[kernel] r16813 - in dists/lenny-security/linux-2.6/debian: . patches/features/all/xen patches/series
Moritz Muehlenhoff
jmm at alioth.debian.org
Sun Jan 16 02:44:08 UTC 2011
Author: jmm
Date: Sun Jan 16 02:44:06 2011
New Revision: 16813
Log:
fix CVE-2010-3699 for Lenny
Added:
dists/lenny-security/linux-2.6/debian/patches/features/all/xen/CVE-2010-3699.patch
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2-extra
Modified:
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sat Jan 15 11:04:17 2011 (r16812)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Jan 16 02:44:06 2011 (r16813)
@@ -10,6 +10,7 @@
(CVE-2010-4248)
* KVM: VMX: fix vmx null pointer dereference on debug register access
(CVE-2010-0435)
+ * blkback/blktap/netback: Fix CVE-2010-3699
-- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/features/all/xen/CVE-2010-3699.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/xen/CVE-2010-3699.patch Sun Jan 16 02:44:06 2011 (r16813)
@@ -0,0 +1,165 @@
+Nur in source_i386_xen: CVE-2010-3699.patch.
+diff -aur source_i386_xen.orig/drivers/xen/blkback/xenbus.c source_i386_xen/drivers/xen/blkback/xenbus.c
+--- source_i386_xen.orig/drivers/xen/blkback/xenbus.c 2011-01-16 03:23:09.000000000 +0100
++++ source_i386_xen/drivers/xen/blkback/xenbus.c 2011-01-16 03:34:53.000000000 +0100
+@@ -370,6 +370,11 @@
+ if (dev->state == XenbusStateConnected)
+ break;
+
++ /* Enforce precondition before potential leak point.
++ * blkif_disconnect() is idempotent.
++ */
++ blkif_disconnect(be->blkif);
++
+ err = connect_ring(be);
+ if (err)
+ break;
+@@ -387,6 +392,7 @@
+ break;
+ /* fall through if not online */
+ case XenbusStateUnknown:
++ /* implies blkif_disconnect() via blkback_remove() */
+ device_unregister(&dev->dev);
+ break;
+
+diff -aur source_i386_xen.orig/drivers/xen/blktap/xenbus.c source_i386_xen/drivers/xen/blktap/xenbus.c
+--- source_i386_xen.orig/drivers/xen/blktap/xenbus.c 2011-01-16 03:23:09.000000000 +0100
++++ source_i386_xen/drivers/xen/blktap/xenbus.c 2011-01-16 03:34:53.000000000 +0100
+@@ -325,6 +325,31 @@
+ tap_update_blkif_status(be->blkif);
+ }
+
++
++static void blkif_disconnect(blkif_t *blkif)
++{
++ if (blkif->xenblkd) {
++ kthread_stop(blkif->xenblkd);
++ blkif->xenblkd = NULL;
++ }
++
++ /* idempotent */
++ tap_blkif_free(blkif);
++}
++
++
++
++static void blkif_disconnect(blkif_t *blkif)
++{
++ if (blkif->xenblkd) {
++ kthread_stop(blkif->xenblkd);
++ blkif->xenblkd = NULL;
++ }
++
++ /* idempotent */
++ tap_blkif_free(blkif);
++}
++
+ /**
+ * Callback received when the frontend's state changes.
+ */
+@@ -353,6 +378,11 @@
+ if (dev->state == XenbusStateConnected)
+ break;
+
++ /* Enforce precondition before potential leak point.
++ * blkif_disconnect() is idempotent.
++ */
++ blkif_disconnect(be->blkif);
++
+ err = connect_ring(be);
+ if (err)
+ break;
+@@ -360,10 +390,7 @@
+ break;
+
+ case XenbusStateClosing:
+- if (be->blkif->xenblkd) {
+- kthread_stop(be->blkif->xenblkd);
+- be->blkif->xenblkd = NULL;
+- }
++ blkif_disconnect(be->blkif);
+ xenbus_switch_state(dev, XenbusStateClosing);
+ break;
+
+@@ -373,6 +400,9 @@
+ break;
+ /* fall through if not online */
+ case XenbusStateUnknown:
++ /* Implies the effects of blkif_disconnect() via
++ * blktap_remove().
++ */
+ device_unregister(&dev->dev);
+ break;
+
+diff -aur source_i386_xen.orig/drivers/xen/netback/xenbus.c source_i386_xen/drivers/xen/netback/xenbus.c
+--- source_i386_xen.orig/drivers/xen/netback/xenbus.c 2011-01-16 03:23:09.000000000 +0100
++++ source_i386_xen/drivers/xen/netback/xenbus.c 2011-01-16 03:34:53.000000000 +0100
+@@ -32,6 +32,7 @@
+ static int connect_rings(struct backend_info *);
+ static void connect(struct backend_info *);
+ static void backend_create_netif(struct backend_info *be);
++static void netback_disconnect(struct device *);
+
+ static int netback_remove(struct xenbus_device *dev)
+ {
+@@ -39,16 +40,22 @@
+
+ netback_remove_accelerators(be, dev);
+
+- if (be->netif) {
+- kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE);
+- netif_disconnect(be->netif);
+- be->netif = NULL;
+- }
++ netback_disconnect(&dev->dev);
+ kfree(be);
+ dev->dev.driver_data = NULL;
+ return 0;
+ }
+
++static void netback_disconnect(struct device *xbdev_dev)
++{
++ struct backend_info *be = xbdev_dev->driver_data;
++
++ if (be->netif) {
++ kobject_uevent(&xbdev_dev->kobj, KOBJ_OFFLINE);
++ netif_disconnect(be->netif);
++ be->netif = NULL;
++ }
++}
+
+ /**
+ * Entry point to this code when a new device is created. Allocate the basic
+@@ -226,17 +233,19 @@
+ break;
+
+ case XenbusStateConnected:
++
++ /* Enforce precondition before potential leak point.
++ * netback_disconnect() is idempotent.
++ */
++ netback_disconnect(&dev->dev);
++
+ backend_create_netif(be);
+ if (be->netif)
+ connect(be);
+ break;
+
+ case XenbusStateClosing:
+- if (be->netif) {
+- kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE);
+- netif_disconnect(be->netif);
+- be->netif = NULL;
+- }
++ netback_disconnect(&dev->dev);
+ xenbus_switch_state(dev, XenbusStateClosing);
+ break;
+
+@@ -246,6 +255,7 @@
+ break;
+ /* fall through if not online */
+ case XenbusStateUnknown:
++ /* implies netback_disconnect() via netback_remove() */
+ device_unregister(&dev->dev);
+ break;
+
Added: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2-extra
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2-extra Sun Jan 16 02:44:06 2011 (r16813)
@@ -0,0 +1 @@
++ features/all/xen/CVE-2010-3699.patch featureset=xen
More information about the Kernel-svn-changes
mailing list