[kernel] r18841 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Wed Mar 14 04:48:39 UTC 2012
Author: benh
Date: Wed Mar 14 04:48:32 2012
New Revision: 18841
Log:
Apply some of the most important security fixes from 2.6.32.{55,56,57,58}
Unfortunately these are missing CVE IDs.
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed Mar 14 02:52:34 2012 (r18840)
+++ dists/squeeze-security/linux-2.6/debian/changelog Wed Mar 14 04:48:32 2012 (r18841)
@@ -1,9 +1,19 @@
linux-2.6 (2.6.32-41squeeze1) UNRELEASED; urgency=high
+ [ dann frazier ]
* ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)
* ecryptfs: Add mount option to check uid of device being mounted =
expect uid (CVE-2011-1833)
+ [ Ben Hutchings ]
+ * V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
+ * drm: Fix authentication kernel crash
+ * relay: prevent integer overflow in relay_open()
+ * Further refine the fix for CVE-2011-4127:
+ - sd_compat_ioctl: Replace ENOTTY error with ENOIOCTLCMD
+ - kernel.h: fix wrong usage of __ratelimit()
+ - printk_ratelimited(): fix uninitialized spinlock
+
-- dann frazier <dannf at debian.org> Tue, 13 Mar 2012 19:04:18 -0600
linux-2.6 (2.6.32-41) stable; urgency=low
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch Wed Mar 14 04:48:32 2012 (r18841)
@@ -0,0 +1,62 @@
+From 537400450bd43daf3f99efe35efd0ccaf16f38b1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Thu, 5 Jan 2012 02:27:57 -0300
+Subject: [PATCH] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
+
+commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.
+
+If ctrls->count is too high the multiplication could overflow and
+array_size would be lower than expected. Mauro and Hans Verkuil
+suggested that we cap it at 1024. That comes from the maximum
+number of controls with lots of room for expantion.
+
+$ grep V4L2_CID include/linux/videodev2.h | wc -l
+211
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/media/video/v4l2-ioctl.c | 6 ++++++
+ include/linux/videodev2.h | 1 +
+ 2 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
+index 265bfb5..d7332c7 100644
+--- a/drivers/media/video/v4l2-ioctl.c
++++ b/drivers/media/video/v4l2-ioctl.c
+@@ -414,6 +414,9 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
+ p->error_idx = p->count;
+ user_ptr = (void __user *)p->controls;
+ if (p->count) {
++ err = -EINVAL;
++ if (p->count > V4L2_CID_MAX_CTRLS)
++ goto out_ext_ctrl;
+ ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
+ /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
+ mbuf = kmalloc(ctrls_size, GFP_KERNEL);
+@@ -1912,6 +1915,9 @@ long video_ioctl2(struct file *file,
+ p->error_idx = p->count;
+ user_ptr = (void __user *)p->controls;
+ if (p->count) {
++ err = -EINVAL;
++ if (p->count > V4L2_CID_MAX_CTRLS)
++ goto out_ext_ctrl;
+ ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
+ /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
+ mbuf = kmalloc(ctrls_size, GFP_KERNEL);
+diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
+index b59e78c..9e2088c 100644
+--- a/include/linux/videodev2.h
++++ b/include/linux/videodev2.h
+@@ -858,6 +858,7 @@ struct v4l2_querymenu {
+ #define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
+
+ /* User-class control IDs defined by V4L2 */
++#define V4L2_CID_MAX_CTRLS 1024
+ #define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900)
+ #define V4L2_CID_USER_BASE V4L2_CID_BASE
+ /* IDs reserved for driver specific controls */
+--
+1.7.9.1
+
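Review bot: `V4L2_CID_MAX_CTRLS` is introduced in videodev2.h with no comment, placed directly under the heading for user-class control IDs, and its name reads like a control ID rather than a count; a one-line comment such as `/* Upper bound on v4l2_ext_controls::count accepted before the ctrls_size multiplication */` next to the define would prevent that confusion. The cap and the `err = -EINVAL` / `goto out_ext_ctrl` sequence are pasted into two identical code paths, video_usercopy and video_ioctl2, so a single static helper would keep the two from drifting apart in later fixes. Both enclosing functions start and end outside the hunk.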
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/drm-Fix-authentication-kernel-crash.patch Wed Mar 14 04:48:32 2012 (r18841)
@@ -0,0 +1,91 @@
+From 26487be3d861e50dcfd4b19199e3c206d3700678 Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom at vmware.com>
+Date: Tue, 24 Jan 2012 18:54:21 +0100
+Subject: [PATCH] drm: Fix authentication kernel crash
+
+commit 598781d71119827b454fd75d46f84755bca6f0c6 upstream.
+
+If the master tries to authenticate a client using drm_authmagic and
+that client has already closed its drm file descriptor,
+either wilfully or because it was terminated, the
+call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory
+and corrupt it.
+
+Typically this results in a hard system hang.
+
+This patch fixes that problem by removing any authentication tokens
+(struct drm_magic_entry) open for a file descriptor when that file
+descriptor is closed.
+
+Signed-off-by: Thomas Hellstrom <thellstrom at vmware.com>
+Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_auth.c | 6 +++++-
+ drivers/gpu/drm/drm_fops.c | 5 +++++
+ include/drm/drmP.h | 1 +
+ 3 files changed, 11 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
+index 932b5aa..d676d49 100644
+--- a/drivers/gpu/drm/drm_auth.c
++++ b/drivers/gpu/drm/drm_auth.c
+@@ -102,7 +102,7 @@ static int drm_add_magic(struct drm_master *master, struct drm_file *priv,
+ * Searches and unlinks the entry in drm_device::magiclist with the magic
+ * number hash key, while holding the drm_device::struct_mutex lock.
+ */
+-static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
++int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
+ {
+ struct drm_magic_entry *pt;
+ struct drm_hash_item *hash;
+@@ -137,6 +137,8 @@ static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
+ * If there is a magic number in drm_file::magic then use it, otherwise
+ * searches an unique non-zero magic number and add it associating it with \p
+ * file_priv.
++ * This ioctl needs protection by the drm_global_mutex, which protects
++ * struct drm_file::magic and struct drm_magic_entry::priv.
+ */
+ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
+ {
+@@ -174,6 +176,8 @@ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
+ * \return zero if authentication successed, or a negative number otherwise.
+ *
+ * Checks if \p file_priv is associated with the magic number passed in \arg.
++ * This ioctl needs protection by the drm_global_mutex, which protects
++ * struct drm_file::magic and struct drm_magic_entry::priv.
+ */
+ int drm_authmagic(struct drm_device *dev, void *data,
+ struct drm_file *file_priv)
+diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
+index ba14553..519161e 100644
+--- a/drivers/gpu/drm/drm_fops.c
++++ b/drivers/gpu/drm/drm_fops.c
+@@ -449,6 +449,11 @@ int drm_release(struct inode *inode, struct file *filp)
+ (long)old_encode_dev(file_priv->minor->device),
+ dev->open_count);
+
++ /* Release any auth tokens that might point to this file_priv,
++ (do that under the drm_global_mutex) */
++ if (file_priv->magic)
++ (void) drm_remove_magic(file_priv->master, file_priv->magic);
++
+ /* if the master has gone away we can't do anything with the lock */
+ if (file_priv->minor->master)
+ drm_master_release(dev, filp);
+diff --git a/include/drm/drmP.h b/include/drm/drmP.h
+index 66713c6..ebab6a6 100644
+--- a/include/drm/drmP.h
++++ b/include/drm/drmP.h
+@@ -1221,6 +1221,7 @@ extern int drm_getmagic(struct drm_device *dev, void *data,
+ struct drm_file *file_priv);
+ extern int drm_authmagic(struct drm_device *dev, void *data,
+ struct drm_file *file_priv);
++extern int drm_remove_magic(struct drm_master *master, drm_magic_t magic);
+
+ /* Cache management (drm_cache.c) */
+ void drm_clflush_pages(struct page *pages[], unsigned long num_pages);
+--
+1.7.9.1
+
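Review bot: The comment added in drm_release, `/* Release any auth tokens that might point to this file_priv, (do that under the drm_global_mutex) */`, does not follow kernel block-comment style (continuation lines should begin with ` *`), and the lock it names should be checked against what this 2.6.32 drm_release actually holds at that point, since the surrounding code is not in the hunk; if the backported tree serialises this path with a different lock, the comment would mislead the next reader. The new call passes file_priv->master to drm_remove_magic without a check, while the next pre-existing line guards only on file_priv->minor->master; if file_priv->master can be NULL at release time (I cannot tell from the hunk), the call would dereference it before that guard. drm_release begins and ends outside the hunk.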
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch Wed Mar 14 04:48:32 2012 (r18841)
@@ -0,0 +1,35 @@
+From 3aee4081eee4987bbf2dd00c7267a8b2ea7386a0 Mon Sep 17 00:00:00 2001
+From: Yong Zhang <yong.zhang at windriver.com>
+Date: Tue, 6 Apr 2010 14:35:02 -0700
+Subject: [PATCH] kernel.h: fix wrong usage of __ratelimit()
+
+commit bb1dc0bacb8ddd7ba6a5906c678a5a5a110cf695 upstream.
+
+When __ratelimit() returns 1 this means that we can go ahead.
+
+Signed-off-by: Yong Zhang <yong.zhang at windriver.com>
+Cc: Ingo Molnar <mingo at elte.hu>
+Cc: Joe Perches <joe at perches.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ include/linux/kernel.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 1221fe4..f963c1b 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -417,7 +417,7 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
+ .burst = DEFAULT_RATELIMIT_BURST, \
+ }; \
+ \
+- if (!__ratelimit(&_rs)) \
++ if (__ratelimit(&_rs)) \
+ printk(fmt, ##__VA_ARGS__); \
+ })
+ #else
+--
+1.7.9.1
+
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch Wed Mar 14 04:48:32 2012 (r18841)
@@ -0,0 +1,168 @@
+From ddd80d112479aaa16e3b82c5729451dcbeafe00c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Tue, 17 Jan 2012 04:07:02 +0000
+Subject: [PATCH] block: fail SCSI passthrough ioctls on partition devices
+
+commit 0bfc96cb77224736dfa35c3c555d37b3646ef35e upstream.
+
+[ Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
+ and -ENOIOCTLCMD from sd_compat_ioctl. ]
+
+Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+will pass the command to the underlying block device. This is
+well-known, but it is also a large security problem when (via Unix
+permissions, ACLs, SELinux or a combination thereof) a program or user
+needs to be granted access only to part of the disk.
+
+This patch lets partitions forward a small set of harmless ioctls;
+others are logged with printk so that we can see which ioctls are
+actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+Of course it was being sent to a (partition on a) hard disk, so it would
+have failed with ENOTTY and the patch isn't changing anything in
+practice. Still, I'm treating it specially to avoid spamming the logs.
+
+In principle, this restriction should include programs running with
+CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+/dev/sdb, it still should not be able to read/write outside the
+boundaries of /dev/sda2 independent of the capabilities. However, for
+now programs with CAP_SYS_RAWIO will still be allowed to send the
+ioctls. Their actions will still be logged.
+
+This patch does not affect the non-libata IDE driver. That driver
+however already tests for bd != bd->bd_contains before issuing some
+ioctl; it could be restricted further to forbid these ioctls even for
+programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+Cc: linux-scsi at vger.kernel.org
+Cc: Jens Axboe <axboe at kernel.dk>
+Cc: James Bottomley <JBottomley at parallels.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[ Make it also print the command name when warning - Linus ]
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backport to 2.6.32 - ENOIOCTLCMD does not get converted to
+ ENOTTY, so we must return ENOTTY directly]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ block/scsi_ioctl.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ drivers/scsi/sd.c | 11 +++++++++--
+ include/linux/blkdev.h | 1 +
+ 3 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 114ee29..2be0a97 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -24,6 +24,7 @@
+ #include <linux/capability.h>
+ #include <linux/completion.h>
+ #include <linux/cdrom.h>
++#include <linux/ratelimit.h>
+ #include <linux/slab.h>
+ #include <linux/times.h>
+ #include <asm/uaccess.h>
+@@ -689,9 +690,53 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
+ }
+ EXPORT_SYMBOL(scsi_cmd_ioctl);
+
++int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
++{
++ if (bd && bd == bd->bd_contains)
++ return 0;
++
++ /* Actually none of these is particularly useful on a partition,
++ * but they are safe.
++ */
++ switch (cmd) {
++ case SCSI_IOCTL_GET_IDLUN:
++ case SCSI_IOCTL_GET_BUS_NUMBER:
++ case SCSI_IOCTL_GET_PCI:
++ case SCSI_IOCTL_PROBE_HOST:
++ case SG_GET_VERSION_NUM:
++ case SG_SET_TIMEOUT:
++ case SG_GET_TIMEOUT:
++ case SG_GET_RESERVED_SIZE:
++ case SG_SET_RESERVED_SIZE:
++ case SG_EMULATED_HOST:
++ return 0;
++ case CDROM_GET_CAPABILITY:
++ /* Keep this until we remove the printk below. udev sends it
++ * and we do not want to spam dmesg about it. CD-ROMs do
++ * not have partitions, so we get here only for disks.
++ */
++ return -ENOTTY;
++ default:
++ break;
++ }
++
++ /* In particular, rule out all resets and host-specific ioctls. */
++ printk_ratelimited(KERN_WARNING
++ "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
++
++ return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
++}
++EXPORT_SYMBOL(scsi_verify_blk_ioctl);
++
+ int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
+ unsigned int cmd, void __user *arg)
+ {
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bd, cmd);
++ if (ret < 0)
++ return ret;
++
+ return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
+ }
+ EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 2dd1b73..a5b55fe 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -817,6 +817,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
+ SCSI_LOG_IOCTL(1, printk("sd_ioctl: disk=%s, cmd=0x%x\n",
+ disk->disk_name, cmd));
+
++ error = scsi_verify_blk_ioctl(bdev, cmd);
++ if (error < 0)
++ return error;
++
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+ * else try and use this device. Also, if error recovery fails, it
+@@ -996,6 +1000,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ unsigned int cmd, unsigned long arg)
+ {
+ struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bdev, cmd);
++ if (ret < 0)
++ return -ENOIOCTLCMD;
+
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+@@ -1007,8 +1016,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ return -ENODEV;
+
+ if (sdev->host->hostt->compat_ioctl) {
+- int ret;
+-
+ ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
+
+ return ret;
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 63070ad..5eb6cb0 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -777,6 +777,7 @@ extern void blk_plug_device(struct request_queue *);
+ extern void blk_plug_device_unlocked(struct request_queue *);
+ extern int blk_remove_plug(struct request_queue *);
+ extern void blk_recount_segments(struct request_queue *, struct bio *);
++extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
+ extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
+ unsigned int, void __user *);
+ extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
+--
+1.7.9.1
+
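Review bot: `scsi_verify_blk_ioctl()` is a new exported function with no header comment, although its contract — return 0 to let the ioctl through, -ENOTTY to refuse it, and the CAP_SYS_RAWIO exemption that the log message itself calls a known gap — is exactly what the callers in sd.c and any future user need to know; a kernel-doc block on the definition stating those three points would serve. In sd_compat_ioctl the verify failure is returned as -ENOIOCTLCMD rather than the -ENOTTY that sd_ioctl propagates; the backport note says ENOIOCTLCMD is not translated to ENOTTY in this tree, so confirm that the compat caller treats -ENOIOCTLCMD as "fall back to the generic compat handlers" and that those handlers do not forward the refused command on a partition without the same check. The enclosing sd_ioctl and sd_compat_ioctl bodies continue outside the hunk.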
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch Wed Mar 14 04:48:32 2012 (r18841)
@@ -0,0 +1,50 @@
+From 3a86cda406c00df3a1c207ba26406847d8e53bba Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi at mail.parknet.co.jp>
+Date: Mon, 24 May 2010 14:33:11 -0700
+Subject: [PATCH] printk_ratelimited(): fix uninitialized spinlock
+
+commit d8521fcc5e0ad3e79bbc4231bb20a6cdc2b50164 upstream.
+
+ratelimit_state initialization of printk_ratelimited() seems broken. This
+fixes it by using DEFINE_RATELIMIT_STATE() to initialize spinlock
+properly.
+
+Signed-off-by: OGAWA Hirofumi <hirofumi at mail.parknet.co.jp>
+Cc: Joe Perches <joe at perches.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Sven-Haegar Koch <haegar at sdinet.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ include/linux/kernel.h | 15 +++++++--------
+ 1 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index f963c1b..9acb92d 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -411,14 +411,13 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
+ * no local ratelimit_state used in the !PRINTK case
+ */
+ #ifdef CONFIG_PRINTK
+-#define printk_ratelimited(fmt, ...) ({ \
+- static struct ratelimit_state _rs = { \
+- .interval = DEFAULT_RATELIMIT_INTERVAL, \
+- .burst = DEFAULT_RATELIMIT_BURST, \
+- }; \
+- \
+- if (__ratelimit(&_rs)) \
+- printk(fmt, ##__VA_ARGS__); \
++#define printk_ratelimited(fmt, ...) ({ \
++ static DEFINE_RATELIMIT_STATE(_rs, \
++ DEFAULT_RATELIMIT_INTERVAL, \
++ DEFAULT_RATELIMIT_BURST); \
++ \
++ if (__ratelimit(&_rs)) \
++ printk(fmt, ##__VA_ARGS__); \
+ })
+ #else
+ /* No effect, but we still get type checking even in the !PRINTK case: */
+--
+1.7.9.1
+
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch Wed Mar 14 04:48:32 2012 (r18841)
@@ -0,0 +1,50 @@
+From e871c96c42ff9c08d856a757c0176f9381ac67cd Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Fri, 10 Feb 2012 09:03:58 +0100
+Subject: [PATCH] relay: prevent integer overflow in relay_open()
+
+commit f6302f1bcd75a042df69866d98b8d775a668f8f1 upstream.
+
+"subbuf_size" and "n_subbufs" come from the user and they need to be
+capped to prevent an integer overflow.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ kernel/relay.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/relay.c b/kernel/relay.c
+index 760c262..bf343f5 100644
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -171,10 +171,14 @@ depopulate:
+ */
+ static struct rchan_buf *relay_create_buf(struct rchan *chan)
+ {
+- struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
+- if (!buf)
++ struct rchan_buf *buf;
++
++ if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
+ return NULL;
+
++ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
++ if (!buf)
++ return NULL;
+ buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL);
+ if (!buf->padding)
+ goto free_buf;
+@@ -581,6 +585,8 @@ struct rchan *relay_open(const char *base_filename,
+
+ if (!(subbuf_size && n_subbufs))
+ return NULL;
++ if (subbuf_size > UINT_MAX / n_subbufs)
++ return NULL;
+
+ chan = kzalloc(sizeof(struct rchan), GFP_KERNEL);
+ if (!chan)
+--
+1.7.9.1
+
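Review bot: The two new caps in relay_create_buf and relay_open carry no comment saying why UINT_MAX is the bound, which is the non-obvious part of the fix; the visible kmalloc of `chan->n_subbufs * sizeof(size_t *)` explains the first one, but the use of `subbuf_size * n_subbufs` that the second protects is outside the hunk. I would add `/* n_subbufs and subbuf_size are user-supplied; keep both products below UINT_MAX so the sizes derived from them cannot wrap */` above the check in relay_open and a one-line pointer to it above the check in relay_create_buf. The relay_create_buf check also runs on every call even though the value it tests is fixed per channel, which is harmless but worth a word so nobody "optimises" it away. relay_open begins outside the hunk.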
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1 Wed Mar 14 02:52:34 2012 (r18840)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1 Wed Mar 14 04:48:32 2012 (r18841)
@@ -1,2 +1,9 @@
+ bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
+ bugfix/all/add-mount-option-to-check-uid-of-device-being-mounted-expect-uid-cve-2011-1833.patch
++ bugfix/all/V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercop.patch
++ bugfix/all/drm-Fix-authentication-kernel-crash.patch
++ bugfix/all/relay-prevent-integer-overflow-in-relay_open.patch
+- bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-2.patch
++ bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
++ bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
++ bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
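Review bot: The two ratelimit fixes are listed after `bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch`, yet that patch is the one that adds the printk_ratelimited() call they correct, so the intermediate tree between those series entries carries the inverted __ratelimit() test and the uninitialised spinlock on the new warning path. Moving `bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch` and `bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch` above the limit-ioctls entry keeps every intermediate state consistent and makes a later bisect of this series meaningful.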