[kernel] r16436 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Oct 14 05:53:01 UTC 2010


Author: dannf
Date: Thu Oct 14 05:52:59 2010
New Revision: 16436

Log:
net sched: fix some kernel memory leaks (CVE-2010-2942)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/act_nat-use-stack-variable.patch
   dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-memory-leaks.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/25

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Oct 14 05:43:04 2010	(r16435)
+++ dists/sid/linux-2.6/debian/changelog	Thu Oct 14 05:52:59 2010	(r16436)
@@ -34,8 +34,9 @@
   * drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
   * GFS2: Fix writing to non-page aligned gfs2_quota structures (CVE-2010-1436)
   * hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
+  * net sched: fix some kernel memory leaks (CVE-2010-2942)
 
- -- dann frazier <dannf at debian.org>  Wed, 13 Oct 2010 22:55:30 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 13 Oct 2010 23:44:55 -0600
 
 linux-2.6 (2.6.32-24) unstable; urgency=high
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/act_nat-use-stack-variable.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/act_nat-use-stack-variable.patch	Thu Oct 14 05:52:59 2010	(r16436)
@@ -0,0 +1,71 @@
+commit 504f85c9d05f7c605306e808f0d835fe11bfd18d
+Author: Changli Gao <xiaosuo at gmail.com>
+Date:   Tue Jun 29 23:07:09 2010 +0000
+
+    act_nat: use stack variable
+    
+    act_nat: use stack variable
+    
+    structure tc_nat isn't too big for stack, so we can put it in stack.
+    
+    Signed-off-by: Changli Gao <xiaosuo at gmail.com>
+    ----
+     net/sched/act_nat.c |   31 ++++++++++---------------------
+     1 file changed, 10 insertions(+), 21 deletions(-)
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
+index 5709494..0be49a4 100644
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -265,40 +265,29 @@ static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_nat *p = a->priv;
+-	struct tc_nat *opt;
++	struct tc_nat opt;
+ 	struct tcf_t t;
+-	int s;
+ 
+-	s = sizeof(*opt);
++	opt.old_addr = p->old_addr;
++	opt.new_addr = p->new_addr;
++	opt.mask = p->mask;
++	opt.flags = p->flags;
+ 
+-	/* netlink spinlocks held above us - must use ATOMIC */
+-	opt = kzalloc(s, GFP_ATOMIC);
+-	if (unlikely(!opt))
+-		return -ENOBUFS;
++	opt.index = p->tcf_index;
++	opt.action = p->tcf_action;
++	opt.refcnt = p->tcf_refcnt - ref;
++	opt.bindcnt = p->tcf_bindcnt - bind;
+ 
+-	opt->old_addr = p->old_addr;
+-	opt->new_addr = p->new_addr;
+-	opt->mask = p->mask;
+-	opt->flags = p->flags;
+-
+-	opt->index = p->tcf_index;
+-	opt->action = p->tcf_action;
+-	opt->refcnt = p->tcf_refcnt - ref;
+-	opt->bindcnt = p->tcf_bindcnt - bind;
+-
+-	NLA_PUT(skb, TCA_NAT_PARMS, s, opt);
++	NLA_PUT(skb, TCA_NAT_PARMS, sizeof(opt), &opt);
+ 	t.install = jiffies_to_clock_t(jiffies - p->tcf_tm.install);
+ 	t.lastuse = jiffies_to_clock_t(jiffies - p->tcf_tm.lastuse);
+ 	t.expires = jiffies_to_clock_t(p->tcf_tm.expires);
+ 	NLA_PUT(skb, TCA_NAT_TM, sizeof(t), &t);
+ 
+-	kfree(opt);
+-
+ 	return skb->len;
+ 
+ nla_put_failure:
+ 	nlmsg_trim(skb, b);
+-	kfree(opt);
+ 	return -1;
+ }
+ 
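Review bot: With `struct tc_nat opt;` on the stack and no initializer, any member of struct tc_nat that the eight assignments below it do not set is copied to user space by `NLA_PUT(skb, TCA_NAT_PARMS, sizeof(opt), &opt)` with whatever the stack held, whereas the removed `kzalloc()` buffer was zeroed. The struct definition is not visible here, so whether such a member exists cannot be confirmed from this hunk, but the next patch in this revision adds an initializer to the same variable, which suggests it does. This patch should therefore never be applied without net-sched-fix-some-memory-leaks.patch. I would say so in the patch header, for example `[prerequisite for net-sched-fix-some-memory-leaks.patch; not safe to apply on its own]`.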

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-memory-leaks.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-memory-leaks.patch	Thu Oct 14 05:52:59 2010	(r16436)
@@ -0,0 +1,163 @@
+commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Mon Aug 16 20:04:22 2010 +0000
+
+    net sched: fix some kernel memory leaks
+    
+    We leak at least 32bits of kernel memory to user land in tc dump,
+    because we dont init all fields (capab ?) of the dumped structure.
+    
+    Use C99 initializers so that holes and non explicit fields are zeroed.
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
+index 8406c66..c2ed90a 100644
+--- a/net/sched/act_gact.c
++++ b/net/sched/act_gact.c
+@@ -152,21 +152,24 @@ static int tcf_gact(struct sk_buff *skb, struct tc_action *a, struct tcf_result
+ static int tcf_gact_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+-	struct tc_gact opt;
+ 	struct tcf_gact *gact = a->priv;
++	struct tc_gact opt = {
++		.index   = gact->tcf_index,
++		.refcnt  = gact->tcf_refcnt - ref,
++		.bindcnt = gact->tcf_bindcnt - bind,
++		.action  = gact->tcf_action,
++	};
+ 	struct tcf_t t;
+ 
+-	opt.index = gact->tcf_index;
+-	opt.refcnt = gact->tcf_refcnt - ref;
+-	opt.bindcnt = gact->tcf_bindcnt - bind;
+-	opt.action = gact->tcf_action;
+ 	NLA_PUT(skb, TCA_GACT_PARMS, sizeof(opt), &opt);
+ #ifdef CONFIG_GACT_PROB
+ 	if (gact->tcfg_ptype) {
+-		struct tc_gact_p p_opt;
+-		p_opt.paction = gact->tcfg_paction;
+-		p_opt.pval = gact->tcfg_pval;
+-		p_opt.ptype = gact->tcfg_ptype;
++		struct tc_gact_p p_opt = {
++			.paction = gact->tcfg_paction,
++			.pval    = gact->tcfg_pval,
++			.ptype   = gact->tcfg_ptype,
++		};
++
+ 		NLA_PUT(skb, TCA_GACT_PROB, sizeof(p_opt), &p_opt);
+ 	}
+ #endif
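Review bot: The designated initializers for `opt` and `p_opt` zero every member that is not named, but C99 does not clearly guarantee that padding bytes between members are cleared, so the commit message's statement that holes are zeroed rests on compiler behaviour. For any of these structs that has padding (the definitions are not visible in this patch), the form that gives a guarantee is `memset(&opt, 0, sizeof(opt));` followed by the member assignments. Where a struct has no padding, a short comment next to the initializer would record why the initializer is sufficient. The same applies to `opt` in tcf_mirred_dump, tcf_nat_dump, tcf_simp_dump and tcf_skbedit_dump. tcf_gact_dump continues past the end of this hunk.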
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index 11f195a..0c311be 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -219,15 +219,16 @@ static int tcf_mirred_dump(struct sk_buff *skb, struct tc_action *a, int bind, i
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_mirred *m = a->priv;
+-	struct tc_mirred opt;
++	struct tc_mirred opt = {
++		.index   = m->tcf_index,
++		.action  = m->tcf_action,
++		.refcnt  = m->tcf_refcnt - ref,
++		.bindcnt = m->tcf_bindcnt - bind,
++		.eaction = m->tcfm_eaction,
++		.ifindex = m->tcfm_ifindex,
++	};
+ 	struct tcf_t t;
+ 
+-	opt.index = m->tcf_index;
+-	opt.action = m->tcf_action;
+-	opt.refcnt = m->tcf_refcnt - ref;
+-	opt.bindcnt = m->tcf_bindcnt - bind;
+-	opt.eaction = m->tcfm_eaction;
+-	opt.ifindex = m->tcfm_ifindex;
+ 	NLA_PUT(skb, TCA_MIRRED_PARMS, sizeof(opt), &opt);
+ 	t.install = jiffies_to_clock_t(jiffies - m->tcf_tm.install);
+ 	t.lastuse = jiffies_to_clock_t(jiffies - m->tcf_tm.lastuse);
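Review bot: `struct tcf_t t;` is still declared without an initializer and filled one member at a time, which is the pattern this patch removes for `opt`. The hunk shows only `install` and `lastuse` being set and the rest of tcf_mirred_dump lies outside it, so this matters only if struct tcf_t has padding or a member the function never assigns; its definition is not visible here. For consistency I would add `memset(&t, 0, sizeof(t));` before the first assignment, so that the timestamp attribute sent to user space gets the same treatment as the parameter struct. The same declaration appears in the tcf_gact_dump, tcf_nat_dump, tcf_simp_dump and tcf_skbedit_dump hunks.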
+diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
+index 509a2d5..186eb83 100644
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -272,19 +272,19 @@ static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_nat *p = a->priv;
+-	struct tc_nat opt;
++	struct tc_nat opt = {
++		.old_addr = p->old_addr,
++		.new_addr = p->new_addr,
++		.mask     = p->mask,
++		.flags    = p->flags,
++
++		.index    = p->tcf_index,
++		.action   = p->tcf_action,
++		.refcnt   = p->tcf_refcnt - ref,
++		.bindcnt  = p->tcf_bindcnt - bind,
++	};
+ 	struct tcf_t t;
+ 
+-	opt.old_addr = p->old_addr;
+-	opt.new_addr = p->new_addr;
+-	opt.mask = p->mask;
+-	opt.flags = p->flags;
+-
+-	opt.index = p->tcf_index;
+-	opt.action = p->tcf_action;
+-	opt.refcnt = p->tcf_refcnt - ref;
+-	opt.bindcnt = p->tcf_bindcnt - bind;
+-
+ 	NLA_PUT(skb, TCA_NAT_PARMS, sizeof(opt), &opt);
+ 	t.install = jiffies_to_clock_t(jiffies - p->tcf_tm.install);
+ 	t.lastuse = jiffies_to_clock_t(jiffies - p->tcf_tm.lastuse);
+diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
+index 4a1d640..97e84f3 100644
+--- a/net/sched/act_simple.c
++++ b/net/sched/act_simple.c
+@@ -164,13 +164,14 @@ static inline int tcf_simp_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_defact *d = a->priv;
+-	struct tc_defact opt;
++	struct tc_defact opt = {
++		.index   = d->tcf_index,
++		.refcnt  = d->tcf_refcnt - ref,
++		.bindcnt = d->tcf_bindcnt - bind,
++		.action  = d->tcf_action,
++	};
+ 	struct tcf_t t;
+ 
+-	opt.index = d->tcf_index;
+-	opt.refcnt = d->tcf_refcnt - ref;
+-	opt.bindcnt = d->tcf_bindcnt - bind;
+-	opt.action = d->tcf_action;
+ 	NLA_PUT(skb, TCA_DEF_PARMS, sizeof(opt), &opt);
+ 	NLA_PUT_STRING(skb, TCA_DEF_DATA, d->tcfd_defdata);
+ 	t.install = jiffies_to_clock_t(jiffies - d->tcf_tm.install);
+diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
+index e9607fe..66cbf4e 100644
+--- a/net/sched/act_skbedit.c
++++ b/net/sched/act_skbedit.c
+@@ -159,13 +159,14 @@ static inline int tcf_skbedit_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_skbedit *d = a->priv;
+-	struct tc_skbedit opt;
++	struct tc_skbedit opt = {
++		.index   = d->tcf_index,
++		.refcnt  = d->tcf_refcnt - ref,
++		.bindcnt = d->tcf_bindcnt - bind,
++		.action  = d->tcf_action,
++	};
+ 	struct tcf_t t;
+ 
+-	opt.index = d->tcf_index;
+-	opt.refcnt = d->tcf_refcnt - ref;
+-	opt.bindcnt = d->tcf_bindcnt - bind;
+-	opt.action = d->tcf_action;
+ 	NLA_PUT(skb, TCA_SKBEDIT_PARMS, sizeof(opt), &opt);
+ 	if (d->flags & SKBEDIT_F_PRIORITY)
+ 		NLA_PUT(skb, TCA_SKBEDIT_PRIORITY, sizeof(d->priority),

Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 05:43:04 2010	(r16435)
+++ dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 05:52:59 2010	(r16436)
@@ -23,3 +23,5 @@
 + bugfix/all/gfs2-BUG-in-gfs2_adjust_quota.patch
 + bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch
 + bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove-2.patch
++ bugfix/all/act_nat-use-stack-variable.patch
++ bugfix/all/net-sched-fix-some-memory-leaks.patch


