[kernel] r17795 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Mon Jul 4 05:49:31 UTC 2011
Author: benh
Date: Mon Jul 4 05:49:30 2011
New Revision: 17795
Log:
Add security fixes and CVE references for 2.6.39.2
partitions/efi: Fix crash (oops) caused by corrupted GUID partition table (CVE-2011-1577)
ksm: fix NULL pointer dereference in scan_get_next_rmap_item() (CVE-2011-2183)
inet_diag: Fix infinite loop in inet_diag_bc_audit() (CVE-2011-2213)
taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
2.6.39.2:
- nl80211: fix check for valid SSID size in scan operations (CVE-2011-2517)
- TOMOYO: Fix oops in tomoyo_mount_acl() (CVE-2011-2518)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-req.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/fs-partitions-efi.c-corrupted-GUID-partition-tables-.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/inet_diag-fix-inet_diag_bc_audit.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/ksm-fix-NULL-pointer-dereference-in-scan_get_next_rm.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/3
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Mon Jul 4 05:23:38 2011 (r17794)
+++ dists/sid/linux-2.6/debian/changelog Mon Jul 4 05:49:30 2011 (r17795)
@@ -12,11 +12,20 @@
* Update debconf template translations:
- Danish (Joe Dalton) (Closes: #632551)
- Slovak (Slavko) (Closes: #608684)
+ * partitions/efi: Fix crash (oops) caused by corrupted GUID partition
+ table (CVE-2011-1577)
+ * ksm: fix NULL pointer dereference in scan_get_next_rmap_item()
+ (CVE-2011-2183)
+ * inet_diag: Fix infinite loop in inet_diag_bc_audit() (CVE-2011-2213)
+ * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
+ * bluetooth: Prevent buffer overflow in l2cap config request
+ (CVE-2011-2497)
[ maximilian attems ]
* Add stable 2.6.39.2, including:
- block: Fix crash (oops) in blkdev_get() on failed exclusive open
(Closes: #631574)
+ - nl80211: fix check for valid SSID size in scan operations (CVE-2011-2517)
- drm/radeon/kms: viewport height has to be even
- drm/radeon/kms: fix for radeon on systems >4GB without hardware iommu
- fat: Fix corrupt inode flags when remove ATTR_SYS flag
@@ -24,6 +33,7 @@
- cifs: don't allow cifs_reconnect to exit with NULL socket pointer
- drm/radeon/kms: do bounds checking for 3D_LOAD_VBPNTR and bump array
limit
+ - TOMOYO: Fix oops in tomoyo_mount_acl() (CVE-2011-2518)
For the complete list of changes, see:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39.2
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-req.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-req.patch Mon Jul 4 05:49:30 2011 (r17795)
@@ -0,0 +1,30 @@
+Subject: [PATCH] Bluetooth: Prevent buffer overflow in l2cap config request
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: 2011-06-24 12:38:05
+
+A remote user can provide a small value for the command size field in
+the command header of an l2cap configuration request, resulting in an
+integer underflow when subtracting the size of the configuration request
+header. This results in copying a very large amount of data via
+memcpy() and destroying the kernel heap. Check for underflow.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: stable <stable at kernel.org>
+[bwh: Adjust for 2.6.39: replace chan with l2cap_pi(sk) or sk as appropriate]
+---
+ net/bluetooth/l2cap_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index e64a1c2..06ea272 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -2334,7 +2334,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
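Review bot: the new `len < 0` test only works if `len` is a signed type; its declaration is outside this hunk, and if it is unsigned the comparison is always false and the underflow described in the message survives. Since `cmd_len - sizeof(*req)` is computed in unsigned (size_t) arithmetic and only becomes negative on assignment to a signed `len`, a type-independent alternative is to reject before subtracting, e.g. `if (cmd_len < sizeof(*req))` ahead of `len = cmd_len - sizeof(*req);`. Either way, a one-line comment next to the check saying it catches the header-size underflow would help, because the subtraction as written does not obviously produce a negative value.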
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/fs-partitions-efi.c-corrupted-GUID-partition-tables-.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/fs-partitions-efi.c-corrupted-GUID-partition-tables-.patch Mon Jul 4 05:49:30 2011 (r17795)
@@ -0,0 +1,61 @@
+From: Timo Warns <Warns at pre-sense.de>
+Date: Thu, 26 May 2011 16:25:57 -0700
+Subject: [PATCH] fs/partitions/efi.c: corrupted GUID partition tables can
+ cause kernel oops
+
+commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde upstream.
+
+The kernel automatically evaluates partition tables of storage devices.
+The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
+a bug that causes a kernel oops on certain corrupted GUID partition
+tables.
+
+This bug has security impacts, because it allows, for example, to
+prepare a storage device that crashes a kernel subsystem upon connecting
+the device (e.g., a "USB Stick of (Partial) Death").
+
+ crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));
+
+computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
+There is no validation of (*gpt)->header_size before the efi_crc32 call.
+
+A corrupted partition table may have large values for (*gpt)->header_size.
+ In this case, the CRC32 computation access memory beyond the memory
+allocated for gpt, which may cause a kernel heap overflow.
+
+Validate value of GUID partition table header size.
+
+[akpm at linux-foundation.org: fix layout and indenting]
+Signed-off-by: Timo Warns <warns at pre-sense.de>
+Cc: Matt Domsch <Matt_Domsch at dell.com>
+Cc: Eugene Teo <eugeneteo at kernel.sg>
+Cc: Dave Jones <davej at codemonkey.org.uk>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/partitions/efi.c | 9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c
+index 19d6750..6296b40 100644
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -310,6 +310,15 @@ static int is_gpt_valid(struct parsed_partitions *state, u64 lba,
+ goto fail;
+ }
+
++ /* Check the GUID Partition Table header size */
++ if (le32_to_cpu((*gpt)->header_size) >
++ bdev_logical_block_size(state->bdev)) {
++ pr_debug("GUID Partition Table Header size is wrong: %u > %u\n",
++ le32_to_cpu((*gpt)->header_size),
++ bdev_logical_block_size(state->bdev));
++ goto fail;
++ }
++
+ /* Check the GUID Partition Table CRC */
+ origcrc = le32_to_cpu((*gpt)->header_crc32);
+ (*gpt)->header_crc32 = 0;
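Review bot: the new check bounds `header_size` only from above, against `bdev_logical_block_size(state->bdev)`; that is the right ceiling only if the buffer `*gpt` points to was allocated with exactly that size, and the allocation is outside this hunk, so worth confirming. There is also no lower bound: a `header_size` smaller than the header structure passes, and the CRC computed over `le32_to_cpu((*gpt)->header_size)` bytes then covers only a prefix of the fields the parser relies on afterwards. Suggest reading the value once, `u32 hs = le32_to_cpu((*gpt)->header_size);`, and rejecting `if (hs < sizeof(**gpt) || hs > bdev_logical_block_size(state->bdev))`, which also shortens the `pr_debug` argument list.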
+--
+1.7.5.4
+
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/inet_diag-fix-inet_diag_bc_audit.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/inet_diag-fix-inet_diag_bc_audit.patch Mon Jul 4 05:49:30 2011 (r17795)
@@ -0,0 +1,75 @@
+From: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Fri, 17 Jun 2011 16:25:39 -0400
+Subject: [PATCH] inet_diag: fix inet_diag_bc_audit()
+
+commit eeb1497277d6b1a0a34ed36b97e18f2bd7d6de0d upstream.
+
+A malicious user or buggy application can inject code and trigger an
+infinite loop in inet_diag_bc_audit()
+
+Also make sure each instruction is aligned on 4 bytes boundary, to avoid
+unaligned accesses.
+
+Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/inet_diag.c | 14 ++++++--------
+ 1 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index 6ffe94c..3267d38 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -437,7 +437,7 @@ static int valid_cc(const void *bc, int len, int cc)
+ return 0;
+ if (cc == len)
+ return 1;
+- if (op->yes < 4)
++ if (op->yes < 4 || op->yes & 3)
+ return 0;
+ len -= op->yes;
+ bc += op->yes;
+@@ -447,11 +447,11 @@ static int valid_cc(const void *bc, int len, int cc)
+
+ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
+ {
+- const unsigned char *bc = bytecode;
++ const void *bc = bytecode;
+ int len = bytecode_len;
+
+ while (len > 0) {
+- struct inet_diag_bc_op *op = (struct inet_diag_bc_op *)bc;
++ const struct inet_diag_bc_op *op = bc;
+
+ //printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
+ switch (op->code) {
+@@ -462,22 +462,20 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
+ case INET_DIAG_BC_S_LE:
+ case INET_DIAG_BC_D_GE:
+ case INET_DIAG_BC_D_LE:
+- if (op->yes < 4 || op->yes > len + 4)
+- return -EINVAL;
+ case INET_DIAG_BC_JMP:
+- if (op->no < 4 || op->no > len + 4)
++ if (op->no < 4 || op->no > len + 4 || op->no & 3)
+ return -EINVAL;
+ if (op->no < len &&
+ !valid_cc(bytecode, bytecode_len, len - op->no))
+ return -EINVAL;
+ break;
+ case INET_DIAG_BC_NOP:
+- if (op->yes < 4 || op->yes > len + 4)
+- return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
++ if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
++ return -EINVAL;
+ bc += op->yes;
+ len -= op->yes;
+ }
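Review bot: the loop still dereferences `op->code`, `op->yes` and `op->no` with only `while (len > 0)` as the guard, so when the remaining `len` is 1 to 3 bytes (a `bytecode_len` that is not a multiple of 4 gets there even with every `yes` aligned) the read of the 4-byte op runs past the end of the buffer; an `if (len < sizeof(*op)) return -EINVAL;` at the top of the loop closes that. Two smaller points: the `op->yes & 3` and `op->no & 3` tests only guarantee aligned accesses if `bytecode` itself is 4-byte aligned, which should be stated where the pointer comes in; and the comparison cases now fall through into `case INET_DIAG_BC_JMP:` with no statement between the labels, so a `/* fall through */` comment would make clear that dropping the `op->yes` check there is deliberate because it moved below the switch.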
+--
+1.7.5.4
+
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/ksm-fix-NULL-pointer-dereference-in-scan_get_next_rm.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/ksm-fix-NULL-pointer-dereference-in-scan_get_next_rm.patch Mon Jul 4 05:49:30 2011 (r17795)
@@ -0,0 +1,86 @@
+From: Hugh Dickins <hughd at google.com>
+Date: Wed, 15 Jun 2011 15:08:58 -0700
+Subject: [PATCH] ksm: fix NULL pointer dereference in
+ scan_get_next_rmap_item()
+
+commit 2b472611a32a72f4a118c069c2d62a1a3f087afd upstream.
+
+Andrea Righi reported a case where an exiting task can race against
+ksmd::scan_get_next_rmap_item (http://lkml.org/lkml/2011/6/1/742) easily
+triggering a NULL pointer dereference in ksmd.
+
+ksm_scan.mm_slot == &ksm_mm_head with only one registered mm
+
+CPU 1 (__ksm_exit) CPU 2 (scan_get_next_rmap_item)
+ list_empty() is false
+lock slot == &ksm_mm_head
+list_del(slot->mm_list)
+(list now empty)
+unlock
+ lock
+ slot = list_entry(slot->mm_list.next)
+ (list is empty, so slot is still ksm_mm_head)
+ unlock
+ slot->mm == NULL ... Oops
+
+Close this race by revalidating that the new slot is not simply the list
+head again.
+
+Andrea's test case:
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/mman.h>
+
+#define BUFSIZE getpagesize()
+
+int main(int argc, char **argv)
+{
+ void *ptr;
+
+ if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0) {
+ perror("posix_memalign");
+ exit(1);
+ }
+ if (madvise(ptr, BUFSIZE, MADV_MERGEABLE) < 0) {
+ perror("madvise");
+ exit(1);
+ }
+ *(char *)NULL = 0;
+
+ return 0;
+}
+
+Reported-by: Andrea Righi <andrea at betterlinux.com>
+Tested-by: Andrea Righi <andrea at betterlinux.com>
+Cc: Andrea Arcangeli <aarcange at redhat.com>
+Signed-off-by: Hugh Dickins <hughd at google.com>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ mm/ksm.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/mm/ksm.c b/mm/ksm.c
+index d708b3e..9a68b0c 100644
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -1302,6 +1302,12 @@ static struct rmap_item *scan_get_next_rmap_item(struct page **page)
+ slot = list_entry(slot->mm_list.next, struct mm_slot, mm_list);
+ ksm_scan.mm_slot = slot;
+ spin_unlock(&ksm_mmlist_lock);
++ /*
++ * Although we tested list_empty() above, a racing __ksm_exit
++ * of the last mm on the list may have removed it since then.
++ */
++ if (slot == &ksm_mm_head)
++ return NULL;
+ next_mm:
+ ksm_scan.address = 0;
+ ksm_scan.rmap_list = &slot->rmap_list;
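Review bot: the revalidation `if (slot == &ksm_mm_head) return NULL;` runs after `spin_unlock(&ksm_mmlist_lock)`; that is safe because `slot` is a local and `&ksm_mm_head` is a fixed address, but the comment above it should say so, and whether the caller treats a NULL return here exactly like an empty scan list, with `ksm_scan.mm_slot` left pointing at `&ksm_mm_head`, is worth confirming in the review. Separately, in the reproducer quoted in the message, `posix_memalign()` returns an error number rather than -1, so `if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0)` never reports failure; `!= 0` is the right test.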
+--
+1.7.5.4
+
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-.patch Mon Jul 4 05:49:30 2011 (r17795)
@@ -0,0 +1,81 @@
+From: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon, 27 Jun 2011 16:18:11 -0700
+Subject: [PATCH] taskstats: don't allow duplicate entries in listener mode
+
+commit 26c4caea9d697043cc5a458b96411b86d7f6babd upstream.
+
+Currently a single process may register exit handlers unlimited times.
+It may lead to a bloated listeners chain and very slow process
+terminations.
+
+Eg after 10KK sent TASKSTATS_CMD_ATTR_REGISTER_CPUMASKs ~300 Mb of
+kernel memory is stolen for the handlers chain and "time id" shows 2-7
+seconds instead of normal 0.003. It makes it possible to exhaust all
+kernel memory and to eat much of CPU time by triggerring numerous exits
+on a single CPU.
+
+The patch limits the number of times a single process may register
+itself on a single CPU to one.
+
+One little issue is kept unfixed - as taskstats_exit() is called before
+exit_files() in do_exit(), the orphaned listener entry (if it was not
+explicitly deregistered) is kept until the next someone's exit() and
+implicit deregistration in send_cpu_listeners(). So, if a process
+registered itself as a listener exits and the next spawned process gets
+the same pid, it would inherit taskstats attributes.
+
+Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+Cc: Balbir Singh <bsingharora at gmail.com>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/taskstats.c | 15 ++++++++++++---
+ 1 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/taskstats.c b/kernel/taskstats.c
+index 9ffea36..fc0f220 100644
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -285,16 +285,18 @@ ret:
+ static int add_del_listener(pid_t pid, const struct cpumask *mask, int isadd)
+ {
+ struct listener_list *listeners;
+- struct listener *s, *tmp;
++ struct listener *s, *tmp, *s2;
+ unsigned int cpu;
+
+ if (!cpumask_subset(mask, cpu_possible_mask))
+ return -EINVAL;
+
++ s = NULL;
+ if (isadd == REGISTER) {
+ for_each_cpu(cpu, mask) {
+- s = kmalloc_node(sizeof(struct listener), GFP_KERNEL,
+- cpu_to_node(cpu));
++ if (!s)
++ s = kmalloc_node(sizeof(struct listener),
++ GFP_KERNEL, cpu_to_node(cpu));
+ if (!s)
+ goto cleanup;
+ s->pid = pid;
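Review bot: `s` now doubles as a spare allocation carried from one CPU iteration to the next (`if (!s) s = kmalloc_node(...)`, and it is only reset to NULL once linked in), which is not obvious from this hunk alone; a comment at `s = NULL;` saying the allocation is reused when a CPU already has this pid registered would save the next reader a trip through the second hunk. Also note that the `cleanup` path is reached with `s == NULL` (the failed allocation), so nothing on that path should rely on `s`.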
+@@ -303,9 +305,16 @@ static int add_del_listener(pid_t pid, const struct cpumask *mask, int isadd)
+
+ listeners = &per_cpu(listener_array, cpu);
+ down_write(&listeners->sem);
++ list_for_each_entry_safe(s2, tmp, &listeners->list, list) {
++ if (s2->pid == pid)
++ goto next_cpu;
++ }
+ list_add(&s->list, &listeners->list);
++ s = NULL;
++next_cpu:
+ up_write(&listeners->sem);
+ }
++ kfree(s);
+ return 0;
+ }
+
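Review bot: the duplicate scan uses `list_for_each_entry_safe(s2, tmp, &listeners->list, list)` although nothing in the loop removes an entry, so the plain `list_for_each_entry` form suffices and `tmp` need not be involved. The check is per CPU, so one pid can still hold one entry on each CPU in `mask`; that matches the message ("to one" per CPU) but deserves a comment at `next_cpu:`. The trailing `kfree(s);` is what frees the spare when the last CPU was a duplicate and is a no-op when `s` was linked in (NULL), which is correct but likewise benefits from a comment.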
+--
+1.7.5.4
+
Modified: dists/sid/linux-2.6/debian/patches/series/3
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/3 Mon Jul 4 05:23:38 2011 (r17794)
+++ dists/sid/linux-2.6/debian/patches/series/3 Mon Jul 4 05:49:30 2011 (r17795)
@@ -2,3 +2,8 @@
+ bugfix/all/stable/2.6.39.2
+ bugfix/arm/rtc-twl-Switch-to-using-threaded_irq.patch
+ bugfix/all/bridge-provide-a-cow_metrics-method-for-fake_ops.patch
++ bugfix/all/fs-partitions-efi.c-corrupted-GUID-partition-tables-.patch
++ bugfix/all/ksm-fix-NULL-pointer-dereference-in-scan_get_next_rm.patch
++ bugfix/all/inet_diag-fix-inet_diag_bc_audit.patch
++ bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-.patch
++ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-req.patch