[kernel] r16436 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 14 05:53:01 UTC 2010
Author: dannf
Date: Thu Oct 14 05:52:59 2010
New Revision: 16436
Log:
net sched: fix some kernel memory leaks (CVE-2010-2942)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/act_nat-use-stack-variable.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-memory-leaks.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/25
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Oct 14 05:43:04 2010 (r16435)
+++ dists/sid/linux-2.6/debian/changelog Thu Oct 14 05:52:59 2010 (r16436)
@@ -34,8 +34,9 @@
* drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
* GFS2: Fix writing to non-page aligned gfs2_quota structures (CVE-2010-1436)
* hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
+ * net sched: fix some kernel memory leaks (CVE-2010-2942)
- -- dann frazier <dannf at debian.org> Wed, 13 Oct 2010 22:55:30 -0600
+ -- dann frazier <dannf at debian.org> Wed, 13 Oct 2010 23:44:55 -0600
linux-2.6 (2.6.32-24) unstable; urgency=high
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/act_nat-use-stack-variable.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/act_nat-use-stack-variable.patch Thu Oct 14 05:52:59 2010 (r16436)
@@ -0,0 +1,71 @@
+commit 504f85c9d05f7c605306e808f0d835fe11bfd18d
+Author: Changli Gao <xiaosuo at gmail.com>
+Date: Tue Jun 29 23:07:09 2010 +0000
+
+ act_nat: use stack variable
+
+ act_nat: use stack variable
+
+ structure tc_nat isn't too big for stack, so we can put it in stack.
+
+ Signed-off-by: Changli Gao <xiaosuo at gmail.com>
+ ----
+ net/sched/act_nat.c | 31 ++++++++++---------------------
+ 1 file changed, 10 insertions(+), 21 deletions(-)
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
+index 5709494..0be49a4 100644
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -265,40 +265,29 @@ static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_nat *p = a->priv;
+- struct tc_nat *opt;
++ struct tc_nat opt;
+ struct tcf_t t;
+- int s;
+
+- s = sizeof(*opt);
++ opt.old_addr = p->old_addr;
++ opt.new_addr = p->new_addr;
++ opt.mask = p->mask;
++ opt.flags = p->flags;
+
+- /* netlink spinlocks held above us - must use ATOMIC */
+- opt = kzalloc(s, GFP_ATOMIC);
+- if (unlikely(!opt))
+- return -ENOBUFS;
++ opt.index = p->tcf_index;
++ opt.action = p->tcf_action;
++ opt.refcnt = p->tcf_refcnt - ref;
++ opt.bindcnt = p->tcf_bindcnt - bind;
+
+- opt->old_addr = p->old_addr;
+- opt->new_addr = p->new_addr;
+- opt->mask = p->mask;
+- opt->flags = p->flags;
+-
+- opt->index = p->tcf_index;
+- opt->action = p->tcf_action;
+- opt->refcnt = p->tcf_refcnt - ref;
+- opt->bindcnt = p->tcf_bindcnt - bind;
+-
+- NLA_PUT(skb, TCA_NAT_PARMS, s, opt);
++ NLA_PUT(skb, TCA_NAT_PARMS, sizeof(opt), &opt);
+ t.install = jiffies_to_clock_t(jiffies - p->tcf_tm.install);
+ t.lastuse = jiffies_to_clock_t(jiffies - p->tcf_tm.lastuse);
+ t.expires = jiffies_to_clock_t(p->tcf_tm.expires);
+ NLA_PUT(skb, TCA_NAT_TM, sizeof(t), &t);
+
+- kfree(opt);
+-
+ return skb->len;
+
+ nla_put_failure:
+ nlmsg_trim(skb, b);
+- kfree(opt);
+ return -1;
+ }
+
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-memory-leaks.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-some-memory-leaks.patch Thu Oct 14 05:52:59 2010 (r16436)
@@ -0,0 +1,163 @@
+commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Mon Aug 16 20:04:22 2010 +0000
+
+ net sched: fix some kernel memory leaks
+
+ We leak at least 32bits of kernel memory to user land in tc dump,
+ because we dont init all fields (capab ?) of the dumped structure.
+
+ Use C99 initializers so that holes and non explicit fields are zeroed.
