[kernel] r16788 - in dists/sid/linux-2.6/debian: . config patches/bugfix/all patches/features/all/openvz patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Jan 6 16:32:03 UTC 2011
Author: dannf
Date: Thu Jan 6 16:32:00 2011
New Revision: 16788
Log:
af_unix: limit unix_tot_inflight (CVE-2010-4249)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/config/defines
dists/sid/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/sid/linux-2.6/debian/patches/series/30
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Jan 6 16:17:30 2011 (r16787)
+++ dists/sid/linux-2.6/debian/changelog Thu Jan 6 16:32:00 2011 (r16788)
@@ -59,6 +59,7 @@
[ dann frazier ]
* exec: make argv/envp memory visible to oom-killer (CVE-2010-4243)
* irda: Fix information leak in IRLMP_ENUMDEVICES (CVE-2010-4529)
+ * af_unix: limit unix_tot_inflight (CVE-2010-4249)
[ Moritz Muehlenhoff ]
* net: ax25: fix information leak to userland (CVE-2010-3875)
Modified: dists/sid/linux-2.6/debian/config/defines
==============================================================================
--- dists/sid/linux-2.6/debian/config/defines Thu Jan 6 16:17:30 2011 (r16787)
+++ dists/sid/linux-2.6/debian/config/defines Thu Jan 6 16:32:00 2011 (r16788)
@@ -2,6 +2,8 @@
abiname: 5
ignore-changes:
module:drivers/net/wireless/iwlwifi/*
+ __scm_*
+ scm_*
[base]
arches:
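Review bot: The two new ignore-changes entries (`__scm_*`, `scm_*`) are added without saying why, so a later reader cannot tell whether the ABI waiver is still needed or can be dropped. They appear to be there because scm-lower-SCM_MAX_FD.patch changes the layout of struct scm_fp_list (int count becomes short count plus short max), which alters the modversion of every exported function whose prototype involves that struct; an out-of-tree module built against the old layout would now silently see mismatched fields rather than an ABI-check failure. If the defines format accepts comments, a one-line justification next to the entries, e.g. `# scm_fp_list layout changed by bugfix/all/scm-lower-SCM_MAX_FD.patch (CVE-2010-4249 series)`, would record that risk and when the waiver can be retired.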
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch Thu Jan 6 16:32:00 2011 (r16788)
@@ -0,0 +1,46 @@
+commit 9915672d41273f5b77f1b3c29b391ffb7732b84b
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Wed Nov 24 09:15:27 2010 -0800
+
+ af_unix: limit unix_tot_inflight
+
+ Vegard Nossum found a unix socket OOM was possible, posting an exploit
+ program.
+
+ My analysis is we can eat all LOWMEM memory before unix_gc() being
+ called from unix_release_sock(). Moreover, the thread blocked in
+ unix_gc() can consume huge amount of time to perform cleanup because of
+ huge working set.
+
+ One way to handle this is to have a sensible limit on unix_tot_inflight,
+ tested from wait_for_unix_gc() and to force a call to unix_gc() if this
+ limit is hit.
+
+ This solves the OOM and also reduce overall latencies, and should not
+ slowdown normal workloads.
+
+ Reported-by: Vegard Nossum <vegard.nossum at gmail.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/net/unix/garbage.c linux-source-2.6.32/net/unix/garbage.c
+--- linux-source-2.6.32.orig/net/unix/garbage.c 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/net/unix/garbage.c 2011-01-02 22:05:02.129433863 -0700
+@@ -269,9 +269,16 @@ static void inc_inflight_move_tail(struc
+ }
+
+ static bool gc_in_progress = false;
++#define UNIX_INFLIGHT_TRIGGER_GC 16000
+
+ void wait_for_unix_gc(void)
+ {
++ /*
++ * If number of inflight sockets is insane,
++ * force a garbage collect right now.
++ */
++ if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
++ unix_gc();
+ wait_event(unix_gc_wait, gc_in_progress == false);
+ }
+
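Review bot: The added guard in wait_for_unix_gc() reads unix_tot_inflight and gc_in_progress without holding unix_gc_lock, so the comparison can race with a concurrent unix_gc(); if unix_gc() re-checks gc_in_progress under unix_gc_lock as the upstream version does, the worst case is a redundant call, which is acceptable but should be stated rather than left to the reader, e.g. extend the new comment with `* Lockless read: unix_gc() re-validates under unix_gc_lock, so a stale value only costs a spurious call.` The threshold `#define UNIX_INFLIGHT_TRIGGER_GC 16000` is also an unexplained magic number; a comment noting that it is a heuristic bounding LOWMEM consumption by inflight descriptors (per the commit message), and that it was not tuned for Debian's 2.6.32, would help whoever later needs to change it. Because unix_gc() is only invoked when the counter is already above the limit, the limit is a ceiling on queued in-flight sockets rather than a hard cap on memory; that distinction belongs in the comment too.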
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch Thu Jan 6 16:32:00 2011 (r16788)
@@ -0,0 +1,68 @@
+commit bba14de98753cb6599a2dae0e520714b2153522d
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Tue Nov 23 14:09:15 2010 +0000
+
+ scm: lower SCM_MAX_FD
+
+ Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are
+ halved. (commit f8d570a4 added two pointers in this structure)
+
+ scm_fp_dup() should not copy whole structure (and trigger kmemcheck
+ warnings), but only the used part. While we are at it, only allocate
+ needed size.
+
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/include/net/scm.h linux-source-2.6.32/include/net/scm.h
+--- linux-source-2.6.32.orig/include/net/scm.h 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/include/net/scm.h 2011-01-02 22:09:08.709432603 -0700
+@@ -10,12 +10,13 @@
+ /* Well, we should have at least one descriptor open
+ * to accept passed FDs 8)
+ */
+-#define SCM_MAX_FD 255
++#define SCM_MAX_FD 253
+
+ struct scm_fp_list
+ {
+ struct list_head list;
+- int count;
++ short count;
++ short max;
+ struct file *fp[SCM_MAX_FD];
+ };
+
+diff -urpN linux-source-2.6.32.orig/net/core/scm.c linux-source-2.6.32/net/core/scm.c
+--- linux-source-2.6.32.orig/net/core/scm.c 2010-12-09 23:02:25.000000000 -0700
++++ linux-source-2.6.32/net/core/scm.c 2011-01-02 22:08:18.945434144 -0700
+@@ -78,10 +78,11 @@ static int scm_fp_copy(struct cmsghdr *c
+ return -ENOMEM;
+ *fplp = fpl;
+ fpl->count = 0;
++ fpl->max = SCM_MAX_FD;
+ }
+ fpp = &fpl->fp[fpl->count];
+
+- if (fpl->count + num > SCM_MAX_FD)
++ if (fpl->count + num > fpl->max)
+ return -EINVAL;
+
+ /*
+@@ -302,11 +303,12 @@ struct scm_fp_list *scm_fp_dup(struct sc
+ if (!fpl)
+ return NULL;
+
+- new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
++ new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
++ GFP_KERNEL);
+ if (new_fpl) {
+- for (i=fpl->count-1; i>=0; i--)
++ for (i = 0; i < fpl->count; i++)
+ get_file(fpl->fp[i]);
+- memcpy(new_fpl, fpl, sizeof(*fpl));
++ new_fpl->max = new_fpl->count;
+ }
+ return new_fpl;
+ }
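Review bot: The new `max` member added to struct scm_fp_list in include/net/scm.h has no comment, and its contract, the number of fp[] slots actually allocated, which scm_fp_dup() shrinks to count, is only recoverable by reading net/core/scm.c; suggest `short max; /* allocated capacity of fp[]: SCM_MAX_FD for a fresh list, count for a dup */`. In scm_fp_dup() the kmemdup() now copies only offsetof(struct scm_fp_list, fp[fpl->count]) bytes, so the correctness of the smaller allocation depends entirely on scm_fp_copy() bounding appends by `fpl->max` rather than SCM_MAX_FD, as the changed check in the first scm.c hunk does; a one-line comment above the kmemdup call, e.g. `/* Copy only the used slots; max is set below so later appends stay in bounds */`, would tie the two hunks together. The comment above SCM_MAX_FD in scm.h still explains only the "at least one descriptor" lower bound, not why the value is 253 (the commit message says: to halve the allocation after two pointers were added); that reasoning should move into the header comment so the odd constant is not "fixed" back to 255 later.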
Modified: dists/sid/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/sid/linux-2.6/debian/patches/features/all/openvz/openvz.patch Thu Jan 6 16:17:30 2011 (r16787)
+++ dists/sid/linux-2.6/debian/patches/features/all/openvz/openvz.patch Thu Jan 6 16:32:00 2011 (r16788)
@@ -82511,14 +82511,14 @@
if (!fpl)
return -ENOMEM;
*fplp = fpl;
-@@ -302,7 +305,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
- if (!fpl)
+@@ -304,7 +307,7 @@ struct scm_fp_list *scm_fp_dup(struct sc
return NULL;
-- new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
-+ new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL_UBC);
+ new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
+- GFP_KERNEL);
++ GFP_KERNEL_UBC);
if (new_fpl) {
- for (i=fpl->count-1; i>=0; i--)
+ for (i = 0; i < fpl->count; i++)
get_file(fpl->fp[i]);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 283f441..c680a7f 100644
Modified: dists/sid/linux-2.6/debian/patches/series/30
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/30 Thu Jan 6 16:17:30 2011 (r16787)
+++ dists/sid/linux-2.6/debian/patches/series/30 Thu Jan 6 16:32:00 2011 (r16788)
@@ -37,3 +37,5 @@
- bugfix/all/TTY-Fix-error-return-from-tty_ldisc_open.patch
+ bugfix/all/stable/2.6.32.28-rc1.patch
+ debian/revert-most-of-block-deprecate-queue_flag_cluster.patch
++ bugfix/all/af_unix-limit-unix_tot_inflight.patch
++ bugfix/all/scm-lower-SCM_MAX_FD.patch