[kernel] r16777 - in dists/sid/linux-2.6/debian/patches: bugfix/all series
Moritz Muehlenhoff
jmm at alioth.debian.org
Wed Jan 5 13:20:54 UTC 2011
Author: jmm
Date: Wed Jan 5 13:20:45 2011
New Revision: 16777
Log:
fix security issues
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3875.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3876.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3877.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3880.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-4250.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-4342.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-4343.patch
Modified:
dists/sid/linux-2.6/debian/patches/series/30
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3875.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3875.patch Wed Jan 5 13:20:45 2011 (r16777)
@@ -0,0 +1,39 @@
+From fe10ae53384e48c51996941b7720ee16995cbcb7 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon at gmail.com>
+Date: Wed, 10 Nov 2010 10:14:33 -0800
+Subject: [PATCH] net: ax25: fix information leak to userland
+
+Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
+field of fsa struct, also the struct has padding bytes between
+sax25_call and sax25_ndigis fields. This structure is then copied to
+userland. It leads to leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ax25/af_ax25.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 26eaebf..bb86d29 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+ ax25_cb *ax25;
+ int err = 0;
+
++ memset(fsa, 0, sizeof(fsa));
+ lock_sock(sk);
+ ax25 = ax25_sk(sk);
+
+@@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+
+ fsa->fsa_ax25.sax25_family = AF_AX25;
+ fsa->fsa_ax25.sax25_call = ax25->dest_addr;
+- fsa->fsa_ax25.sax25_ndigis = 0;
+
+ if (ax25->digipeat != NULL) {
+ ndigi = ax25->digipeat->ndigi;
+--
+1.7.3.4
+
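Review bot: The added `memset(fsa, 0, sizeof(fsa));` clears only `sizeof` a pointer, because `fsa` is the pointer that is dereferenced as `fsa->fsa_ax25` a few lines later; on a 64-bit kernel that is 8 bytes, so the padding and `fsa_digipeater` entries the description says are leaked stay uninitialized. It should read `memset(fsa, 0, sizeof(*fsa));`, the form the sibling CVE-2010-3877 patch uses with `sizeof(*addr)`. Since the same hunk also removes the explicit `fsa->fsa_ax25.sax25_ndigis = 0;` on the assumption the memset covers it, the undersized memset likely leaves `sax25_ndigis` unset as well. ax25_getname() starts and ends outside the quoted hunks.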
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3876.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3876.patch Wed Jan 5 13:20:45 2011 (r16777)
@@ -0,0 +1,38 @@
+From 67286640f638f5ad41a946b9a3dc75327950248f Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon at gmail.com>
+Date: Wed, 10 Nov 2010 12:09:10 -0800
+Subject: [PATCH] net: packet: fix information leak to userland
+
+packet_getname_spkt() doesn't initialize all members of sa_data field of
+sockaddr struct if strlen(dev->name) < 13. This structure is then copied
+to userland. It leads to leaking of contents of kernel stack memory.
+We have to fully fill sa_data with strncpy() instead of strlcpy().
+
+The same with packet_getname(): it doesn't initialize sll_pkttype field of
+sockaddr_ll. Set it to zero.
+
+Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+
+[ Backported to 2.6.32 ]
+
+diff -Naur source.orig/net/packet/af_packet.c source/net/packet/af_packet.c
+--- source.orig/net/packet/af_packet.c 2011-01-05 11:28:10.155451000 +0100
++++ source/net/packet/af_packet.c 2011-01-05 13:53:41.706449450 +0100
+@@ -1526,7 +1526,7 @@
+ uaddr->sa_family = AF_PACKET;
+ dev = dev_get_by_index(sock_net(sk), pkt_sk(sk)->ifindex);
+ if (dev) {
+- strlcpy(uaddr->sa_data, dev->name, 15);
++ strncpy(uaddr->sa_data, dev->name, 14);
+ dev_put(dev);
+ } else
+ memset(uaddr->sa_data, 0, 14);
+@@ -1549,6 +1549,7 @@
+ sll->sll_family = AF_PACKET;
+ sll->sll_ifindex = po->ifindex;
+ sll->sll_protocol = po->num;
++ sll->sll_pkttype = 0;
+ dev = dev_get_by_index(sock_net(sk), po->ifindex);
+ if (dev) {
+ sll->sll_hatype = dev->type;
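Review bot: The replacement `strncpy(uaddr->sa_data, dev->name, 14);` depends on strncpy's zero-fill to close the leak, but nothing at the call site records that, and the literal 14 is duplicated in the `memset` on the else branch; a later reader scanning for unsafe string calls will see an unterminated strncpy and be tempted to "fix" it back. Assuming `sa_data` is the 14-byte array of `struct sockaddr`, tie both lengths to the field and state the intent: `/* strncpy zero-pads the rest of sa_data; the name is deliberately not NUL-terminated here */` above `strncpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));`, with the same `sizeof` in the memset. Both packet_getname_spkt() and packet_getname() begin outside their hunks.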
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3877.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3877.patch Wed Jan 5 13:20:45 2011 (r16777)
@@ -0,0 +1,30 @@
+From 88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52 Mon Sep 17 00:00:00 2001
+From: Kulikov Vasiliy <segooon at gmail.com>
+Date: Sun, 31 Oct 2010 07:10:32 +0000
+Subject: [PATCH] net: tipc: fix information leak to userland
+
+Structure sockaddr_tipc is copied to userland with padding bytes after
+"id" field in union field "name" unitialized. It leads to leaking of
+contents of kernel stack memory. We have to initialize them to zero.
+
+Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/tipc/socket.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 33217fc..e9f0d50 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -396,6 +396,7 @@ static int get_name(struct socket *sock, struct sockaddr *uaddr,
+ struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
+ struct tipc_sock *tsock = tipc_sk(sock->sk);
+
++ memset(addr, 0, sizeof(*addr));
+ if (peer) {
+ if ((sock->state != SS_CONNECTED) &&
+ ((peer != 2) || (sock->state != SS_DISCONNECTING)))
+--
+1.7.3.4
+
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3880.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-3880.patch Wed Jan 5 13:20:45 2011 (r16777)
@@ -0,0 +1,101 @@
+From 22e76c849d505d87c5ecf3d3e6742a65f0ff4860 Mon Sep 17 00:00:00 2001
+From: Nelson Elhage <nelhage at ksplice.com>
+Date: Wed, 3 Nov 2010 16:35:41 +0000
+Subject: [PATCH] inet_diag: Make sure we actually run the same bytecode we audited.
+
+We were using nlmsg_find_attr() to look up the bytecode by attribute when
+auditing, but then just using the first attribute when actually running
+bytecode. So, if we received a message with two attribute elements, where only
+the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
+bytecode strings.
+
+Fix this by consistently using nlmsg_find_attr everywhere.
+
+Signed-off-by: Nelson Elhage <nelhage at ksplice.com>
+Signed-off-by: Thomas Graf <tgraf at infradead.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+
+[Slightly adapted to apply against 2.6.32]
+
+diff -aur source.orig/net/ipv4/inet_diag.c source/net/ipv4/inet_diag.c
+--- source.orig/net/ipv4/inet_diag.c 2009-12-03 04:51:21.000000000 +0100
++++ source/net/ipv4/inet_diag.c 2011-01-05 11:50:52.522449113 +0100
+@@ -489,9 +489,11 @@
+ {
+ struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+
+- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ struct inet_diag_entry entry;
+- struct rtattr *bc = (struct rtattr *)(r + 1);
++ const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++ sizeof(*r),
++ INET_DIAG_REQ_BYTECODE);
+ struct inet_sock *inet = inet_sk(sk);
+
+ entry.family = sk->sk_family;
+@@ -511,7 +513,7 @@
+ entry.dport = ntohs(inet->dport);
+ entry.userlocks = sk->sk_userlocks;
+
+- if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++ if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ return 0;
+ }
+
+@@ -526,9 +528,11 @@
+ {
+ struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+
+- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ struct inet_diag_entry entry;
+- struct rtattr *bc = (struct rtattr *)(r + 1);
++ const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++ sizeof(*r),
++ INET_DIAG_REQ_BYTECODE);
+
+ entry.family = tw->tw_family;
+ #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+@@ -547,7 +551,7 @@
+ entry.dport = ntohs(tw->tw_dport);
+ entry.userlocks = 0;
+
+- if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++ if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ return 0;
+ }
+
+@@ -617,7 +621,7 @@
+ struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct listen_sock *lopt;
+- struct rtattr *bc = NULL;
++ const struct nlattr *bc = NULL;
+ struct inet_sock *inet = inet_sk(sk);
+ int j, s_j;
+ int reqnum, s_reqnum;
+@@ -637,8 +641,9 @@
+ if (!lopt || !lopt->qlen)
+ goto out;
+
+- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+- bc = (struct rtattr *)(r + 1);
++ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
++ bc = nlmsg_find_attr(cb->nlh, sizeof(*r),
++ INET_DIAG_REQ_BYTECODE);
+ entry.sport = inet->num;
+ entry.userlocks = sk->sk_userlocks;
+ }
+@@ -671,8 +676,8 @@
+ &ireq->rmt_addr;
+ entry.dport = ntohs(ireq->rmt_port);
+
+- if (!inet_diag_bc_run(RTA_DATA(bc),
+- RTA_PAYLOAD(bc), &entry))
++ if (!inet_diag_bc_run(nla_data(bc),
++ nla_len(bc), &entry))
+ continue;
+ }
+
+Nur in source/net/ipv4: inet_diag.c~.
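Review bot: After `if (nlmsg_attrlen(cb->nlh, sizeof(*r)))` the new code passes `nla_data(bc)` and `nla_len(bc)` to inet_diag_bc_run() without checking that `nlmsg_find_attr()` actually found INET_DIAG_REQ_BYTECODE; a request whose attribute area is non-empty but carries no attribute of that type would leave `bc` NULL at that point. This is presumably safe only because the receive-side audit (inet_diag_rcv_msg, not part of this patch) rejects such requests before the dump starts; if that is the intended contract, a comment such as `/* bc cannot be NULL: requests without INET_DIAG_REQ_BYTECODE were rejected at audit time */` should say so at the first lookup, otherwise guard with `if (!bc) return 0;` (or `continue;` in the listen-queue loop). The same pattern appears in all four inner hunks of this patch. Separately, the trailing `Nur in source/net/ipv4: inet_diag.c~.` line is an editor backup file swept up by `diff -aur` and should be dropped from the patch; the CVE-2010-4342 patch ends with the same `af_econet.c~` artefact.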
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-4250.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-4250.patch Wed Jan 5 13:20:45 2011 (r16777)
@@ -0,0 +1,31 @@
+From a2ae4cc9a16e211c8a128ba10d22a85431f093ab Mon Sep 17 00:00:00 2001
+From: Eric Paris <eparis at redhat.com>
+Date: Tue, 23 Nov 2010 18:18:37 -0500
+Subject: [PATCH] inotify: stop kernel memory leak on file creation failure
+
+If inotify_init is unable to allocate a new file for the new inotify
+group we leak the new group. This patch drops the reference on the
+group on file allocation failure.
+
+Reported-by: Vegard Nossum <vegard.nossum at gmail.com>
+cc: stable at kernel.org
+Signed-off-by: Eric Paris <eparis at redhat.com>
+---
+ fs/notify/inotify/inotify_user.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
+index 444c305..4cd5d5d 100644
+--- a/fs/notify/inotify/inotify_user.c
++++ b/fs/notify/inotify/inotify_user.c
+@@ -752,6 +752,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags)
+ if (ret >= 0)
+ return ret;
+
++ fsnotify_put_group(group);
+ atomic_dec(&user->inotify_devs);
+ out_free_uid:
+ free_uid(user);
+--
+1.7.3.4
+
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-4342.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-4342.patch Wed Jan 5 13:20:45 2011 (r16777)
@@ -0,0 +1,36 @@
+From 4e085e76cbe558b79b54cbab772f61185879bc64 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem at davemloft.net>
+Date: Wed, 8 Dec 2010 18:42:23 -0800
+Subject: [PATCH] econet: Fix crash in aun_incoming().
+
+Unconditional use of skb->dev won't work here,
+try to fetch the econet device via skb_dst()->dev
+instead.
+
+Suggested by Eric Dumazet.
+
+Reported-by: Nelson Elhage <nelhage at ksplice.com>
+Tested-by: Nelson Elhage <nelhage at ksplice.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+
+[Slightly adapted for 2.6.32]
+
+diff -aur source.orig/net/econet/af_econet.c source/net/econet/af_econet.c
+--- source.orig/net/econet/af_econet.c 2011-01-05 11:28:20.395451000 +0100
++++ source/net/econet/af_econet.c 2011-01-05 13:27:52.835450299 +0100
+@@ -843,9 +843,13 @@
+ {
+ struct iphdr *ip = ip_hdr(skb);
+ unsigned char stn = ntohl(ip->saddr) & 0xff;
++ struct dst_entry *dst = skb_dst(skb);
++ struct ec_device *edev = NULL;
+ struct sock *sk;
+ struct sk_buff *newskb;
+- struct ec_device *edev = skb->dev->ec_ptr;
++
++ if (dst)
++ edev = dst->dev->ec_ptr;
+
+ if (! edev)
+ goto bad;
+Nur in source/net/econet: af_econet.c~.
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-4343.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/CVE-2010-4343.patch Wed Jan 5 13:20:45 2011 (r16777)
@@ -0,0 +1,64 @@
+From 7873ca4e4401f0ecd8868bf1543113467e6bae61 Mon Sep 17 00:00:00 2001
+From: Krishna Gudipati <kgudipat at brocade.com>
+Date: Fri, 21 May 2010 14:39:45 -0700
+Subject: [PATCH] [SCSI] bfa: fix system crash when reading sysfs fc_host statistics
+
+The port data structure related to fc_host statistics collection is
+not initialized. This causes system crash when reading the fc_host
+statistics. The fix is to initialize port structure during driver
+attach.
+
+Signed-off-by: Krishna Gudipati <kgudipat at brocade.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/bfa/bfa_core.c | 22 ++++++++++++++++++++++
+ 1 files changed, 22 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/scsi/bfa/bfa_core.c b/drivers/scsi/bfa/bfa_core.c
+index 0c08e18..3a7b3f8 100644
+--- a/drivers/scsi/bfa/bfa_core.c
++++ b/drivers/scsi/bfa/bfa_core.c
+@@ -84,11 +84,32 @@ bfa_cfg_get_meminfo(struct bfa_iocfc_cfg_s *cfg, struct bfa_meminfo_s *meminfo)
+ for (i = 0; hal_mods[i]; i++)
+ hal_mods[i]->meminfo(cfg, &km_len, &dm_len);
+
++ dm_len += bfa_port_meminfo();
+
+ meminfo->meminfo[BFA_MEM_TYPE_KVA - 1].mem_len = km_len;
+ meminfo->meminfo[BFA_MEM_TYPE_DMA - 1].mem_len = dm_len;
+ }
+
++static void
++bfa_com_port_attach(struct bfa_s *bfa, struct bfa_meminfo_s *mi)
++{
++ struct bfa_port_s *port = &bfa->modules.port;
++ uint32_t dm_len;
++ uint8_t *dm_kva;
++ uint64_t dm_pa;
++
++ dm_len = bfa_port_meminfo();
++ dm_kva = bfa_meminfo_dma_virt(mi);
++ dm_pa = bfa_meminfo_dma_phys(mi);
++
++ memset(port, 0, sizeof(struct bfa_port_s));
++ bfa_port_attach(port, &bfa->ioc, bfa, bfa->trcmod, bfa->logm);
++ bfa_port_mem_claim(port, dm_kva, dm_pa);
++
++ bfa_meminfo_dma_virt(mi) = dm_kva + dm_len;
++ bfa_meminfo_dma_phys(mi) = dm_pa + dm_len;
++}
++
+ /**
+ * Use this function to do attach the driver instance with the BFA
+ * library. This function will not trigger any HW initialization
+@@ -140,6 +161,7 @@ bfa_attach(struct bfa_s *bfa, void *bfad, struct bfa_iocfc_cfg_s *cfg,
+ for (i = 0; hal_mods[i]; i++)
+ hal_mods[i]->attach(bfa, bfad, cfg, meminfo, pcidev);
+
++ bfa_com_port_attach(bfa, meminfo);
+ }
+
+ /**
+--
+1.7.3.4
+
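Review bot: The new static bfa_com_port_attach() has no header comment, although the neighbouring bfa_attach() carries a doc block; add one saying that it zeroes and attaches the port module, claims `bfa_port_meminfo()` bytes of the DMA region in `mi` and advances the DMA virt/phys cursors past it, and that it relies on the `dm_len += bfa_port_meminfo();` accounting added to bfa_cfg_get_meminfo() so that region is actually reserved. As a matter of style, `memset(port, 0, sizeof(struct bfa_port_s));` is better written `memset(port, 0, sizeof(*port));` so the size follows the variable's type. bfa_attach(), where the call is added, starts outside the hunk.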
Modified: dists/sid/linux-2.6/debian/patches/series/30
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/30 Wed Jan 5 02:44:04 2011 (r16776)
+++ dists/sid/linux-2.6/debian/patches/series/30 Wed Jan 5 13:20:45 2011 (r16777)
@@ -28,3 +28,11 @@
+ features/x86/dell-laptop-Add-Dell-Inc-type-9-to-DMI-whitelist.patch
- features/all/r8169-rtl8168d-1-2-request_firmware-3.patch
+ features/all/r8169-remove-the-firmware-of-RTL8111D.patch
++ bugfix/all/CVE-2010-3875.patch
++ bugfix/all/CVE-2010-3876.patch
++ bugfix/all/CVE-2010-3877.patch
++ bugfix/all/CVE-2010-3880.patch
++ bugfix/all/CVE-2010-4250.patch
++ bugfix/all/CVE-2010-4342.patch
++ bugfix/all/CVE-2010-4343.patch
+