uvesafb.c
+@@ -71,6 +71,9 @@ static void uvesafb_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *ns
+ struct uvesafb_task *utask;
+ struct uvesafb_ktask *task;
+
++ if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
++ return;
++
+ if (msg->seq >= UVESAFB_TASKS_MAX)
+ return;
+
+--
+1.7.0
+
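Review bot: The new CAP_SYS_ADMIN guard at the top of uvesafb_cn_callback returns silently, so a message from a sender lacking the capability is dropped with no diagnostic; a rate-limited log line mentioning the rejected message's seq would let operators notice unexpected senders without flooding the log. The check is placed before msg->seq is consulted, so no task state is touched for rejected messages. The rest of uvesafb_cn_callback lies outside the hunk.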
Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny4 Tue Mar 9 04:11:56 2010 (r15338)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny4 Tue Mar 9 16:11:51 2010 (r15339)
@@ -4,3 +4,7 @@
- bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
+ bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
+ bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
++ bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch
++ bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch
++ bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
++ bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch