[kernel] r17132 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Mar 27 22:42:11 UTC 2011
Author: dannf
Date: Sun Mar 27 22:42:10 2011
New Revision: 17132
Log:
nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
(CVE-2011-1090)
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
Modified:
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/32
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Sun Mar 27 22:16:15 2011 (r17131)
+++ dists/squeeze/linux-2.6/debian/changelog Sun Mar 27 22:42:10 2011 (r17132)
@@ -51,6 +51,8 @@
* Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
* Bluetooth: bnep: fix buffer overflow (CVE-2010-1079)
* bridge: netfilter: fix information leak (CVE-2011-1080)
+ * nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
+ (CVE-2011-1090)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 12 Mar 2011 20:20:58 +0000
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch Sun Mar 27 22:42:10 2011 (r17132)
@@ -0,0 +1,25 @@
+commit 43b7c3f051dea504afccc39bcb56d8e26c2e0b77
+Author: Jovi Zhang <bookjovi at gmail.com>
+Date: Wed Mar 2 23:19:37 2011 +0000
+
+ nfs: fix compilation warning
+
+ this commit fix compilation warning as following:
+ linux-2.6/fs/nfs/nfs4proc.c:3265: warning: comparison of distinct pointer types lacks a cast
+
+ Signed-off-by: Jovi Zhang <bookjovi at gmail.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index d1ed671..b07d4e2 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3262,7 +3262,7 @@ static int buf_to_pages_noslab(const void *buf, size_t buflen,
+ spages = pages;
+
+ do {
+- len = min(PAGE_CACHE_SIZE, buflen);
++ len = min_t(size_t, PAGE_CACHE_SIZE, buflen);
+ newpage = alloc_page(GFP_KERNEL);
+
+ if (newpage == NULL)
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch Sun Mar 27 22:42:10 2011 (r17132)
@@ -0,0 +1,143 @@
+commit e9e3d724e2145f5039b423c290ce2b2c3d8f94bc
+Author: Neil Horman <nhorman at tuxdriver.com>
+Date: Fri Mar 4 19:26:03 2011 -0500
+
+ nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3)
+
+ The "bad_page()" page allocator sanity check was reported recently (call
+ chain as follows):
+
+ bad_page+0x69/0x91
+ free_hot_cold_page+0x81/0x144
+ skb_release_data+0x5f/0x98
+ __kfree_skb+0x11/0x1a
+ tcp_ack+0x6a3/0x1868
+ tcp_rcv_established+0x7a6/0x8b9
+ tcp_v4_do_rcv+0x2a/0x2fa
+ tcp_v4_rcv+0x9a2/0x9f6
+ do_timer+0x2df/0x52c
+ ip_local_deliver+0x19d/0x263
+ ip_rcv+0x539/0x57c
+ netif_receive_skb+0x470/0x49f
+ :virtio_net:virtnet_poll+0x46b/0x5c5
+ net_rx_action+0xac/0x1b3
+ __do_softirq+0x89/0x133
+ call_softirq+0x1c/0x28
+ do_softirq+0x2c/0x7d
+ do_IRQ+0xec/0xf5
+ default_idle+0x0/0x50
+ ret_from_intr+0x0/0xa
+ default_idle+0x29/0x50
+ cpu_idle+0x95/0xb8
+ start_kernel+0x220/0x225
+ _sinittext+0x22f/0x236
+
+ It occurs because an skb with a fraglist was freed from the tcp
+ retransmit queue when it was acked, but a page on that fraglist had
+ PG_Slab set (indicating it was allocated from the Slab allocator (which
+ means the free path above can't safely free it via put_page.
+
+ We tracked this back to an nfsv4 setacl operation, in which the nfs code
+ attempted to fill convert the passed in buffer to an array of pages in
+ __nfs4_proc_set_acl, which gets used by the skb->frags list in
+ xs_sendpages. __nfs4_proc_set_acl just converts each page in the buffer
+ to a page struct via virt_to_page, but the vfs allocates the buffer via
+ kmalloc, meaning the PG_slab bit is set. We can't create a buffer with
+ kmalloc and free it later in the tcp ack path with put_page, so we need
+ to either:
+
+ 1) ensure that when we create the list of pages, no page struct has
+ PG_Slab set
+
+ or
+
+ 2) not use a page list to send this data
+
+ Given that these buffers can be multiple pages and arbitrarily sized, I
+ think (1) is the right way to go. I've written the below patch to
+ allocate a page from the buddy allocator directly and copy the data over
+ to it. This ensures that we have a put_page free-able page for every
+ entry that winds up on an skb frag list, so it can be safely freed when
+ the frame is acked. We do a put page on each entry after the
+ rpc_call_sync call so as to drop our own reference count to the page,
+ leaving only the ref count taken by tcp_sendpages. This way the data
+ will be properly freed when the ack comes in
+
+ Successfully tested by myself to solve the above oops.
+
+ Note, as this is the result of a setacl operation that exceeded a page
+ of data, I think this amounts to a local DOS triggerable by an
+ uprivlidged user, so I'm CCing security on this as well.
+
+ Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+ CC: Trond Myklebust <Trond.Myklebust at netapp.com>
+ CC: security at kernel.org
+ CC: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/fs/nfs/nfs4proc.c linux-source-2.6.32/fs/nfs/nfs4proc.c
+--- linux-source-2.6.32.orig/fs/nfs/nfs4proc.c 2011-03-06 19:33:19.000000000 -0700
++++ linux-source-2.6.32/fs/nfs/nfs4proc.c 2011-03-27 16:27:32.864330334 -0600
+@@ -3133,6 +3133,35 @@ static void buf_to_pages(const void *buf
+ }
+ }
+
++static int buf_to_pages_noslab(const void *buf, size_t buflen,
++ struct page **pages, unsigned int *pgbase)
++{
++ struct page *newpage, **spages;
++ int rc = 0;
++ size_t len;
++ spages = pages;
++
++ do {
++ len = min(PAGE_CACHE_SIZE, buflen);
++ newpage = alloc_page(GFP_KERNEL);
++
++ if (newpage == NULL)
++ goto unwind;
++ memcpy(page_address(newpage), buf, len);
++ buf += len;
++ buflen -= len;
++ *pages++ = newpage;
++ rc++;
++ } while (buflen != 0);
++
++ return rc;
++
++unwind:
++ for(; rc > 0; rc--)
++ __free_page(spages[rc-1]);
++ return -ENOMEM;
++}
++
+ struct nfs4_cached_acl {
+ int cached;
+ size_t len;
+@@ -3299,13 +3328,23 @@ static int __nfs4_proc_set_acl(struct in
+ .rpc_argp = &arg,
+ .rpc_resp = &res,
+ };
+- int ret;
++ int ret, i;
+
+ if (!nfs4_server_supports_acls(server))
+ return -EOPNOTSUPP;
++ i = buf_to_pages_noslab(buf, buflen, arg.acl_pages, &arg.acl_pgbase);
++ if (i < 0)
++ return i;
+ nfs_inode_return_delegation(inode);
+- buf_to_pages(buf, buflen, arg.acl_pages, &arg.acl_pgbase);
+ ret = nfs4_call_sync(server, &msg, &arg, &res, 1);
++
++ /*
++ * Free each page after tx, so the only ref left is
++ * held by the network stack
++ */
++ for (; i > 0; i--)
++ put_page(pages[i-1]);
++
+ nfs_access_zap_cache(inode);
+ nfs_zap_acl_cache(inode);
+ return ret;
Modified: dists/squeeze/linux-2.6/debian/patches/series/32
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/32 Sun Mar 27 22:16:15 2011 (r17131)
+++ dists/squeeze/linux-2.6/debian/patches/series/32 Sun Mar 27 22:42:10 2011 (r17132)
@@ -18,3 +18,5 @@
+ bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
+ bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
+ bugfix/all/bridge-netfilter-fix-information-leak.patch
++ bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
++ bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
More information about the Kernel-svn-changes
mailing list