[kernel] r16442 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 14 07:02:36 UTC 2010
Author: dannf
Date: Thu Oct 14 07:02:29 2010
New Revision: 16442
Log:
net sched: fix kernel leak in act_police (CVE-2010-3477)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/25
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Oct 14 06:50:39 2010 (r16441)
+++ dists/sid/linux-2.6/debian/changelog Thu Oct 14 07:02:29 2010 (r16442)
@@ -39,6 +39,7 @@
* rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
* Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
* ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
+ * net sched: fix kernel leak in act_police (CVE-2010-3477)
-- dann frazier <dannf at debian.org> Wed, 13 Oct 2010 23:44:55 -0600
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch Thu Oct 14 07:02:29 2010 (r16442)
@@ -0,0 +1,55 @@
+[Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+commit 0f04cfd098fb81fded74e78ea1a1b86cc6c6c31e
+Author: Jeff Mahoney <jeffm at suse.com>
+Date: Tue Aug 31 13:21:42 2010 +0000
+
+ net sched: fix kernel leak in act_police
+
+ While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
+ audited other users of tc_action_ops->dump for information leaks.
+
+ That commit covered almost all of them but act_police still had a leak.
+
+ opt.limit and opt.capab aren't zeroed out before the structure is
+ passed out.
+
+ This patch uses the C99 initializers to zero everything unused out.
+
+ Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+ Acked-by: Jeff Mahoney <jeffm at suse.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+--- a/net/sched/act_police.c 2009-12-02 20:51:21.000000000 -0700
++++ b/net/sched/act_police.c 2010-10-14 00:51:45.030382632 -0600
+@@ -340,22 +340,19 @@ tcf_act_police_dump(struct sk_buff *skb,
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_police *police = a->priv;
+- struct tc_police opt;
++ struct tc_police opt = {
++ .index = police->tcf_index,
++ .action = police->tcf_action,
++ .mtu = police->tcfp_mtu,
++ .burst = police->tcfp_burst,
++ .refcnt = police->tcf_refcnt - ref,
++ .bindcnt = police->tcf_bindcnt - bind,
++ };
+
+- opt.index = police->tcf_index;
+- opt.action = police->tcf_action;
+- opt.mtu = police->tcfp_mtu;
+- opt.burst = police->tcfp_burst;
+- opt.refcnt = police->tcf_refcnt - ref;
+- opt.bindcnt = police->tcf_bindcnt - bind;
+ if (police->tcfp_R_tab)
+ opt.rate = police->tcfp_R_tab->rate;
+- else
+- memset(&opt.rate, 0, sizeof(opt.rate));
+ if (police->tcfp_P_tab)
+ opt.peakrate = police->tcfp_P_tab->rate;
+- else
+- memset(&opt.peakrate, 0, sizeof(opt.peakrate));
+ NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
+ if (police->tcfp_result)
+ NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);
Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 06:50:39 2010 (r16441)
+++ dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 07:02:29 2010 (r16442)
@@ -29,3 +29,4 @@
+ bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
+ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
+ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
++ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
More information about the Kernel-svn-changes
mailing list