[kernel] r16826 - in dists/lenny-security/linux-2.6/debian: . config patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jan 17 18:56:51 UTC 2011


Author: dannf
Date: Mon Jan 17 18:56:46 2011
New Revision: 16826

Log:
af_unix: limit unix_tot_inflight (CVE-2010-4249)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/config/defines
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 18:32:17 2011	(r16825)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 18:56:46 2011	(r16826)
@@ -12,6 +12,7 @@
   * KVM: VMX: fix vmx null pointer dereference on debug register access
     (CVE-2010-0435)
   * exec: make argv/envp memory visible to oom-killer (CVE-2010-4243)
+  * af_unix: limit unix_tot_inflight (CVE-2010-4249)
 
   [ Moritz Muehlenhoff ]
   * blkback/blktap/netback: Fix CVE-2010-3699 	
@@ -19,7 +20,7 @@
     (CVE-2010-4526)
   * sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)	
   * irda: prevent integer underflow in IRLMP_ENUMDEVICES (CVE-2010-4529)
-	
+
  -- dann frazier <dannf at debian.org>  Wed, 01 Dec 2010 20:32:11 -0700
 
 linux-2.6 (2.6.26-26lenny1) stable-security; urgency=high

Modified: dists/lenny-security/linux-2.6/debian/config/defines
==============================================================================
--- dists/lenny-security/linux-2.6/debian/config/defines	Mon Jan 17 18:32:17 2011	(r16825)
+++ dists/lenny-security/linux-2.6/debian/config/defines	Mon Jan 17 18:56:46 2011	(r16826)
@@ -1,6 +1,6 @@
 [abi]
 abiname: 2
-ignore-changes: cn_add_callback gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs saa7134_* saa_dsp_writel ub_sock_snd_queue_add
+ignore-changes: cn_add_callback gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs saa7134_* saa_dsp_writel ub_sock_snd_queue_add __scm_* scm_*
 
 [base]
 arches:

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch	Mon Jan 17 18:56:46 2011	(r16826)
@@ -0,0 +1,47 @@
+commit 39bc12da78776f253bf5ce7415a8b533856f7706
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Wed Nov 24 09:15:27 2010 -0800
+
+    af_unix: limit unix_tot_inflight
+    
+    Vegard Nossum found a unix socket OOM was possible, posting an exploit
+    program.
+    
+    My analysis is we can eat all LOWMEM memory before unix_gc() being
+    called from unix_release_sock(). Moreover, the thread blocked in
+    unix_gc() can consume huge amount of time to perform cleanup because of
+    huge working set.
+    
+    One way to handle this is to have a sensible limit on unix_tot_inflight,
+    tested from wait_for_unix_gc() and to force a call to unix_gc() if this
+    limit is hit.
+    
+    This solves the OOM and also reduce overall latencies, and should not
+    slowdown normal workloads.
+    
+    Reported-by: Vegard Nossum <vegard.nossum at gmail.com>
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: Adjusted to apply to Debian's 2.6.26]
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index dbc8e46..7437742 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -260,9 +260,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
+ }
+ 
+ static bool gc_in_progress = false;
++#define UNIX_INFLIGHT_TRIGGER_GC 16000
+ 
+ void wait_for_unix_gc(void)
+ {
++	/*
++	 * If number of inflight sockets is insane,
++	 * force a garbage collect right now.
++	 */
++	if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
++		unix_gc();
+ 	wait_event(unix_gc_wait, gc_in_progress == false);
+ }
+ 
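Review bot: The new check in wait_for_unix_gc() reads unix_tot_inflight and gc_in_progress without holding unix_gc_lock, and the comment added above it does not say that this is deliberate, so a reader may take the unlocked read for a bug. Since the check is only a trigger heuristic — a stale value at worst delays or repeats the call — I would extend the comment to say so, e.g. `Unlocked read on purpose: a stale value only delays or repeats the trigger; unix_gc() itself serialises on unix_gc_lock and returns early if a collection is already running.` unix_gc() and the declaration of unix_tot_inflight are outside the hunk, so the early-return claim should be confirmed against them before committing the wording. The threshold 16000 is a bare magic number; a one-line note on how it was chosen (or that it is the empirical ceiling taken from the upstream commit) would help whoever tunes it later.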

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch	Mon Jan 17 18:56:46 2011	(r16826)
@@ -0,0 +1,71 @@
+commit f1d0e842f4b3dd9f7ea8fe2ae439ea922d421026
+Author: dann frazier <dann.frazier at canonical.com>
+Date:   Mon Jan 17 11:52:13 2011 -0700
+
+    scm: lower SCM_MAX_FD
+    
+    Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are
+    halved. (commit f8d570a4 added two pointers in this structure)
+    
+    scm_fp_dup() should not copy whole structure (and trigger kmemcheck
+    warnings), but only the used part. While we are at it, only allocate
+    needed size.
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf:  Backported to Debian's 2.6.26]
+
+diff --git a/include/net/scm.h b/include/net/scm.h
+index 33e9986..d33d511 100644
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -10,12 +10,13 @@
+ /* Well, we should have at least one descriptor open
+  * to accept passed FDs 8)
+  */
+-#define SCM_MAX_FD	255
++#define SCM_MAX_FD	253
+ 
+ struct scm_fp_list
+ {
+ 	struct list_head	list;
+-	int			count;
++	short			count;
++	short			max;
+ 	struct file		*fp[SCM_MAX_FD];
+ };
+ 
+diff --git a/net/core/scm.c b/net/core/scm.c
+index ab242cc..c10e1f1 100644
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -77,10 +77,11 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
+ 		*fplp = fpl;
+ 		INIT_LIST_HEAD(&fpl->list);
+ 		fpl->count = 0;
++		fpl->max = SCM_MAX_FD;
+ 	}
+ 	fpp = &fpl->fp[fpl->count];
+ 
+-	if (fpl->count + num > SCM_MAX_FD)
++	if (fpl->count + num > fpl->max)
+ 		return -EINVAL;
+ 
+ 	/*
+@@ -299,12 +300,13 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
+ 	if (!fpl)
+ 		return NULL;
+ 
+-	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
++	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
++			  GFP_KERNEL);
+ 	if (new_fpl) {
+ 		INIT_LIST_HEAD(&new_fpl->list);
+-		for (i=fpl->count-1; i>=0; i--)
++		for (i = 0; i < fpl->count; i++)
+ 			get_file(fpl->fp[i]);
+-		memcpy(new_fpl, fpl, sizeof(*fpl));
++		new_fpl->max = new_fpl->count;
+ 	}
+ 	return new_fpl;
+ }
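Review bot: After this change a struct scm_fp_list returned by scm_fp_dup() is allocated only up to fp[count] (the kmemdup at the top of the second hunk), so any writer that indexes fp[] up to SCM_MAX_FD instead of fpl->max would now write past the allocation; scm_fp_copy() is updated here, but other users of scm_fp_list in this 2.6.26 tree are outside the hunk and should be checked for the same assumption. The new `max` field in scm.h carries no comment explaining this contract; I would add `/* capacity of fp[]: SCM_MAX_FD for lists built by scm_fp_copy(), count for copies made by scm_fp_dup() */` next to it. The narrowing of `count` from int to short is fine for the 253 ceiling but changes the layout of a structure visible to modules, which is what the `__scm_* scm_*` ignore-changes entry in config/defines accounts for. The loop direction change (`i = 0; i < fpl->count`) and the dropped memcpy are behaviour-preserving given the kmemdup.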

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 18:32:17 2011	(r16825)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 18:56:46 2011	(r16826)
@@ -10,3 +10,5 @@
 + bugfix/all/exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch
 + debian/exec-Get-rid-of-linux_binprm-vma_pages.patch
 + bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
++ bugfix/all/af_unix-limit-unix_tot_inflight.patch
++ bugfix/all/scm-lower-SCM_MAX_FD.patch


