[kernel] r16478 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Oct 25 02:19:12 UTC 2010
Author: dannf
Date: Mon Oct 25 02:18:40 2010
New Revision: 16478
Log:
net sched: fix kernel leak in act_police (CVE-2010-3477)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified:
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Oct 24 23:52:14 2010 (r16477)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:18:40 2010 (r16478)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.26-25lenny2) UNRELEASED; urgency=high
+
+ * net sched: fix kernel leak in act_police (CVE-2010-3477)
+
+ -- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
+
linux-2.6 (2.6.26-25lenny1) stable-security; urgency=high
* irda: Correctly clean up self->ias_obj on irda_bind() failure.
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch Mon Oct 25 02:18:40 2010 (r16478)
@@ -0,0 +1,56 @@
+commit a284ebb1d9862fe94b3c693e55f60ef3587a3855
+Author: Jeff Mahoney <jeffm at suse.com>
+Date: Tue Aug 31 13:21:42 2010 +0000
+
+ net sched: fix kernel leak in act_police
+
+ While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
+ audited other users of tc_action_ops->dump for information leaks.
+
+ That commit covered almost all of them but act_police still had a leak.
+
+ opt.limit and opt.capab aren't zeroed out before the structure is
+ passed out.
+
+ This patch uses the C99 initializers to zero everything unused out.
+
+ Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+ Acked-by: Jeff Mahoney <jeffm at suse.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sched/act_police.c b/net/sched/act_police.c
+index 0898120..85d8315 100644
+--- a/net/sched/act_police.c
++++ b/net/sched/act_police.c
+@@ -320,22 +320,19 @@ tcf_act_police_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_police *police = a->priv;
+- struct tc_police opt;
+-
+- opt.index = police->tcf_index;
+- opt.action = police->tcf_action;
+- opt.mtu = police->tcfp_mtu;
+- opt.burst = police->tcfp_burst;
+- opt.refcnt = police->tcf_refcnt - ref;
+- opt.bindcnt = police->tcf_bindcnt - bind;
++ struct tc_police opt = {
++ .index = police->tcf_index,
++ .action = police->tcf_action,
++ .mtu = police->tcfp_mtu,
++ .burst = police->tcfp_burst,
++ .refcnt = police->tcf_refcnt - ref,
++ .bindcnt = police->tcf_bindcnt - bind,
++ };
++
+ if (police->tcfp_R_tab)
+ opt.rate = police->tcfp_R_tab->rate;
+- else
+- memset(&opt.rate, 0, sizeof(opt.rate));
+ if (police->tcfp_P_tab)
+ opt.peakrate = police->tcfp_P_tab->rate;
+- else
+- memset(&opt.peakrate, 0, sizeof(opt.peakrate));
+ NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
+ if (police->tcfp_result)
+ NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);
Added: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:18:40 2010 (r16478)
@@ -0,0 +1 @@
++ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
More information about the Kernel-svn-changes
mailing list