[kernel] r17644 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Jun 11 14:23:03 UTC 2011
Author: dannf
Date: Sat Jun 11 14:23:02 2011
New Revision: 17644
Log:
tunnels: fix netns vs proto registration ordering (CVE-2011-1768)
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch
Modified:
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/35
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Sat Jun 11 14:22:53 2011 (r17643)
+++ dists/squeeze/linux-2.6/debian/changelog Sat Jun 11 14:23:02 2011 (r17644)
@@ -36,6 +36,7 @@
[ dann frazier ]
* efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)
+ * tunnels: fix netns vs proto registration ordering (CVE-2011-1768)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 04 May 2011 01:44:34 +0100
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch Sat Jun 11 14:23:02 2011 (r17644)
@@ -0,0 +1,160 @@
+commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978
+Author: Alexey Dobriyan <adobriyan at gmail.com>
+Date: Tue Feb 16 09:05:04 2010 +0000
+
+ tunnels: fix netns vs proto registration ordering
+
+ Same stuff as in ip_gre patch: receive hook can be called before netns
+ setup is done, oopsing in net_generic().
+
+ Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/net/ipv4/ipip.c linux-source-2.6.26/net/ipv4/ipip.c
+--- linux-source-2.6.26.orig/net/ipv4/ipip.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv4/ipip.c 2011-06-09 20:08:37.464943595 -0600
+@@ -842,15 +842,14 @@ static int __init ipip_init(void)
+
+ printk(banner);
+
+- if (xfrm4_tunnel_register(&ipip_handler, AF_INET)) {
++ err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
++ if (err < 0)
++ return err;
++ err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
++ if (err < 0) {
++ unregister_pernet_device(&ipip_net_ops);
+ printk(KERN_INFO "ipip init: can't register tunnel\n");
+- return -EAGAIN;
+ }
+-
+- err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
+- if (err)
+- xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+-
+ return err;
+ }
+
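Review bot: The new failure path in ipip_init() undoes `register_pernet_gen_device(&ipip_net_id, &ipip_net_ops)` with `unregister_pernet_device(&ipip_net_ops)`, which takes no id, so the generic id handed out at registration is probably never released; the sit_init() hunk further down has the same pairing. If this tree still provides the gen variant of the teardown, the calls should be `unregister_pernet_gen_device(ipip_net_id, &ipip_net_ops);` here and `unregister_pernet_gen_device(sit_net_id, &sit_net_ops);` in sit.c. The module exit functions are outside both hunks, so it is worth checking that they also tear down in reverse order: protocol handler first, per-netns state last.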
+diff -urpN linux-source-2.6.26.orig/net/ipv6/ip6_tunnel.c linux-source-2.6.26/net/ipv6/ip6_tunnel.c
+--- linux-source-2.6.26.orig/net/ipv6/ip6_tunnel.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv6/ip6_tunnel.c 2011-06-09 20:13:03.276239292 -0600
+@@ -1489,27 +1489,29 @@ static int __init ip6_tunnel_init(void)
+ {
+ int err;
+
+- if (xfrm6_tunnel_register(&ip4ip6_handler, AF_INET)) {
++ err = register_pernet_device(&ip6_tnl_net_ops);
++ if (err < 0)
++ goto out_pernet;
++
++ err = xfrm6_tunnel_register(&ip4ip6_handler, AF_INET);
++ if (err < 0) {
+ printk(KERN_ERR "ip6_tunnel init: can't register ip4ip6\n");
+- err = -EAGAIN;
+- goto out;
++ goto out_ip4ip6;
+ }
+
+- if (xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6)) {
++ err = xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6);
++ if (err < 0) {
+ printk(KERN_ERR "ip6_tunnel init: can't register ip6ip6\n");
+- err = -EAGAIN;
+- goto unreg_ip4ip6;
++ goto out_ip6ip6;
+ }
+
+- err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
+- if (err < 0)
+- goto err_pernet;
+ return 0;
+-err_pernet:
+- xfrm6_tunnel_deregister(&ip6ip6_handler, AF_INET6);
+-unreg_ip4ip6:
++
++out_ip6ip6:
+ xfrm6_tunnel_deregister(&ip4ip6_handler, AF_INET);
+-out:
++out_ip4ip6:
++ unregister_pernet_device(&ip6_tnl_net_ops);
++out_pernet:
+ return err;
+ }
+
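Review bot: ip6_tunnel_init() now calls `register_pernet_device(&ip6_tnl_net_ops)`, dropping the `&ip6_tnl_net_id` argument that the removed `register_pernet_gen_device()` call filled in, while the ipip and sit hunks of this same backport keep the gen variant. Unless `ip6_tnl_net_ops` in this tree carries the id itself (not visible here), `ip6_tnl_net_id` is never assigned and any `net_generic()` lookup keyed on it would presumably hit the wrong slot, which is the oops class this patch is meant to close. The line should probably stay `err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);`, with the matching gen teardown at `out_ip4ip6`. The module exit path is outside the hunk and needs the same check.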
+diff -urpN linux-source-2.6.26.orig/net/ipv6/sit.c linux-source-2.6.26/net/ipv6/sit.c
+--- linux-source-2.6.26.orig/net/ipv6/sit.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv6/sit.c 2011-06-09 20:09:47.285806826 -0600
+@@ -1082,15 +1082,14 @@ static int __init sit_init(void)
+
+ printk(KERN_INFO "IPv6 over IPv4 tunneling driver\n");
+
+- if (xfrm4_tunnel_register(&sit_handler, AF_INET6) < 0) {
+- printk(KERN_INFO "sit init: Can't add protocol\n");
+- return -EAGAIN;
+- }
+-
+ err = register_pernet_gen_device(&sit_net_id, &sit_net_ops);
+ if (err < 0)
+- xfrm4_tunnel_deregister(&sit_handler, AF_INET6);
+-
++ return err;
++ err = xfrm4_tunnel_register(&sit_handler, AF_INET6);
++ if (err < 0) {
++ unregister_pernet_device(&sit_net_ops);
++ printk(KERN_INFO "sit init: Can't add protocol\n");
++ }
+ return err;
+ }
+
+diff -urpN linux-source-2.6.26.orig/net/ipv6/xfrm6_tunnel.c linux-source-2.6.26/net/ipv6/xfrm6_tunnel.c
+--- linux-source-2.6.26.orig/net/ipv6/xfrm6_tunnel.c 2011-06-09 21:11:53.125828225 -0600
++++ linux-source-2.6.26/net/ipv6/xfrm6_tunnel.c 2011-06-09 21:20:18.328528733 -0600
+@@ -346,36 +346,36 @@ static int __init xfrm6_tunnel_init(void
+ {
+ int rv;
+
+- rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++ rv = xfrm6_tunnel_spi_init();
+ if (rv < 0)
+ goto err;
++ rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++ if (rv < 0)
++ goto out_type;
+ rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6);
+ if (rv < 0)
+- goto unreg;
++ goto out_xfrm6;
+ rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET);
+ if (rv < 0)
+- goto dereg6;
+- rv = xfrm6_tunnel_spi_init();
+- if (rv < 0)
+- goto dereg46;
++ goto out_xfrm46;
+ return 0;
+
+-dereg46:
+- xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+-dereg6:
++out_xfrm46:
+ xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+-unreg:
++out_xfrm6:
+ xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++out_type:
++ xfrm6_tunnel_spi_fini();
+ err:
+ return rv;
+ }
+
+ static void __exit xfrm6_tunnel_fini(void)
+ {
+- xfrm6_tunnel_spi_fini();
+ xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+ xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+ xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++ xfrm6_tunnel_spi_fini();
+ }
+
+ module_init(xfrm6_tunnel_init);
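Review bot: The context of this hunk does not match what the companion patch leaves behind: it expects `int rv;`, `rv = xfrm_register_type(...)` and `err: return rv;`, whereas xfrm6_tunnel-join-error-paths-using-goto.patch, listed just before this one in series/35, ends with a bare `if (xfrm_register_type(...) < 0)` and `return -EAGAIN;`. Some other change must introduce `rv` in between or this hunk will not apply, so it is worth confirming that the series applies and builds from a clean tree. On the code itself, the reordering is the security-relevant part, and a comment above the first call such as `/* SPI state must be set up before any handler is registered; undo in reverse order */` would keep a later cleanup from moving it back.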
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch Sat Jun 11 14:23:02 2011 (r17644)
@@ -0,0 +1,54 @@
+commit 5ce1bbb97bf1e6707102d30499e7feaa1e6a2134
+Author: Ilpo Järvinen <ilpo.jarvinen at helsinki.fi>
+Date: Sun Dec 14 23:13:48 2008 -0800
+
+ xfrm6_tunnel: join error paths using goto
+
+ Signed-off-by: Ilpo Järvinen <ilpo.jarvinen at helsinki.fi>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
+index c2b2781..80193db 100644
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -345,24 +345,23 @@ static struct xfrm6_tunnel xfrm46_tunnel_handler = {
+ static int __init xfrm6_tunnel_init(void)
+ {
+ if (xfrm_register_type(&xfrm6_tunnel_type, AF_INET6) < 0)
+- return -EAGAIN;
+-
+- if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6)) {
+- xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+- return -EAGAIN;
+- }
+- if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET)) {
+- xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+- xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+- return -EAGAIN;
+- }
+- if (xfrm6_tunnel_spi_init() < 0) {
+- xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+- xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+- xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+- return -EAGAIN;
+- }
++ goto err;
++ if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6))
++ goto unreg;
++ if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET))
++ goto dereg6;
++ if (xfrm6_tunnel_spi_init() < 0)
++ goto dereg46;
+ return 0;
++
++dereg46:
++ xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
++dereg6:
++ xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
++unreg:
++ xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++err:
++ return -EAGAIN;
+ }
+
+ static void __exit xfrm6_tunnel_fini(void)
Modified: dists/squeeze/linux-2.6/debian/patches/series/35
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/35 Sat Jun 11 14:22:53 2011 (r17643)
+++ dists/squeeze/linux-2.6/debian/patches/series/35 Sat Jun 11 14:23:02 2011 (r17644)
@@ -264,3 +264,5 @@
+ bugfix/all/slub-Revert-PARISC-slub-fix-panic-with-DISCONTIGMEM.patch
+ bugfix/x86/x86-amd-do-not-enable-arat-feature-on-amd-processors-below.patch
+ bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
++ bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch
++ bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch