[kernel] r16591 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Nov 25 00:23:27 UTC 2010
Author: dannf
Date: Thu Nov 25 00:23:24 2010
New Revision: 16591
Log:
* econet: Avoid stack overflow w/ large msgiovlen (CVE-2010-3848)
* econet: disallow NULL remote addr for sendmsg() (CVE-2010-3849)
* econet: Add mising CAP_NET_ADMIN check in SIOCSIFADDR (CVE-2010-3850)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-coalesced-iovec.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-fix-redeclaration-of-symbol-len.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Nov 25 00:11:34 2010 (r16590)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Nov 25 00:23:24 2010 (r16591)
@@ -34,6 +34,9 @@
(CVE-2010-4073)
* USB: serial/mos*: prevent reading uninitialized stack memory (CVE-2010-4074)
* [SCSI] gdth: integer overflow in ioctl (CVE-2010-4157)
+ * econet: Avoid stack overflow w/ large msgiovlen (CVE-2010-3848)
+ * econet: disallow NULL remote addr for sendmsg() (CVE-2010-3849)
+ * econet: Add mising CAP_NET_ADMIN check in SIOCSIFADDR (CVE-2010-3850)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch Thu Nov 25 00:23:24 2010 (r16591)
@@ -0,0 +1,25 @@
+commit 8e8560a6d914929ab059233a6ecdc19e6898f299
+Author: Phil Blundell <philb at gnu.org>
+Date: Wed Nov 24 11:49:53 2010 -0800
+
+ econet: fix CVE-2010-3850
+
+ Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
+
+ Signed-off-by: Phil Blundell <philb at gnu.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index e622331..1d96608 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -663,6 +663,9 @@ static int ec_dev_ioctl(struct socket *sock, unsigned int cmd, void __user *arg)
+ err = 0;
+ switch (cmd) {
+ case SIOCSIFADDR:
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ edev = dev->ec_ptr;
+ if (edev == NULL) {
+ /* Magic up a new one. */
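Review bot: The bare `return -EPERM` added at the top of `case SIOCSIFADDR:` skips whatever common exit path follows the switch; the hunk shows `err = 0;` set immediately before the switch, which suggests the other cases report failures through `err` and fall out to shared cleanup rather than returning directly. If ec_dev_ioctl holds econet_mutex or a device reference at that point (econet_sendmsg in this file takes the mutex before its work, and `dev->ec_ptr` is read right after the check, so a held reference is plausible), the early return leaks it. The safer form is `if (!capable(CAP_NET_ADMIN)) { err = -EPERM; break; }` so the usual unlock/release runs. ec_dev_ioctl starts and ends outside the hunk, so the exact cleanup being bypassed cannot be confirmed from here.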
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-coalesced-iovec.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-coalesced-iovec.patch Thu Nov 25 00:23:24 2010 (r16591)
@@ -0,0 +1,150 @@
+commit 30c2fd5716be0792008fb599b077894455664df5
+Author: Phil Blundell <philb at gnu.org>
+Date: Wed Nov 24 11:51:47 2010 -0800
+
+ econet: fix CVE-2010-3848
+
+ [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ Don't declare variable sized array of iovecs on the stack since this
+ could cause stack overflow if msg->msgiovlen is large. Instead, coalesce
+ the user-supplied data into a new buffer and use a single iovec for it.
+
+ Signed-off-by: Phil Blundell <philb at gnu.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 1d96608..a101190 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -30,6 +30,7 @@
+ #include <linux/wireless.h>
+ #include <linux/skbuff.h>
+ #include <linux/udp.h>
++#include <linux/vmalloc.h>
+ #include <net/sock.h>
+ #include <net/inet_common.h>
+ #include <linux/stat.h>
+@@ -275,12 +276,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ #endif
+ #ifdef CONFIG_ECONET_AUNUDP
+ struct msghdr udpmsg;
+- struct iovec iov[msg->msg_iovlen+1];
++ struct iovec iov[2];
+ struct aunhdr ah;
+ struct sockaddr_in udpdest;
+ __kernel_size_t size;
+- int i;
+ mm_segment_t oldfs;
++ char *userbuf;
+ #endif
+
+ /*
+@@ -318,17 +319,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ }
+ }
+
+- if (len + 15 > dev->mtu) {
+- mutex_unlock(&econet_mutex);
+- return -EMSGSIZE;
+- }
+-
+ if (dev->type == ARPHRD_ECONET) {
+ /* Real hardware Econet. We're not worthy etc. */
+ #ifdef CONFIG_ECONET_NATIVE
+ unsigned short proto = 0;
+ int res;
+
++ if (len + 15 > dev->mtu) {
++ mutex_unlock(&econet_mutex);
++ return -EMSGSIZE;
++ }
++
+ dev_hold(dev);
+
+ skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
+@@ -404,6 +405,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ return -ENETDOWN; /* No socket - can't send */
+ }
+
++ if (len > 32768) {
++ err = -E2BIG;
++ goto error;
++ }
++
+ /* Make up a UDP datagram and hand it off to some higher intellect. */
+
+ memset(&udpdest, 0, sizeof(udpdest));
+@@ -435,36 +441,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+
+ /* tack our header on the front of the iovec */
+ size = sizeof(struct aunhdr);
+- /*
+- * XXX: that is b0rken. We can't mix userland and kernel pointers
+- * in iovec, since on a lot of platforms copy_from_user() will
+- * *not* work with the kernel and userland ones at the same time,
+- * regardless of what we do with set_fs(). And we are talking about
+- * econet-over-ethernet here, so "it's only ARM anyway" doesn't
+- * apply. Any suggestions on fixing that code? -- AV
+- */
+ iov[0].iov_base = (void *)&ah;
+ iov[0].iov_len = size;
+- for (i = 0; i < msg->msg_iovlen; i++) {
+- void __user *base = msg->msg_iov[i].iov_base;
+- size_t iov_len = msg->msg_iov[i].iov_len;
+- /* Check it now since we switch to KERNEL_DS later. */
+- if (!access_ok(VERIFY_READ, base, iov_len)) {
+- mutex_unlock(&econet_mutex);
+- return -EFAULT;
+- }
+- iov[i+1].iov_base = base;
+- iov[i+1].iov_len = iov_len;
+- size += iov_len;
++
++ userbuf = vmalloc(len);
++ if (userbuf == NULL) {
++ err = -ENOMEM;
++ goto error;
+ }
+
++ iov[1].iov_base = userbuf;
++ iov[1].iov_len = len;
++ err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
++ if (err)
++ goto error_free_buf;
++
+ /* Get a skbuff (no data, just holds our cb information) */
+ if ((skb = sock_alloc_send_skb(sk, 0,
+ msg->msg_flags & MSG_DONTWAIT,
+- &err)) == NULL) {
+- mutex_unlock(&econet_mutex);
+- return err;
+- }
++ &err)) == NULL)
++ goto error_free_buf;
+
+ eb = (struct ec_cb *)&skb->cb;
+
+@@ -480,7 +476,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ udpmsg.msg_name = (void *)&udpdest;
+ udpmsg.msg_namelen = sizeof(udpdest);
+ udpmsg.msg_iov = &iov[0];
+- udpmsg.msg_iovlen = msg->msg_iovlen + 1;
++ udpmsg.msg_iovlen = 2;
+ udpmsg.msg_control = NULL;
+ udpmsg.msg_controllen = 0;
+ udpmsg.msg_flags=0;
+@@ -488,9 +484,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */
+ err = sock_sendmsg(udpsock, &udpmsg, size);
+ set_fs(oldfs);
++
++error_free_buf:
++ vfree(userbuf);
+ #else
+ err = -EPROTOTYPE;
+ #endif
++ error:
+ mutex_unlock(&econet_mutex);
+
+ return err;
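Review bot: `size` is no longer grown to cover the payload, so the length handed to `sock_sendmsg(udpsock, &udpmsg, size)` in the last hunk is just `sizeof(struct aunhdr)`: the removed loop did `size += iov_len` for every user iovec, but the replacement sets `iov[1].iov_len = len` with no matching `size += len;`, so only the AUN header's worth of bytes is requested even though the iovec now carries two entries. Add `size += len;` directly after `iov[1].iov_len = len;`. Two smaller points: the `len > 32768` bound is a bare magic number and would read better as a named constant (e.g. `ECONET_AUN_MAX_LEN`, constructed name) with a comment on why that ceiling was chosen; and the `error:` label is placed outside `#ifdef CONFIG_ECONET_AUNUDP` while its only `goto error` lives inside it, so builds without AUNUDP will warn about an unused label (its leading space also breaks the file's label style). econet_sendmsg begins before the first hunk and its native-hardware path between the hunks is not shown.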
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch Thu Nov 25 00:23:24 2010 (r16591)
@@ -0,0 +1,56 @@
+commit 698c3311c8a79606b12661867e6fa97c171cb495
+Author: Phil Blundell <philb at gnu.org>
+Date: Wed Nov 24 11:49:19 2010 -0800
+
+ econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
+
+ Later parts of econet_sendmsg() rely on saddr != NULL, so return early
+ with EINVAL if NULL was passed otherwise an oops may occur.
+
+ Signed-off-by: Phil Blundell <philb at gnu.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 4b11a36..e622331 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -296,23 +296,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+
+ mutex_lock(&econet_mutex);
+
+- if (saddr == NULL) {
+- struct econet_sock *eo = ec_sk(sk);
+-
+- addr.station = eo->station;
+- addr.net = eo->net;
+- port = eo->port;
+- cb = eo->cb;
+- } else {
+- if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
+- mutex_unlock(&econet_mutex);
+- return -EINVAL;
+- }
+- addr.station = saddr->addr.station;
+- addr.net = saddr->addr.net;
+- port = saddr->port;
+- cb = saddr->cb;
+- }
++ if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
++ mutex_unlock(&econet_mutex);
++ return -EINVAL;
++ }
++ addr.station = saddr->addr.station;
++ addr.net = saddr->addr.net;
++ port = saddr->port;
++ cb = saddr->cb;
+
+ /* Look for a device with the right network number. */
+ dev = net2dev_map[addr.net];
+@@ -350,7 +341,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+
+ eb = (struct ec_cb *)&skb->cb;
+
+- /* BUG: saddr may be NULL */
+ eb->cookie = saddr->cookie;
+ eb->sec = *saddr;
+ eb->sent = ec_tx_done;
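Review bot: The new guard rejects a NULL `saddr` without saying why, and the dereferences that motivate it (`eb->cookie = saddr->cookie; eb->sec = *saddr;`) sit in a separate hunk where the old `/* BUG: saddr may be NULL */` marker is being removed. A one-line comment above the check, `/* saddr is dereferenced unconditionally below (eb->cookie, eb->sec), so an unnamed send is an error rather than a fallback to the socket's stored peer */`, keeps that reasoning next to the code. It is also worth noting in the commit description that the removed `eo->station`/`eo->net`/`eo->port`/`eo->cb` branch means a connected socket can no longer send without an explicit address and will now get -EINVAL. econet_sendmsg starts outside the hunk.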
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-fix-redeclaration-of-symbol-len.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-fix-redeclaration-of-symbol-len.patch Thu Nov 25 00:23:24 2010 (r16591)
@@ -0,0 +1,36 @@
+commit d7d6869fcc572ee794123407dce7f1b16e3c917f
+Author: Hagen Paul Pfeifer <hagen at jauu.net>
+Date: Wed Oct 7 14:43:04 2009 -0700
+
+ econet: Fix redeclaration of symbol len
+
+ Function argument len was redeclarated within the
+ function. This patch fix the redeclaration of symbol 'len'.
+
+ Signed-off-by: Hagen Paul Pfeifer <hagen at jauu.net>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 9972814..4b11a36 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -457,15 +457,15 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ iov[0].iov_len = size;
+ for (i = 0; i < msg->msg_iovlen; i++) {
+ void __user *base = msg->msg_iov[i].iov_base;
+- size_t len = msg->msg_iov[i].iov_len;
++ size_t iov_len = msg->msg_iov[i].iov_len;
+ /* Check it now since we switch to KERNEL_DS later. */
+- if (!access_ok(VERIFY_READ, base, len)) {
++ if (!access_ok(VERIFY_READ, base, iov_len)) {
+ mutex_unlock(&econet_mutex);
+ return -EFAULT;
+ }
+ iov[i+1].iov_base = base;
+- iov[i+1].iov_len = len;
+- size += len;
++ iov[i+1].iov_len = iov_len;
++ size += iov_len;
+ }
+
+ /* Get a skbuff (no data, just holds our cb information) */
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Thu Nov 25 00:11:34 2010 (r16590)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Thu Nov 25 00:23:24 2010 (r16591)
@@ -27,3 +27,7 @@
+ bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
+ bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
+ bugfix/all/gdth-integer-overflow-in-ioctl.patch
++ bugfix/all/econet-fix-redeclaration-of-symbol-len.patch
++ bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch
++ bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch
++ bugfix/all/econet-coalesced-iovec.patch