[kernel] r17412 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon May 16 00:58:06 UTC 2011


Author: dannf
Date: Mon May 16 00:58:05 2011
New Revision: 17412

Log:
* RDMA/cma: Fix crash in request handlers (CVE-2011-0695)
* IB/cm: Bump reference count on cm_id before invoking callback
  (CVE-2011-0695)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon May 16 00:57:58 2011	(r17411)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon May 16 00:58:05 2011	(r17412)
@@ -1,5 +1,6 @@
 linux-2.6 (2.6.26-26lenny3) UNRELEASED; urgency=low
 
+  [ dann frazier ]
   * net: clear heap allocations for privileged ethtool actions (CVE-2010-4655)
   * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
     (CVE-2011-0711)
@@ -18,6 +19,9 @@
   * ipv6: netfilter: ip6_tables: fix infoleak to userspace (CVE-2011-1172)
   * econet: 4 byte infoleak to the network (CVE-2011-1173)
   * irda: validate peer name and attribute lengths (CVE-2011-1180)
+  * RDMA/cma: Fix crash in request handlers (CVE-2011-0695)
+  * IB/cm: Bump reference count on cm_id before invoking callback
+    (CVE-2011-0695)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch	Mon May 16 00:58:05 2011	(r17412)
@@ -0,0 +1,39 @@
+commit d0d57ad143753293b2dfc52b13740234131c2f5d
+Author: Sean Hefty <sean.hefty at intel.com>
+Date:   Wed Feb 23 08:17:40 2011 -0800
+
+    IB/cm: Bump reference count on cm_id before invoking callback
+    
+    commit 29963437a48475036353b95ab142bf199adb909e upstream.
+    
+    When processing a SIDR REQ, the ib_cm allocates a new cm_id.  The
+    refcount of the cm_id is initialized to 1.  However, cm_process_work
+    will decrement the refcount after invoking all callbacks.  The result
+    is that the cm_id will end up with refcount set to 0 by the end of the
+    sidr req handler.
+    
+    If a user tries to destroy the cm_id, the destruction will proceed,
+    under the incorrect assumption that no other threads are referencing
+    the cm_id.  This can lead to a crash when the cm callback thread tries
+    to access the cm_id.
+    
+    This problem was noticed as part of a larger investigation with kernel
+    crashes in the rdma_cm when running on a real time OS.
+    
+    Signed-off-by: Sean Hefty <sean.hefty at intel.com>
+    Acked-by: Doug Ledford <dledford at redhat.com>
+    Signed-off-by: Roland Dreier <roland at purestorage.com>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index 922d35f..29deac3 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -2987,6 +2987,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
+ 		goto out; /* No match. */
+ 	}
+ 	atomic_inc(&cur_cm_id_priv->refcount);
++	atomic_inc(&cm_id_priv->refcount);
+ 	spin_unlock_irq(&cm.lock);
+ 
+ 	cm_id_priv->id.cm_handler = cur_cm_id_priv->id.cm_handler;
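Review bot: The added `atomic_inc(&cm_id_priv->refcount);` carries no comment saying where the balancing decrement happens, which the patch description attributes to cm_process_work dropping the count after the callbacks have run. A one-line comment above it would spare the next reader a search: `/* Held until cm_process_work drops it after the callbacks have run. */`. The increment is taken while cm.lock is still held (the spin_unlock_irq follows), matching the existing increment on cur_cm_id_priv directly above it. The remainder of cm_sidr_req_handler, including the `out:` label reached by the no-match `goto out`, lies outside the hunk, so that path's handling is not visible here.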

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch	Mon May 16 00:58:05 2011	(r17412)
@@ -0,0 +1,127 @@
+commit a7ba58c8eed0a01e565b7cd41c5bcad0eb671f8f
+Author: Sean Hefty <sean.hefty at intel.com>
+Date:   Wed Feb 23 08:11:32 2011 -0800
+
+    RDMA/cma: Fix crash in request handlers
+    
+    commit 25ae21a10112875763c18b385624df713a288a05 upstream.
+    
+    Doug Ledford and Red Hat reported a crash when running the rdma_cm on
+    a real-time OS.  The crash has the following call trace:
+    
+        cm_process_work
+           cma_req_handler
+              cma_disable_callback
+              rdma_create_id
+                 kzalloc
+                 init_completion
+              cma_get_net_info
+              cma_save_net_info
+              cma_any_addr
+                 cma_zero_addr
+              rdma_translate_ip
+                 rdma_copy_addr
+              cma_acquire_dev
+                 rdma_addr_get_sgid
+                 ib_find_cached_gid
+                 cma_attach_to_dev
+              ucma_event_handler
+                 kzalloc
+                 ib_copy_ah_attr_to_user
+              cma_comp
+    
+    [ preempted ]
+    
+        cma_write
+            copy_from_user
+            ucma_destroy_id
+               copy_from_user
+               _ucma_find_context
+               ucma_put_ctx
+               ucma_free_ctx
+                  rdma_destroy_id
+                     cma_exch
+                     cma_cancel_operation
+                     rdma_node_get_transport
+    
+            rt_mutex_slowunlock
+            bad_area_nosemaphore
+            oops_enter
+    
+    They were able to reproduce the crash multiple times with the
+    following details:
+    
+        Crash seems to always happen on the:
+                mutex_unlock(&conn_id->handler_mutex);
+        as conn_id looks to have been freed during this code path.
+    
+    An examination of the code shows that a race exists in the request
+    handlers.  When a new connection request is received, the rdma_cm
+    allocates a new connection identifier.  This identifier has a single
+    reference count on it.  If a user calls rdma_destroy_id() from another
+    thread after receiving a callback, rdma_destroy_id will proceed to
+    destroy the id and free the associated memory.  However, the request
+    handlers may still be in the process of running.  When control returns
+    to the request handlers, they can attempt to access the newly created
+    identifiers.
+    
+    Fix this by holding a reference on the newly created rdma_cm_id until
+    the request handler is through accessing it.
+    
+    Signed-off-by: Sean Hefty <sean.hefty at intel.com>
+    Acked-by: Doug Ledford <dledford at redhat.com>
+    Signed-off-by: Roland Dreier <roland at purestorage.com>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+    [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/drivers/infiniband/core/cma.c linux-source-2.6.26/drivers/infiniband/core/cma.c
+--- linux-source-2.6.26.orig/drivers/infiniband/core/cma.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/infiniband/core/cma.c	2011-05-15 15:42:39.173354544 -0600
+@@ -1127,6 +1127,11 @@ static int cma_req_handler(struct ib_cm_
+ 	cm_id->context = conn_id;
+ 	cm_id->cm_handler = cma_ib_handler;
+ 
++	/*
++	 * Protect against the user destroying conn_id from another thread
++	 * until we're done accessing it.
++	 */
++	atomic_inc(&conn_id->refcount);
+ 	ret = conn_id->id.event_handler(&conn_id->id, &event);
+ 	if (!ret) {
+ 		/*
+@@ -1139,8 +1144,10 @@ static int cma_req_handler(struct ib_cm_
+ 			ib_send_cm_mra(cm_id, CMA_CM_MRA_SETTING, NULL, 0);
+ 		mutex_unlock(&lock);
+ 		cma_enable_remove(conn_id);
++		cma_deref_id(conn_id);
+ 		goto out;
+ 	}
++	cma_deref_id(conn_id);
+ 
+ 	/* Destroy the CM ID by returning a non-zero value. */
+ 	conn_id->cm_id.ib = NULL;
+@@ -1342,15 +1349,23 @@ static int iw_conn_req_handler(struct iw
+ 	event.param.conn.private_data_len = iw_event->private_data_len;
+ 	event.param.conn.initiator_depth = attr.max_qp_init_rd_atom;
+ 	event.param.conn.responder_resources = attr.max_qp_rd_atom;
++
++	/*
++	 * Protect against the user destroying conn_id from another thread
++	 * until we're done accessing it.
++	 */
++	atomic_inc(&conn_id->refcount);
+ 	ret = conn_id->id.event_handler(&conn_id->id, &event);
+ 	if (ret) {
+ 		/* User wants to destroy the CM ID */
+ 		conn_id->cm_id.iw = NULL;
+ 		cma_exch(conn_id, CMA_DESTROYING);
+ 		cma_enable_remove(conn_id);
++		cma_deref_id(conn_id);
+ 		rdma_destroy_id(&conn_id->id);
++		goto out;
+ 	}
+-
++	cma_deref_id(conn_id);
+ out:
+ 	if (dev)
+ 		dev_put(dev);
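Review bot: On the non-zero-return path of cma_req_handler, `cma_deref_id(conn_id);` (the line after the closing brace of the `if (!ret)` block) is followed by `conn_id->cm_id.ib = NULL;`, so conn_id is still touched after the extra reference is dropped; this is presumably safe because a non-zero return means the user declined to destroy the id and the reference taken at creation is still held, but the new comment above `atomic_inc(&conn_id->refcount);` says only "until we're done accessing it". Spelling that out prevents a reader from flagging a use-after-deref: `/* Non-zero return: the user did not destroy conn_id, so the creation reference still holds it for the teardown below. */`. The same shape appears in iw_conn_req_handler, where `cma_deref_id(conn_id);` precedes `rdma_destroy_id(&conn_id->id);`. Both functions begin before and end after their hunks (the `out:` label of cma_req_handler is outside the view), so the full lifetime of conn_id cannot be confirmed from this patch alone.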

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon May 16 00:57:58 2011	(r17411)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon May 16 00:58:05 2011	(r17412)
@@ -17,3 +17,5 @@
 + bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
 + bugfix/all/econet-4-byte-infoleak-to-the-network.patch
 + bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
++ bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
++ bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch


