[kernel] r17644 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Jun 11 14:23:03 UTC 2011 

Author: dannf
Date: Sat Jun 11 14:23:02 2011
New Revision: 17644

Log:
tunnels: fix netns vs proto registration ordering (CVE-2011-1768)

Added:
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch
Modified:
   dists/squeeze/linux-2.6/debian/changelog
   dists/squeeze/linux-2.6/debian/patches/series/35

Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog	Sat Jun 11 14:22:53 2011	(r17643)
+++ dists/squeeze/linux-2.6/debian/changelog	Sat Jun 11 14:23:02 2011	(r17644)
@@ -36,6 +36,7 @@
 
   [ dann frazier ]
   * efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)
+  * tunnels: fix netns vs proto registration ordering (CVE-2011-1768)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 04 May 2011 01:44:34 +0100
 

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch	Sat Jun 11 14:23:02 2011	(r17644)
@@ -0,0 +1,160 @@
+commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978
+Author: Alexey Dobriyan <adobriyan at gmail.com>
+Date:   Tue Feb 16 09:05:04 2010 +0000
+
+    tunnels: fix netns vs proto registration ordering
+    
+    Same stuff as in ip_gre patch: receive hook can be called before netns
+    setup is done, oopsing in net_generic().
+    
+    Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/net/ipv4/ipip.c linux-source-2.6.26/net/ipv4/ipip.c
+--- linux-source-2.6.26.orig/net/ipv4/ipip.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv4/ipip.c	2011-06-09 20:08:37.464943595 -0600
+@@ -842,15 +842,14 @@ static int __init ipip_init(void)
+ 
+ 	printk(banner);
+ 
+-	if (xfrm4_tunnel_register(&ipip_handler, AF_INET)) {
++	err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
++	if (err < 0)
++		return err;
++	err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
++	if (err < 0) {
++		unregister_pernet_device(&ipip_net_ops);
+ 		printk(KERN_INFO "ipip init: can't register tunnel\n");
+-		return -EAGAIN;
+ 	}
+-
+-	err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
+-	if (err)
+-		xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+-
+ 	return err;
+ }
+ 
+diff -urpN linux-source-2.6.26.orig/net/ipv6/ip6_tunnel.c linux-source-2.6.26/net/ipv6/ip6_tunnel.c
+--- linux-source-2.6.26.orig/net/ipv6/ip6_tunnel.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv6/ip6_tunnel.c	2011-06-09 20:13:03.276239292 -0600
+@@ -1489,27 +1489,29 @@ static int __init ip6_tunnel_init(void)
+ {
+ 	int  err;
+ 
+-	if (xfrm6_tunnel_register(&ip4ip6_handler, AF_INET)) {
++	err = register_pernet_device(&ip6_tnl_net_ops);
++	if (err < 0)
++		goto out_pernet;
++
++	err = xfrm6_tunnel_register(&ip4ip6_handler, AF_INET);
++	if (err < 0) {
+ 		printk(KERN_ERR "ip6_tunnel init: can't register ip4ip6\n");
+-		err = -EAGAIN;
+-		goto out;
++		goto out_ip4ip6;
+ 	}
+ 
+-	if (xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6)) {
++	err = xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6);
++	if (err < 0) {
+ 		printk(KERN_ERR "ip6_tunnel init: can't register ip6ip6\n");
+-		err = -EAGAIN;
+-		goto unreg_ip4ip6;
++		goto out_ip6ip6;
+ 	}
+ 
+-	err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
+-	if (err < 0)
+-		goto err_pernet;
+ 	return 0;
+-err_pernet:
+-	xfrm6_tunnel_deregister(&ip6ip6_handler, AF_INET6);
+-unreg_ip4ip6:
++
++out_ip6ip6:
+ 	xfrm6_tunnel_deregister(&ip4ip6_handler, AF_INET);
+-out:
++out_ip4ip6:
++	unregister_pernet_device(&ip6_tnl_net_ops);
++out_pernet:
+ 	return err;
+ }
+ 
+diff -urpN linux-source-2.6.26.orig/net/ipv6/sit.c linux-source-2.6.26/net/ipv6/sit.c
+--- linux-source-2.6.26.orig/net/ipv6/sit.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv6/sit.c	2011-06-09 20:09:47.285806826 -0600
+@@ -1082,15 +1082,14 @@ static int __init sit_init(void)
+ 
+ 	printk(KERN_INFO "IPv6 over IPv4 tunneling driver\n");
+ 
+-	if (xfrm4_tunnel_register(&sit_handler, AF_INET6) < 0) {
+-		printk(KERN_INFO "sit init: Can't add protocol\n");
+-		return -EAGAIN;
+-	}
+-
+ 	err = register_pernet_gen_device(&sit_net_id, &sit_net_ops);
+ 	if (err < 0)
+-		xfrm4_tunnel_deregister(&sit_handler, AF_INET6);
+-
++		return err;
++	err = xfrm4_tunnel_register(&sit_handler, AF_INET6);
++	if (err < 0) {
++		unregister_pernet_device(&sit_net_ops);
++		printk(KERN_INFO "sit init: Can't add protocol\n");
++	}
+ 	return err;
+ }
+ 
+diff -urpN linux-source-2.6.26.orig/net/ipv6/xfrm6_tunnel.c linux-source-2.6.26/net/ipv6/xfrm6_tunnel.c
+--- linux-source-2.6.26.orig/net/ipv6/xfrm6_tunnel.c	2011-06-09 21:11:53.125828225 -0600
++++ linux-source-2.6.26/net/ipv6/xfrm6_tunnel.c	2011-06-09 21:20:18.328528733 -0600
+@@ -346,36 +346,36 @@ static int __init xfrm6_tunnel_init(void
+ {
+ 	int rv;
+ 
+-	rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++	rv = xfrm6_tunnel_spi_init();
+ 	if (rv < 0)
+ 		goto err;
++	rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++	if (rv < 0)
++		goto out_type;
+ 	rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6);
+ 	if (rv < 0)
+-		goto unreg;
++		goto out_xfrm6;
+ 	rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET);
+ 	if (rv < 0)
+-		goto dereg6;
+-	rv = xfrm6_tunnel_spi_init();
+-	if (rv < 0)
+-		goto dereg46;
++		goto out_xfrm46;
+ 	return 0;
+ 
+-dereg46:
+-	xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+-dereg6:
++out_xfrm46:
+ 	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+-unreg:
++out_xfrm6:
+ 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++out_type:
++	xfrm6_tunnel_spi_fini();
+ err:
+ 	return rv;
+ }
+ 
+ static void __exit xfrm6_tunnel_fini(void)
+ {
+-	xfrm6_tunnel_spi_fini();
+ 	xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+ 	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+ 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++	xfrm6_tunnel_spi_fini();
+ }
+ 
+ module_init(xfrm6_tunnel_init);

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch	Sat Jun 11 14:23:02 2011	(r17644)
@@ -0,0 +1,54 @@
+commit 5ce1bbb97bf1e6707102d30499e7feaa1e6a2134
+Author: Ilpo Järvinen <ilpo.jarvinen at helsinki.fi>
+Date:   Sun Dec 14 23:13:48 2008 -0800
+
+    xfrm6_tunnel: join error paths using goto
+    
+    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen at helsinki.fi>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
+index c2b2781..80193db 100644
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -345,24 +345,23 @@ static struct xfrm6_tunnel xfrm46_tunnel_handler = {
+ static int __init xfrm6_tunnel_init(void)
+ {
+ 	if (xfrm_register_type(&xfrm6_tunnel_type, AF_INET6) < 0)
+-		return -EAGAIN;
+-
+-	if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6)) {
+-		xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+-		return -EAGAIN;
+-	}
+-	if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET)) {
+-		xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+-		xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+-		return -EAGAIN;
+-	}
+-	if (xfrm6_tunnel_spi_init() < 0) {
+-		xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+-		xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+-		xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+-		return -EAGAIN;
+-	}
++		goto err;
++	if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6))
++		goto unreg;
++	if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET))
++		goto dereg6;
++	if (xfrm6_tunnel_spi_init() < 0)
++		goto dereg46;
+ 	return 0;
++
++dereg46:
++	xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
++dereg6:
++	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
++unreg:
++	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++err:
++	return -EAGAIN;
+ }
+ 
+ static void __exit xfrm6_tunnel_fini(void)

Modified: dists/squeeze/linux-2.6/debian/patches/series/35
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/35	Sat Jun 11 14:22:53 2011	(r17643)
+++ dists/squeeze/linux-2.6/debian/patches/series/35	Sat Jun 11 14:23:02 2011	(r17644)
@@ -264,3 +264,5 @@
 + bugfix/all/slub-Revert-PARISC-slub-fix-panic-with-DISCONTIGMEM.patch
 + bugfix/x86/x86-amd-do-not-enable-arat-feature-on-amd-processors-below.patch
 + bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
++ bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch
++ bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch

More information about the Kernel-svn-changes mailing list