[kernel] r16478 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Mon Oct 25 02:19:12 UTC 2010

Author: dannf
Date: Mon Oct 25 02:18:40 2010
New Revision: 16478

Log:
net sched: fix kernel leak in act_police (CVE-2010-3477)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified:
   dists/lenny-security/linux-2.6/debian/changelog

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================

--- dists/lenny-security/linux-2.6/debian/changelog	Sun Oct 24 23:52:14 2010	(r16477)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:18:40 2010	(r16478)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.26-25lenny2) UNRELEASED; urgency=high
+
+  * net sched: fix kernel leak in act_police (CVE-2010-3477)
+
+ -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
+
 linux-2.6 (2.6.26-25lenny1) stable-security; urgency=high
 
   * irda: Correctly clean up self->ias_obj on irda_bind() failure.

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch	Mon Oct 25 02:18:40 2010	(r16478)
@@ -0,0 +1,56 @@
+commit a284ebb1d9862fe94b3c693e55f60ef3587a3855
+Author: Jeff Mahoney <jeffm at suse.com>
+Date:   Tue Aug 31 13:21:42 2010 +0000
+
+    net sched: fix kernel leak in act_police
+    
+    While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
+     audited other users of tc_action_ops->dump for information leaks.
+    
+     That commit covered almost all of them but act_police still had a leak.
+    
+     opt.limit and opt.capab aren't zeroed out before the structure is
+     passed out.
+    
+     This patch uses the C99 initializers to zero everything unused out.
+    
+    Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+    Acked-by: Jeff Mahoney <jeffm at suse.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sched/act_police.c b/net/sched/act_police.c
+index 0898120..85d8315 100644
+--- a/net/sched/act_police.c
++++ b/net/sched/act_police.c
+@@ -320,22 +320,19 @@ tcf_act_police_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_police *police = a->priv;
+-	struct tc_police opt;
+-
+-	opt.index = police->tcf_index;
+-	opt.action = police->tcf_action;
+-	opt.mtu = police->tcfp_mtu;
+-	opt.burst = police->tcfp_burst;
+-	opt.refcnt = police->tcf_refcnt - ref;
+-	opt.bindcnt = police->tcf_bindcnt - bind;
++	struct tc_police opt = {
++		.index = police->tcf_index,
++		.action = police->tcf_action,
++		.mtu = police->tcfp_mtu,
++		.burst = police->tcfp_burst,
++		.refcnt = police->tcf_refcnt - ref,
++		.bindcnt = police->tcf_bindcnt - bind,
++	};
++
+ 	if (police->tcfp_R_tab)
+ 		opt.rate = police->tcfp_R_tab->rate;
+-	else
+-		memset(&opt.rate, 0, sizeof(opt.rate));
+ 	if (police->tcfp_P_tab)
+ 		opt.peakrate = police->tcfp_P_tab->rate;
+-	else
+-		memset(&opt.peakrate, 0, sizeof(opt.peakrate));
+ 	NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
+ 	if (police->tcfp_result)
+ 		NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);

Added: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:18:40 2010	(r16478)
@@ -0,0 +1 @@
++ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch

