[kernel] r19347 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/features/all/openvz patches/series
Ben Hutchings
benh at alioth.debian.org
Mon Aug 20 03:16:41 UTC 2012
Author: benh
Date: Mon Aug 20 03:16:35 2012
New Revision: 19347
Log:
Add miscellaneous security fixes
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Mon Aug 20 02:39:57 2012 (r19346)
+++ dists/squeeze-security/linux-2.6/debian/changelog Mon Aug 20 03:16:35 2012 (r19347)
@@ -1,5 +1,6 @@
linux-2.6 (2.6.32-45squeeze1) UNRELEASED; urgency=low
+ [ dann frazier ]
* net: sock: validate data_len before allocating skb in
sock_alloc_send_pskb() (CVE-2012-2136)
* dl2k: Clean up rio_ioctl, add missing CAP_NET_ADMIN checks (CVE-2012-2313)
@@ -9,6 +10,12 @@
* cred: copy_process() should clear child->replacement_session_keyring
(CVE-2012-2745)
+ [ Ben Hutchings ]
+ * tcp: Don't change unlocked socket state in tcp_v4_err(). (Closes: #685087)
+ * locks: fix checking of fcntl_setlease argument
+ * sfc: Fix maximum number of TSO segments and minimum TX queue size
+ (CVE-2012-3412)
+
-- dann frazier <dannf at debian.org> Tue, 12 Jun 2012 16:56:29 -0600
linux-2.6 (2.6.32-45) stable; urgency=high
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch Mon Aug 20 03:16:35 2012 (r19347)
@@ -0,0 +1,52 @@
+From: "J. Bruce Fields" <bfields at fieldses.org>
+Date: Mon, 23 Jul 2012 15:17:17 -0400
+Subject: locks: fix checking of fcntl_setlease argument
+
+commit 0ec4f431eb56d633da3a55da67d5c4b88886ccc7 upstream.
+
+The only checks of the long argument passed to fcntl(fd,F_SETLEASE,.)
+are done after converting the long to an int. Thus some illegal values
+may be let through and cause problems in later code.
+
+[ They actually *don't* cause problems in mainline, as of Dave Jones's
+ commit 8d657eb3b438 "Remove easily user-triggerable BUG from
+ generic_setlease", but we should fix this anyway. And this patch will
+ be necessary to fix real bugs on earlier kernels. ]
+
+Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/locks.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/locks.c b/fs/locks.c
+index fce6238..82c3533 100644
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -308,7 +308,7 @@ static int flock_make_lock(struct file *filp, struct file_lock **lock,
+ return 0;
+ }
+
+-static int assign_type(struct file_lock *fl, int type)
++static int assign_type(struct file_lock *fl, long type)
+ {
+ switch (type) {
+ case F_RDLCK:
+@@ -445,7 +445,7 @@ static const struct lock_manager_operations lease_manager_ops = {
+ /*
+ * Initialize a lease, use the default lock manager operations
+ */
+-static int lease_init(struct file *filp, int type, struct file_lock *fl)
++static int lease_init(struct file *filp, long type, struct file_lock *fl)
+ {
+ if (assign_type(fl, type) != 0)
+ return -EINVAL;
+@@ -463,7 +463,7 @@ static int lease_init(struct file *filp, int type, struct file_lock *fl)
+ }
+
+ /* Allocate a file_lock initialised to this type of lease */
+-static struct file_lock *lease_alloc(struct file *filp, int type)
++static struct file_lock *lease_alloc(struct file *filp, long type)
+ {
+ struct file_lock *fl = locks_alloc_lock();
+ int error = -ENOMEM;
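Review bot: Widening `type` to `long` in assign_type, lease_init and lease_alloc only closes the hole if the `switch (type)` in assign_type rejects every value other than its `F_*LCK` cases through a `default:` arm that returns non-zero; the visible hunk stops at `case F_RDLCK:`, so that arm lies outside the hunk and should be confirmed in the squeeze copy of fs/locks.c before relying on the fix. The visible part of lease_init does map a non-zero assign_type result to `-EINVAL`, so the rejection path itself is present. The changelog entry for this patch (`locks: fix checking of fcntl_setlease argument`) carries no bug or CVE reference, unlike its sibling entries; if no identifier exists, a one-line note saying so in the patch header would prevent a later reviewer from assuming one was simply omitted. Both inner hunks of the embedded fs/locks.c diff begin and end outside the functions they touch.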
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch Mon Aug 20 03:16:35 2012 (r19347)
@@ -0,0 +1,68 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: sfc: Fix maximum number of TSO segments and minimum TX queue size
+
+This is related to commit 7e6d06f0de3f74ca929441add094518ae332257c
+upstream, but looks very different because:
+
+- TX queue size was constant before 2.6.37, so we don't need to check it
+- The upstream fix relies on changes to the TCP stack and networking
+ core, which are not appropriate for stable updates. Instead we limit
+ number of segments in efx_enqueue_skb_tso(). This effectively drops
+ all the extra packets and seriously hurts TCP throughput if the limit
+ is ever hit, but this shouldn't affect any legitimate traffic.
+
+The original commit message is:
+
+Currently an skb requiring TSO may not fit within a minimum-size TX
+queue. The TX queue selected for the skb may stall and trigger the TX
+watchdog repeatedly (since the problem skb will be retried after the
+TX reset). This issue is designated as CVE-2012-3412.
+
+Set the maximum number of TSO segments for our devices to 100. This
+should make no difference to behaviour unless the actual MSS is less
+than about 700. Increase the minimum TX queue size accordingly to
+allow for 2 worst-case skbs, so that there will definitely be space
+to add an skb after we wake a queue.
+
+To avoid invalidating existing configurations, change
+efx_ethtool_set_ringparam() to fix up values that are too small rather
+than returning -EINVAL.
+
+Signed-off-by: Ben Hutchings <bhutchings at solarflare.com>
+---
+--- a/drivers/net/sfc/efx.h
++++ b/drivers/net/sfc/efx.h
+@@ -39,6 +39,9 @@ extern void efx_release_tx_buffers(struc
+ extern void efx_wake_queue(struct efx_nic *efx);
+ #define EFX_TXQ_SIZE 1024
+ #define EFX_TXQ_MASK (EFX_TXQ_SIZE - 1)
++
++/* Maximum number of TCP segments we support for soft-TSO */
++#define EFX_TSO_MAX_SEGS 100
+
+ /* RX */
+ extern int efx_probe_rx_queue(struct efx_rx_queue *rx_queue);
+--- a/drivers/net/sfc/tx.c
++++ b/drivers/net/sfc/tx.c
+@@ -1053,6 +1053,21 @@ static int efx_enqueue_skb_tso(struct ef
+ int frag_i, rc, rc2 = NETDEV_TX_OK;
+ struct tso_state state;
+
++ /* Since the stack does not limit the number of segments per
++ * skb, we must do so. Otherwise an attacker may be able to
++ * make the TCP produce skbs that will never fit in our TX
++ * queue, causing repeated resets.
++ */
++ if (unlikely(skb_shinfo(skb)->gso_segs > EFX_TSO_MAX_SEGS)) {
++ unsigned int excess =
++ (skb_shinfo(skb)->gso_segs - EFX_TSO_MAX_SEGS) *
++ skb_shinfo(skb)->gso_size;
++ if (__pskb_trim(skb, skb->len - excess)) {
++ dev_kfree_skb_any(skb);
++ return NETDEV_TX_OK;
++ }
++ }
++
+ /* Find the packet protocol and sanity-check it */
+ state.protocol = efx_tso_check_protocol(skb);
+
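Review bot: The trim added ahead of `/* Find the packet protocol and sanity-check it */` silently discards the tail of any skb carrying more than EFX_TSO_MAX_SEGS segments, and the description itself says throughput suffers badly whenever that happens, yet nothing records that it did; a per-queue counter or a rate-limited log message inside this `unlikely` branch would let an operator distinguish a hit limit from an ordinary TCP slowdown. The arithmetic `excess = (gso_segs - EFX_TSO_MAX_SEGS) * gso_size` also relies on `gso_segs * gso_size` being consistent with `skb->len`, a relationship maintained by the stack rather than checked here; if any ingress path in 2.6.32 could hand the driver inconsistent values, `skb->len - excess` would wrap and `__pskb_trim` would be asked for a length larger than the skb, so either confirm that invariant or add a guard such as `if (excess >= skb->len) { dev_kfree_skb_any(skb); return NETDEV_TX_OK; }` before the trim. The efx.h hunk only introduces the constant, and efx_enqueue_skb_tso begins and ends outside the tx.c hunk.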
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch Mon Aug 20 03:16:35 2012 (r19347)
@@ -0,0 +1,53 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Fri, 12 Nov 2010 13:35:00 -0800
+Subject: tcp: Don't change unlocked socket state in tcp_v4_err().
+
+commit 8f49c2703b33519aaaccc63f571b465b9d2b3a2d upstream.
+
+Alexey Kuznetsov noticed a regression introduced by
+commit f1ecd5d9e7366609d640ff4040304ea197fbc618
+("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable")
+
+The RTO and timer modification code added to tcp_v4_err()
+doesn't check sock_owned_by_user(), which if true means we
+don't have exclusive access to the socket and therefore cannot
+modify it's critical state.
+
+Just skip this new code block if sock_owned_by_user() is true
+and eliminate the now superfluous sock_owned_by_user() code
+block contained within.
+
+Reported-by: Alexey Kuznetsov <kuznet at ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+CC: Damian Lukowski <damian at tvk.rwth-aachen.de>
+Acked-by: Eric Dumazet <eric.dumazet at gmail.com>
+---
+ net/ipv4/tcp_ipv4.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 8f8527d..69ccbc1 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -415,6 +415,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
+ !icsk->icsk_backoff)
+ break;
+
++ if (sock_owned_by_user(sk))
++ break;
++
+ icsk->icsk_backoff--;
+ inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
+ icsk->icsk_backoff;
+@@ -429,11 +432,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
+ if (remaining) {
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+ remaining, TCP_RTO_MAX);
+- } else if (sock_owned_by_user(sk)) {
+- /* RTO revert clocked out retransmission,
+- * but socket is locked. Will defer. */
+- inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+- HZ/20, TCP_RTO_MAX);
+ } else {
+ /* RTO revert clocked out retransmission.
+ * Will retransmit now */
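Review bot: The new `if (sock_owned_by_user(sk)) break;` drops the whole RTO-revert block without a comment, while the branch it replaces at least documented the locked case (`Will defer`); the reasoning now lives only in the commit message, so a short comment above the check would help the next reader, e.g. `/* Socket is locked by user: no exclusive access, so leave backoff and RTO untouched. */`. Because the backoff decrement and the timer reset below it are skipped entirely for a locked socket, the ICMP message has no effect on RTO state in that case, which appears to be the intent stated in the description but is worth confirming against the rest of tcp_v4_err. The `break` presumably leaves an enclosing switch whose start is outside the hunk; tcp_v4_err begins and ends outside both hunks.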
Modified: dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch Mon Aug 20 02:39:57 2012 (r19346)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch Mon Aug 20 03:16:35 2012 (r19347)
@@ -6541,6 +6541,9 @@
[bwh: Fix context for changes to sock_alloc_send_psbk() after commit
cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc ('net: sock: validate data_len
before allocating skb in sock_alloc_send_pskb()')]
+[bwh: Fix context for changes to lease_alloc() after commit
+ 79549c6dfda0603dba9a70a53467ce62d9335c33 ('cred: copy_process() should
+ clear child->replacement_session_keyring')]
diff --git a/COPYING.Parallels b/COPYING.Parallels
new file mode 100644
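Review bot: The added `[bwh: ...]` note attributes the lease_alloc() context change to the wrong commit: the `int type` to `long type` change in lease_alloc visible in the next hunk comes from the locks patch added in this same revision, `0ec4f431eb56d633da3a55da67d5c4b88886ccc7` ('locks: fix checking of fcntl_setlease argument'), not from `79549c6dfda0603dba9a70a53467ce62d9335c33` ('cred: copy_process() should clear child->replacement_session_keyring'). Suggested wording: `[bwh: Fix context for changes to lease_alloc() after commit 0ec4f431eb56d633da3a55da67d5c4b88886ccc7 ('locks: fix checking of fcntl_setlease argument')]`. The refreshed inner hunk header in the next hunk still reads `static int lease_init(struct file *filp, int type, ...)`, which is stale after that commit; it is harmless to patch(1) but could be refreshed for consistency.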
@@ -18325,7 +18328,7 @@
@@ -464,7 +483,7 @@ static int lease_init(struct file *filp, int type, struct file_lock *fl)
/* Allocate a file_lock initialised to this type of lease */
- static struct file_lock *lease_alloc(struct file *filp, int type)
+ static struct file_lock *lease_alloc(struct file *filp, long type)
{
- struct file_lock *fl = locks_alloc_lock();
+ struct file_lock *fl = locks_alloc_lock(1);
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1 Mon Aug 20 02:39:57 2012 (r19346)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1 Mon Aug 20 03:16:35 2012 (r19347)
@@ -5,3 +5,6 @@
+ bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
+ bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
+ bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch
++ bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
++ bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch
++ bugfix/all/sfc-Fix-maximum-number-of-TSO-segments-and-minimum-T.patch
\ No newline at end of file