+
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
+index 8406c66..c2ed90a 100644
+--- a/net/sched/act_gact.c
++++ b/net/sched/act_gact.c
+@@ -152,21 +152,24 @@ static int tcf_gact(struct sk_buff *skb, struct tc_action *a, struct tcf_result
+ static int tcf_gact_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+- struct tc_gact opt;
+ struct tcf_gact *gact = a->priv;
++ struct tc_gact opt = {
++ .index = gact->tcf_index,
++ .refcnt = gact->tcf_refcnt - ref,
++ .bindcnt = gact->tcf_bindcnt - bind,
++ .action = gact->tcf_action,
++ };
+ struct tcf_t t;
+
+- opt.index = gact->tcf_index;
+- opt.refcnt = gact->tcf_refcnt - ref;
+- opt.bindcnt = gact->tcf_bindcnt - bind;
+- opt.action = gact->tcf_action;
+ NLA_PUT(skb, TCA_GACT_PARMS, sizeof(opt), &opt);
+ #ifdef CONFIG_GACT_PROB
+ if (gact->tcfg_ptype) {
+- struct tc_gact_p p_opt;
+- p_opt.paction = gact->tcfg_paction;
+- p_opt.pval = gact->tcfg_pval;
+- p_opt.ptype = gact->tcfg_ptype;
++ struct tc_gact_p p_opt = {
++ .paction = gact->tcfg_paction,
++ .pval = gact->tcfg_pval,
++ .ptype = gact->tcfg_ptype,
++ };
++
+ NLA_PUT(skb, TCA_GACT_PROB, sizeof(p_opt), &p_opt);
+ }
+ #endif
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index 11f195a..0c311be 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -219,15 +219,16 @@ static int tcf_mirred_dump(struct sk_buff *skb, struct tc_action *a, int bind, i
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_mirred *m = a->priv;
+- struct tc_mirred opt;
++ struct tc_mirred opt = {
++ .index = m->tcf_index,
++ .action = m->tcf_action,
++ .refcnt = m->tcf_refcnt - ref,
++ .bindcnt = m->tcf_bindcnt - bind,
++ .eaction = m->tcfm_eaction,
++ .ifindex = m->tcfm_ifindex,
++ };
+ struct tcf_t t;
+
+- opt.index = m->tcf_index;
+- opt.action = m->tcf_action;
+- opt.refcnt = m->tcf_refcnt - ref;
+- opt.bindcnt = m->tcf_bindcnt - bind;
+- opt.eaction = m->tcfm_eaction;
+- opt.ifindex = m->tcfm_ifindex;
+ NLA_PUT(skb, TCA_MIRRED_PARMS, sizeof(opt), &opt);
+ t.install = jiffies_to_clock_t(jiffies - m->tcf_tm.install);
+ t.lastuse = jiffies_to_clock_t(jiffies - m->tcf_tm.lastuse);
+diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
+index 509a2d5..186eb83 100644
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -272,19 +272,19 @@ static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_nat *p = a->priv;
+- struct tc_nat opt;
++ struct tc_nat opt = {
++ .old_addr = p->old_addr,
++ .new_addr = p->new_addr,
++ .mask = p->mask,
++ .flags = p->flags,
++
++ .index = p->tcf_index,
++ .action = p->tcf_action,
++ .refcnt = p->tcf_refcnt - ref,
++ .bindcnt = p->tcf_bindcnt - bind,
++ };
+ struct tcf_t t;
+
+- opt.old_addr = p->old_addr;
+- opt.new_addr = p->new_addr;
+- opt.mask = p->mask;
+- opt.flags = p->flags;
+-
+- opt.index = p->tcf_index;
+- opt.action = p->tcf_action;
+- opt.refcnt = p->tcf_refcnt - ref;
+- opt.bindcnt = p->tcf_bindcnt - bind;
+-
+ NLA_PUT(skb, TCA_NAT_PARMS, sizeof(opt), &opt);
+ t.install = jiffies_to_clock_t(jiffies - p->tcf_tm.install);
+ t.lastuse = jiffies_to_clock_t(jiffies - p->tcf_tm.lastuse);
+diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
+index 4a1d640..97e84f3 100644
+--- a/net/sched/act_simple.c
++++ b/net/sched/act_simple.c
+@@ -164,13 +164,14 @@ static inline int tcf_simp_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_defact *d = a->priv;
+- struct tc_defact opt;
++ struct tc_defact opt = {
++ .index = d->tcf_index,
++ .refcnt = d->tcf_refcnt - ref,
++ .bindcnt = d->tcf_bindcnt - bind,
++ .action = d->tcf_action,
++ };
+ struct tcf_t t;
+
+- opt.index = d->tcf_index;
+- opt.refcnt = d->tcf_refcnt - ref;
+- opt.bindcnt = d->tcf_bindcnt - bind;
+- opt.action = d->tcf_action;
+ NLA_PUT(skb, TCA_DEF_PARMS, sizeof(opt), &opt);
+ NLA_PUT_STRING(skb, TCA_DEF_DATA, d->tcfd_defdata);
+ t.install = jiffies_to_clock_t(jiffies - d->tcf_tm.install);
+diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
+index e9607fe..66cbf4e 100644
+--- a/net/sched/act_skbedit.c
++++ b/net/sched/act_skbedit.c
+@@ -159,13 +159,14 @@ static inline int tcf_skbedit_dump(struct sk_buff *skb, struct tc_action *a,
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_skbedit *d = a->priv;
+- struct tc_skbedit opt;
++ struct tc_skbedit opt = {
++ .index = d->tcf_index,
++ .refcnt = d->tcf_refcnt - ref,
++ .bindcnt = d->tcf_bindcnt - bind,
++ .action = d->tcf_action,
++ };
+ struct tcf_t t;
+
+- opt.index = d->tcf_index;
+- opt.refcnt = d->tcf_refcnt - ref;
+- opt.bindcnt = d->tcf_bindcnt - bind;
+- opt.action = d->tcf_action;
+ NLA_PUT(skb, TCA_SKBEDIT_PARMS, sizeof(opt), &opt);
+ if (d->flags & SKBEDIT_F_PRIORITY)
+ NLA_PUT(skb, TCA_SKBEDIT_PRIORITY, sizeof(d->priority),
Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 05:43:04 2010 (r16435)
+++ dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 05:52:59 2010 (r16436)
@@ -23,3 +23,5 @@
+ bugfix/all/gfs2-BUG-in-gfs2_adjust_quota.patch
+ bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch
+ bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove-2.patch
++ bugfix/all/act_nat-use-stack-variable.patch
++ bugfix/all/net-sched-fix-some-memory-leaks.patch
More information about the Kernel-svn-changes
mailing list