[kernel] r17412 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon May 16 00:58:06 UTC 2011
Author: dannf
Date: Mon May 16 00:58:05 2011
New Revision: 17412
Log:
* RDMA/cma: Fix crash in request handlers (CVE-2011-0695)
* IB/cm: Bump reference count on cm_id before invoking callback
(CVE-2011-0695)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon May 16 00:57:58 2011 (r17411)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon May 16 00:58:05 2011 (r17412)
@@ -1,5 +1,6 @@
linux-2.6 (2.6.26-26lenny3) UNRELEASED; urgency=low
+ [ dann frazier ]
* net: clear heap allocations for privileged ethtool actions (CVE-2010-4655)
* xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
(CVE-2011-0711)
@@ -18,6 +19,9 @@
* ipv6: netfilter: ip6_tables: fix infoleak to userspace (CVE-2011-1172)
* econet: 4 byte infoleak to the network (CVE-2011-1173)
* irda: validate peer name and attribute lengths (CVE-2011-1180)
+ * RDMA/cma: Fix crash in request handlers (CVE-2011-0695)
+ * IB/cm: Bump reference count on cm_id before invoking callback
+ (CVE-2011-0695)
[ Ben Hutchings ]
* [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch Mon May 16 00:58:05 2011 (r17412)
@@ -0,0 +1,39 @@
+commit d0d57ad143753293b2dfc52b13740234131c2f5d
+Author: Sean Hefty <sean.hefty at intel.com>
+Date: Wed Feb 23 08:17:40 2011 -0800
+
+ IB/cm: Bump reference count on cm_id before invoking callback
+
+ commit 29963437a48475036353b95ab142bf199adb909e upstream.
+
+ When processing a SIDR REQ, the ib_cm allocates a new cm_id. The
+ refcount of the cm_id is initialized to 1. However, cm_process_work
+ will decrement the refcount after invoking all callbacks. The result
+ is that the cm_id will end up with refcount set to 0 by the end of the
+ sidr req handler.
+
+ If a user tries to destroy the cm_id, the destruction will proceed,
+ under the incorrect assumption that no other threads are referencing
+ the cm_id. This can lead to a crash when the cm callback thread tries
+ to access the cm_id.
+
+ This problem was noticed as part of a larger investigation with kernel
+ crashes in the rdma_cm when running on a real time OS.
+
+ Signed-off-by: Sean Hefty <sean.hefty at intel.com>
+ Acked-by: Doug Ledford <dledford at redhat.com>
+ Signed-off-by: Roland Dreier <roland at purestorage.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index 922d35f..29deac3 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -2987,6 +2987,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
+ goto out; /* No match. */
+ }
+ atomic_inc(&cur_cm_id_priv->refcount);
++ atomic_inc(&cm_id_priv->refcount);
+ spin_unlock_irq(&cm.lock);
+
+ cm_id_priv->id.cm_handler = cur_cm_id_priv->id.cm_handler;
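Review bot: the atomic_inc(&cm_id_priv->refcount) added right after the existing atomic_inc(&cur_cm_id_priv->refcount) has no matching decrement anywhere in this hunk; the balance relies entirely on cm_process_work dropping the reference after the callbacks, as the description states, so the backport should be checked against 2.6.26's cm_process_work to confirm it derefs the SIDR REQ cm_id on every path, since unlike the rdma/cma patch this one carries no "[dannf: backported ...]" note and is taken unmodified from upstream. A one-line comment above the new increment saying that cm_process_work owns the drop would also help, because the two adjacent increments serve different purposes (cur_cm_id_priv is the matched listener, cm_id_priv is the newly allocated id being kept alive across the callback).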
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch Mon May 16 00:58:05 2011 (r17412)
@@ -0,0 +1,127 @@
+commit a7ba58c8eed0a01e565b7cd41c5bcad0eb671f8f
+Author: Sean Hefty <sean.hefty at intel.com>
+Date: Wed Feb 23 08:11:32 2011 -0800
+
+ RDMA/cma: Fix crash in request handlers
+
+ commit 25ae21a10112875763c18b385624df713a288a05 upstream.
+
+ Doug Ledford and Red Hat reported a crash when running the rdma_cm on
+ a real-time OS. The crash has the following call trace:
+
+ cm_process_work
+ cma_req_handler
+ cma_disable_callback
+ rdma_create_id
+ kzalloc
+ init_completion
+ cma_get_net_info
+ cma_save_net_info
+ cma_any_addr
+ cma_zero_addr
+ rdma_translate_ip
+ rdma_copy_addr
+ cma_acquire_dev
+ rdma_addr_get_sgid
+ ib_find_cached_gid
+ cma_attach_to_dev
+ ucma_event_handler
+ kzalloc
+ ib_copy_ah_attr_to_user
+ cma_comp
+
+ [ preempted ]
+
+ cma_write
+ copy_from_user
+ ucma_destroy_id
+ copy_from_user
+ _ucma_find_context
+ ucma_put_ctx
+ ucma_free_ctx
+ rdma_destroy_id
+ cma_exch
+ cma_cancel_operation
+ rdma_node_get_transport
+
+ rt_mutex_slowunlock
+ bad_area_nosemaphore
+ oops_enter
+
+ They were able to reproduce the crash multiple times with the
+ following details:
+
+ Crash seems to always happen on the:
+ mutex_unlock(&conn_id->handler_mutex);
+ as conn_id looks to have been freed during this code path.
+
+ An examination of the code shows that a race exists in the request
+ handlers. When a new connection request is received, the rdma_cm
+ allocates a new connection identifier. This identifier has a single
+ reference count on it. If a user calls rdma_destroy_id() from another
+ thread after receiving a callback, rdma_destroy_id will proceed to
+ destroy the id and free the associated memory. However, the request
+ handlers may still be in the process of running. When control returns
+ to the request handlers, they can attempt to access the newly created
+ identifiers.
+
+ Fix this by holding a reference on the newly created rdma_cm_id until
+ the request handler is through accessing it.
+
+ Signed-off-by: Sean Hefty <sean.hefty at intel.com>
+ Acked-by: Doug Ledford <dledford at redhat.com>
+ Signed-off-by: Roland Dreier <roland at purestorage.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/drivers/infiniband/core/cma.c linux-source-2.6.26/drivers/infiniband/core/cma.c
+--- linux-source-2.6.26.orig/drivers/infiniband/core/cma.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/infiniband/core/cma.c 2011-05-15 15:42:39.173354544 -0600
+@@ -1127,6 +1127,11 @@ static int cma_req_handler(struct ib_cm_
+ cm_id->context = conn_id;
+ cm_id->cm_handler = cma_ib_handler;
+
++ /*
++ * Protect against the user destroying conn_id from another thread
++ * until we're done accessing it.
++ */
++ atomic_inc(&conn_id->refcount);
+ ret = conn_id->id.event_handler(&conn_id->id, &event);
+ if (!ret) {
+ /*
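Review bot: the reference taken by atomic_inc(&conn_id->refcount) here must be dropped on every path that leaves cma_req_handler, but this hunk ends at original line 1132 and the next one starts at 1139, so the body of the `if (!ret) {` block between them is not visible; any early `goto out` or return in those elided lines would leak the reference and keep conn_id from ever being freed. Please confirm the 2.6.26 code in that range has no such exit, or place the matching cma_deref_id so it covers it.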
+@@ -1139,8 +1144,10 @@ static int cma_req_handler(struct ib_cm_
+ ib_send_cm_mra(cm_id, CMA_CM_MRA_SETTING, NULL, 0);
+ mutex_unlock(&lock);
+ cma_enable_remove(conn_id);
++ cma_deref_id(conn_id);
+ goto out;
+ }
++ cma_deref_id(conn_id);
+
+ /* Destroy the CM ID by returning a non-zero value. */
+ conn_id->cm_id.ib = NULL;
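Review bot: the two cma_deref_id(conn_id) calls balance the reference on both visible paths (one before `goto out` in the `!ret` branch, one immediately after the block in the non-zero-return branch), which is the correct fix. In the second path the deref runs before this thread writes conn_id->cm_id.ib = NULL; that ordering is safe only because, per the context comment, a non-zero return means this code path destroys the id itself rather than a concurrent rdma_destroy_id, and a short comment to that effect would save the next reader from seeing it as a premature drop.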
+@@ -1342,15 +1349,23 @@ static int iw_conn_req_handler(struct iw
+ event.param.conn.private_data_len = iw_event->private_data_len;
+ event.param.conn.initiator_depth = attr.max_qp_init_rd_atom;
+ event.param.conn.responder_resources = attr.max_qp_rd_atom;
++
++ /*
++ * Protect against the user destroying conn_id from another thread
++ * until we're done accessing it.
++ */
++ atomic_inc(&conn_id->refcount);
+ ret = conn_id->id.event_handler(&conn_id->id, &event);
+ if (ret) {
+ /* User wants to destroy the CM ID */
+ conn_id->cm_id.iw = NULL;
+ cma_exch(conn_id, CMA_DESTROYING);
+ cma_enable_remove(conn_id);
++ cma_deref_id(conn_id);
+ rdma_destroy_id(&conn_id->id);
++ goto out;
+ }
+-
++ cma_deref_id(conn_id);
+ out:
+ if (dev)
+ dev_put(dev);
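Review bot: the added `goto out` after rdma_destroy_id(&conn_id->id) is load-bearing, not cosmetic: without it execution would fall through to the new trailing cma_deref_id(conn_id) and touch conn_id after rdma_destroy_id has released it, the same class of use-after-free the patch is fixing. Suggest a comment on the goto stating that it skips the trailing deref because the reference was already dropped before the destroy. The leading `+` blank line together with the removed `-` blank before `out:` is whitespace churn relative to the upstream commit; harmless in a backport, but worth knowing so a later rebase does not treat it as a conflict.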
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon May 16 00:57:58 2011 (r17411)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon May 16 00:58:05 2011 (r17412)
@@ -17,3 +17,5 @@
+ bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
+ bugfix/all/econet-4-byte-infoleak-to-the-network.patch
+ bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
++ bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
++ bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch