[kernel] r16788 - in dists/sid/linux-2.6/debian: . config patches/bugfix/all patches/features/all/openvz patches/series

Dann Frazier dannf at alioth.debian.org
Thu Jan 6 16:32:03 UTC 2011


Author: dannf
Date: Thu Jan  6 16:32:00 2011
New Revision: 16788

Log:
af_unix: limit unix_tot_inflight (CVE-2010-4249)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch
   dists/sid/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/config/defines
   dists/sid/linux-2.6/debian/patches/features/all/openvz/openvz.patch
   dists/sid/linux-2.6/debian/patches/series/30

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Jan  6 16:17:30 2011	(r16787)
+++ dists/sid/linux-2.6/debian/changelog	Thu Jan  6 16:32:00 2011	(r16788)
@@ -59,6 +59,7 @@
   [ dann frazier ]
   * exec: make argv/envp memory visible to oom-killer (CVE-2010-4243)
   * irda: Fix information leak in IRLMP_ENUMDEVICES (CVE-2010-4529)
+  * af_unix: limit unix_tot_inflight (CVE-2010-4249)
 
   [ Moritz Muehlenhoff ]
   * net: ax25: fix information leak to userland (CVE-2010-3875)

Modified: dists/sid/linux-2.6/debian/config/defines
==============================================================================
--- dists/sid/linux-2.6/debian/config/defines	Thu Jan  6 16:17:30 2011	(r16787)
+++ dists/sid/linux-2.6/debian/config/defines	Thu Jan  6 16:32:00 2011	(r16788)
@@ -2,6 +2,8 @@
 abiname: 5
 ignore-changes:
  module:drivers/net/wireless/iwlwifi/*
+ __scm_*
+ scm_*
 
 [base]
 arches:
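Review bot: Whitelisting `__scm_*` and `scm_*` under ignore-changes hides a real ABI break rather than avoiding one: scm-lower-SCM_MAX_FD.patch in this same revision changes the layout of `struct scm_fp_list` (int count → short count + short max, SCM_MAX_FD 255 → 253), so an out-of-tree module built against abiname 5 that allocates or indexes that structure would miscompute sizes at runtime with no warning from the ABI checker. Whether any such module exists for this tree is not visible here. A comment above the two entries recording why they were added would help whoever next bumps the abiname, e.g. `# scm_fp_list layout changed by bugfix/all/scm-lower-SCM_MAX_FD.patch (CVE-2010-4249 fix set)`, assuming the defines parser accepts comment lines.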

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch	Thu Jan  6 16:32:00 2011	(r16788)
@@ -0,0 +1,46 @@
+commit 9915672d41273f5b77f1b3c29b391ffb7732b84b
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Wed Nov 24 09:15:27 2010 -0800
+
+    af_unix: limit unix_tot_inflight
+    
+    Vegard Nossum found a unix socket OOM was possible, posting an exploit
+    program.
+    
+    My analysis is we can eat all LOWMEM memory before unix_gc() being
+    called from unix_release_sock(). Moreover, the thread blocked in
+    unix_gc() can consume huge amount of time to perform cleanup because of
+    huge working set.
+    
+    One way to handle this is to have a sensible limit on unix_tot_inflight,
+    tested from wait_for_unix_gc() and to force a call to unix_gc() if this
+    limit is hit.
+    
+    This solves the OOM and also reduce overall latencies, and should not
+    slowdown normal workloads.
+    
+    Reported-by: Vegard Nossum <vegard.nossum at gmail.com>
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/net/unix/garbage.c linux-source-2.6.32/net/unix/garbage.c
+--- linux-source-2.6.32.orig/net/unix/garbage.c	2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/net/unix/garbage.c	2011-01-02 22:05:02.129433863 -0700
+@@ -269,9 +269,16 @@ static void inc_inflight_move_tail(struc
+ }
+ 
+ static bool gc_in_progress = false;
++#define UNIX_INFLIGHT_TRIGGER_GC 16000
+ 
+ void wait_for_unix_gc(void)
+ {
++	/*
++	 * If number of inflight sockets is insane,
++	 * force a garbage collect right now.
++	 */
++	if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
++		unix_gc();
+ 	wait_event(unix_gc_wait, gc_in_progress == false);
+ }
+ 
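Review bot: The new trigger in wait_for_unix_gc() reads unix_tot_inflight and gc_in_progress without holding unix_gc_lock, so several senders can all observe !gc_in_progress and each call unix_gc(); that is only harmless if unix_gc() re-checks gc_in_progress under the lock, which is outside this hunk and should be stated in the added comment rather than left implicit. The threshold is also undocumented: `#define UNIX_INFLIGHT_TRIGGER_GC 16000` carries no rationale, so a maintainer cannot tell whether it is derived from SCM_MAX_FD, from LOWMEM sizing, or is simply a measured value. Suggest placing `/* Ceiling on fds in flight over AF_UNIX; above it a sender forces unix_gc() instead of waiting for unix_release_sock() to trigger it (CVE-2010-4249) */` next to the define. unix_gc() and the unix_gc_lock discipline are not visible in this patch.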

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch	Thu Jan  6 16:32:00 2011	(r16788)
@@ -0,0 +1,68 @@
+commit bba14de98753cb6599a2dae0e520714b2153522d
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Tue Nov 23 14:09:15 2010 +0000
+
+    scm: lower SCM_MAX_FD
+    
+    Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are
+    halved. (commit f8d570a4 added two pointers in this structure)
+    
+    scm_fp_dup() should not copy whole structure (and trigger kmemcheck
+    warnings), but only the used part. While we are at it, only allocate
+    needed size.
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/include/net/scm.h linux-source-2.6.32/include/net/scm.h
+--- linux-source-2.6.32.orig/include/net/scm.h	2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/include/net/scm.h	2011-01-02 22:09:08.709432603 -0700
+@@ -10,12 +10,13 @@
+ /* Well, we should have at least one descriptor open
+  * to accept passed FDs 8)
+  */
+-#define SCM_MAX_FD	255
++#define SCM_MAX_FD	253
+ 
+ struct scm_fp_list
+ {
+ 	struct list_head	list;
+-	int			count;
++	short			count;
++	short			max;
+ 	struct file		*fp[SCM_MAX_FD];
+ };
+ 
+diff -urpN linux-source-2.6.32.orig/net/core/scm.c linux-source-2.6.32/net/core/scm.c
+--- linux-source-2.6.32.orig/net/core/scm.c	2010-12-09 23:02:25.000000000 -0700
++++ linux-source-2.6.32/net/core/scm.c	2011-01-02 22:08:18.945434144 -0700
+@@ -78,10 +78,11 @@ static int scm_fp_copy(struct cmsghdr *c
+ 			return -ENOMEM;
+ 		*fplp = fpl;
+ 		fpl->count = 0;
++		fpl->max = SCM_MAX_FD;
+ 	}
+ 	fpp = &fpl->fp[fpl->count];
+ 
+-	if (fpl->count + num > SCM_MAX_FD)
++	if (fpl->count + num > fpl->max)
+ 		return -EINVAL;
+ 
+ 	/*
+@@ -302,11 +303,12 @@ struct scm_fp_list *scm_fp_dup(struct sc
+ 	if (!fpl)
+ 		return NULL;
+ 
+-	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
++	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
++			  GFP_KERNEL);
+ 	if (new_fpl) {
+-		for (i=fpl->count-1; i>=0; i--)
++		for (i = 0; i < fpl->count; i++)
+ 			get_file(fpl->fp[i]);
+-		memcpy(new_fpl, fpl, sizeof(*fpl));
++		new_fpl->max = new_fpl->count;
+ 	}
+ 	return new_fpl;
+ }
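Review bot: `fpl->max` is initialised only on the fresh-kmalloc path of scm_fp_copy (`fpl->max = SCM_MAX_FD;`) and in scm_fp_dup (`new_fpl->max = new_fpl->count;`); since the allocation is plain kmalloc, any other allocator of struct scm_fp_list in this 2.6.32 tree or in the openvz featureset would leave max uninitialised and the new bound `if (fpl->count + num > fpl->max)` would be unreliable — worth a grep, which this patch cannot show. With the shrunk kmemdup size a duplicated list holds exactly count entries, which is why max must equal count there; a comment such as `/* copy is sized to count: no spare fp[] slots, so appends must fail */` on that line would prevent a later "restore max = SCM_MAX_FD" regression. This patch is also added without a matching changelog line in this revision, whose hunk names only the af_unix patch.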

Modified: dists/sid/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/sid/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Thu Jan  6 16:17:30 2011	(r16787)
+++ dists/sid/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Thu Jan  6 16:32:00 2011	(r16788)
@@ -82511,14 +82511,14 @@
  		if (!fpl)
  			return -ENOMEM;
  		*fplp = fpl;
-@@ -302,7 +305,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
- 	if (!fpl)
+@@ -304,7 +307,7 @@ struct scm_fp_list *scm_fp_dup(struct sc
  		return NULL;
  
--	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
-+	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL_UBC);
+ 	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
+-			  GFP_KERNEL);
++			  GFP_KERNEL_UBC);
  	if (new_fpl) {
- 		for (i=fpl->count-1; i>=0; i--)
+ 		for (i = 0; i < fpl->count; i++)
  			get_file(fpl->fp[i]);
 diff --git a/net/core/skbuff.c b/net/core/skbuff.c
 index 283f441..c680a7f 100644
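Review bot: The refreshed scm_fp_dup hunk now requires the `new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),` context line, i.e. openvz.patch only applies once scm-lower-SCM_MAX_FD.patch has been applied; series/30 appends that patch at the end of the base series, so this is correct only if the openvz featureset series is applied after the whole base series, which this revision does not show. The GFP_KERNEL → GFP_KERNEL_UBC substitution is unchanged in intent and simply moves to the kmemdup continuation line. The scm_fp_copy hunk of openvz.patch visible above (context ending at `*fplp = fpl;`) was not touched and does not overlap the new `fpl->max = SCM_MAX_FD;` line, so no further refresh appears necessary.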

Modified: dists/sid/linux-2.6/debian/patches/series/30
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/30	Thu Jan  6 16:17:30 2011	(r16787)
+++ dists/sid/linux-2.6/debian/patches/series/30	Thu Jan  6 16:32:00 2011	(r16788)
@@ -37,3 +37,5 @@
 - bugfix/all/TTY-Fix-error-return-from-tty_ldisc_open.patch
 + bugfix/all/stable/2.6.32.28-rc1.patch
 + debian/revert-most-of-block-deprecate-queue_flag_cluster.patch
++ bugfix/all/af_unix-limit-unix_tot_inflight.patch
++ bugfix/all/scm-lower-SCM_MAX_FD.patch


