[kernel] r16582 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Nov 21 00:51:30 UTC 2010


Author: dannf
Date: Sun Nov 21 00:51:25 2010
New Revision: 16582

Log:
inet_diag: Make sure we actually run the same bytecode we audited
(CVE-2010-3880)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 00:38:14 2010	(r16581)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 00:51:25 2010	(r16582)
@@ -27,6 +27,8 @@
   * can-bcm: fix minor heap overflow (CVE-2010-3874)
   * net: packet: fix information leak to userland (CVE-2010-3876)
   * net: tipc: fix information leak to userland (CVE-2010-3877)
+  * inet_diag: Make sure we actually run the same bytecode we audited
+    (CVE-2010-3880)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch	Sun Nov 21 00:51:25 2010	(r16582)
@@ -0,0 +1,103 @@
+commit cfd1efb5b8f074aa3d7b7adc98f4a98100880cbb
+Author: Nelson Elhage <nelhage at ksplice.com>
+Date:   Wed Nov 3 16:35:41 2010 +0000
+
+    inet_diag: Make sure we actually run the same bytecode we audited.
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    We were using nlmsg_find_attr() to look up the bytecode by attribute when
+    auditing, but then just using the first attribute when actually running
+    bytecode. So, if we received a message with two attribute elements, where only
+    the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
+    bytecode strings.
+    
+    Fix this by consistently using nlmsg_find_attr everywhere.
+    
+    Signed-off-by: Nelson Elhage <nelhage at ksplice.com>
+    Signed-off-by: Thomas Graf <tgraf at infradead.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index da97695..b9659b2 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -495,10 +495,11 @@ static int inet_csk_diag_dump(struct sock *sk,
+ {
+ 	struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ 
+-	if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++	if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ 		struct inet_diag_entry entry;
+-		struct rtattr *bc = (struct rtattr *)(r + 1);
+-		struct inet_sock *inet = inet_sk(sk);
++		const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++							  sizeof(*r),
++							  INET_DIAG_REQ_BYTECODE);
+ 
+ 		entry.family = sk->sk_family;
+ #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+@@ -517,7 +518,7 @@ static int inet_csk_diag_dump(struct sock *sk,
+ 		entry.dport = ntohs(inet->dport);
+ 		entry.userlocks = sk->sk_userlocks;
+ 
+-		if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++		if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ 			return 0;
+ 	}
+ 
+@@ -532,9 +533,11 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
+ {
+ 	struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ 
+-	if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++	if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ 		struct inet_diag_entry entry;
+-		struct rtattr *bc = (struct rtattr *)(r + 1);
++		const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++							  sizeof(*r),
++							  INET_DIAG_REQ_BYTECODE);
+ 
+ 		entry.family = tw->tw_family;
+ #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+@@ -553,7 +556,7 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
+ 		entry.dport = ntohs(tw->tw_dport);
+ 		entry.userlocks = 0;
+ 
+-		if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++		if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ 			return 0;
+ 	}
+ 
+@@ -623,7 +626,7 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ 	struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ 	struct inet_connection_sock *icsk = inet_csk(sk);
+ 	struct listen_sock *lopt;
+-	struct rtattr *bc = NULL;
++	const struct nlattr *bc = NULL;
+ 	struct inet_sock *inet = inet_sk(sk);
+ 	int j, s_j;
+ 	int reqnum, s_reqnum;
+@@ -643,8 +646,9 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ 	if (!lopt || !lopt->qlen)
+ 		goto out;
+ 
+-	if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+-		bc = (struct rtattr *)(r + 1);
++	if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
++		bc = nlmsg_find_attr(cb->nlh, sizeof(*r),
++				     INET_DIAG_REQ_BYTECODE);
+ 		entry.sport = inet->num;
+ 		entry.userlocks = sk->sk_userlocks;
+ 	}
+@@ -677,8 +681,8 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ 					&ireq->rmt_addr;
+ 				entry.dport = ntohs(ireq->rmt_port);
+ 
+-				if (!inet_diag_bc_run(RTA_DATA(bc),
+-						    RTA_PAYLOAD(bc), &entry))
++				if (!inet_diag_bc_run(nla_data(bc),
++						      nla_len(bc), &entry))
+ 					continue;
+ 			}
+ 
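Review bot: The hunk for inet_csk_diag_dump drops the declaration `struct inet_sock *inet = inet_sk(sk);` (removed on the line after `struct rtattr *bc = ...`) but the second hunk of the same function still reads `entry.dport = ntohs(inet->dport);`, so unless `inet` is declared in the lines between the two hunks this will not compile; the declaration should be kept after the new `bc` declaration, e.g. `struct inet_sock *inet = inet_sk(sk);` right below the `INET_DIAG_REQ_BYTECODE);` line. Separately, both inet_csk_diag_dump and inet_twsk_diag_dump now pass `nla_data(bc)`/`nla_len(bc)` straight into inet_diag_bc_run, so they depend on inet_diag_rcv_msg having already rejected any dump request whose attribute area lacks a well-formed INET_DIAG_REQ_BYTECODE attribute; that audit gate is not part of this backport, and if it still tests `nlmsg_len > 4 + NLMSG_SPACE(hdrlen)` rather than `nlmsg_attrlen(nlh, hdrlen)`, a request with only a few trailing bytes skips the audit yet enters these branches with `bc == NULL` (as I recall, the upstream commit converts that gate too). Please confirm the gate in the 2.6.26 tree matches, and document the invariant next to the `bc` declaration with `/* non-NULL: inet_diag_rcv_msg rejects dump requests without audited bytecode */`. The inet_diag_dump_reqs path looks fine since its use of `bc` sits under an `if (bc)` test; the enclosing functions all continue outside the hunks shown.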

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 00:38:14 2010	(r16581)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 00:51:25 2010	(r16582)
@@ -22,3 +22,4 @@
 + bugfix/all/net-ax25-fix-information-leak-to-userland.patch
 + bugfix/all/can-bcm-fix-minor-heap-overflow.patch
 + bugfix/all/net-tipc-fix-information-leak-to-userland.patch
++ bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch


