[kernel] r16442 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Thu Oct 14 07:02:29 2010
New Revision: 16442

Log:
net sched: fix kernel leak in act_police (CVE-2010-3477)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/25

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Oct 14 06:50:39 2010	(r16441)
+++ dists/sid/linux-2.6/debian/changelog	Thu Oct 14 07:02:29 2010	(r16442)
@@ -39,6 +39,7 @@
   * rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
   * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
   * ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
+  * net sched: fix kernel leak in act_police (CVE-2010-3477)
 
  -- dann frazier <dannf at debian.org>  Wed, 13 Oct 2010 23:44:55 -0600
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch	Thu Oct 14 07:02:29 2010	(r16442)
@@ -0,0 +1,55 @@
+[Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+commit 0f04cfd098fb81fded74e78ea1a1b86cc6c6c31e
+Author: Jeff Mahoney <jeffm at suse.com>
+Date:   Tue Aug 31 13:21:42 2010 +0000
+
+    net sched: fix kernel leak in act_police
+    
+    While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
+     audited other users of tc_action_ops->dump for information leaks.
+    
+     That commit covered almost all of them but act_police still had a leak.
+    
+     opt.limit and opt.capab aren't zeroed out before the structure is
+     passed out.
+    
+     This patch uses the C99 initializers to zero everything unused out.
+    
+    Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+    Acked-by: Jeff Mahoney <jeffm at suse.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+--- a/net/sched/act_police.c	2009-12-02 20:51:21.000000000 -0700
++++ b/net/sched/act_police.c	2010-10-14 00:51:45.030382632 -0600
+@@ -340,22 +340,19 @@ tcf_act_police_dump(struct sk_buff *skb,
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_police *police = a->priv;
+-	struct tc_police opt;
++	struct tc_police opt = {
++		.index = police->tcf_index,
++		.action = police->tcf_action,
++		.mtu = police->tcfp_mtu,
++		.burst = police->tcfp_burst,
++		.refcnt = police->tcf_refcnt - ref,
++		.bindcnt = police->tcf_bindcnt - bind,
++	};
+ 
+-	opt.index = police->tcf_index;
+-	opt.action = police->tcf_action;
+-	opt.mtu = police->tcfp_mtu;
+-	opt.burst = police->tcfp_burst;
+-	opt.refcnt = police->tcf_refcnt - ref;
+-	opt.bindcnt = police->tcf_bindcnt - bind;
+ 	if (police->tcfp_R_tab)
+ 		opt.rate = police->tcfp_R_tab->rate;
+-	else
+-		memset(&opt.rate, 0, sizeof(opt.rate));
+ 	if (police->tcfp_P_tab)
+ 		opt.peakrate = police->tcfp_P_tab->rate;
+-	else
+-		memset(&opt.peakrate, 0, sizeof(opt.peakrate));
+ 	NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
+ 	if (police->tcfp_result)
+ 		NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);

Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 06:50:39 2010	(r16441)
+++ dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 07:02:29 2010	(r16442)
@@ -29,3 +29,4 @@
 + bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
 + bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
 + bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
++ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch