[kernel] r18842 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Wed Mar 14 05:04:37 UTC 2012
Author: benh
Date: Wed Mar 14 05:04:32 2012
New Revision: 18842
Log:
Apply the most important security fixes from 2.6.32.59-rc1
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed Mar 14 04:48:32 2012 (r18841)
+++ dists/squeeze-security/linux-2.6/debian/changelog Wed Mar 14 05:04:32 2012 (r18842)
@@ -13,6 +13,8 @@
- sd_compat_ioctl: Replace ENOTTY error with ENOIOCTLCMD
- kernel.h: fix wrong usage of __ratelimit()
- printk_ratelimited(): fix uninitialized spinlock
+ * cifs: fix dentry refcount leak when opening a FIFO on lookup
+ * regset: Prevent null pointer reference on readonly regsets (CVE-2012-1097)
-- dann frazier <dannf at debian.org> Tue, 13 Mar 2012 19:04:18 -0600
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch Wed Mar 14 05:04:32 2012 (r18842)
@@ -0,0 +1,62 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Thu, 23 Feb 2012 09:37:45 -0500
+Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
+
+commit 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream.
+
+The cifs code will attempt to open files on lookup under certain
+circumstances. What happens though if we find that the file we opened
+was actually a FIFO or other special file?
+
+Currently, the open filehandle just ends up being leaked leading to
+a dentry refcount mismatch and oops on umount. Fix this by having the
+code close the filehandle on the server if it turns out not to be a
+regular file. While we're at it, change this spaghetti if statement
+into a switch too.
+
+Cc: stable at vger.kernel.org
+Reported-by: CAI Qian <caiqian at redhat.com>
+Tested-by: CAI Qian <caiqian at redhat.com>
+Reviewed-by: Shirish Pargaonkar <shirishpargaonkar at gmail.com>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Signed-off-by: Steve French <smfrench at gmail.com>
+---
+ fs/cifs/dir.c | 20 ++++++++++++++++++--
+ 1 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index 63a196b..bc7e2442 100644
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -584,10 +584,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
+ * If either that or op not supported returned, follow
+ * the normal lookup.
+ */
+- if ((rc == 0) || (rc == -ENOENT))
++ switch (rc) {
++ case 0:
++ /*
++ * The server may allow us to open things like
++ * FIFOs, but the client isn't set up to deal
++ * with that. If it's not a regular file, just
++ * close it and proceed as if it were a normal
++ * lookup.
++ */
++ if (newInode && !S_ISREG(newInode->i_mode)) {
++ CIFSSMBClose(xid, pTcon, fileHandle);
++ break;
++ }
++ case -ENOENT:
+ posix_open = true;
+- else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
++ case -EOPNOTSUPP:
++ break;
++ default:
+ pTcon->broken_posix_open = true;
++ }
+ }
+ if (!posix_open)
+ rc = cifs_get_inode_info_unix(&newInode, full_path,
+--
+1.7.9.1
+
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch Wed Mar 14 05:04:32 2012 (r18842)
@@ -0,0 +1,63 @@
+From: "H. Peter Anvin" <hpa at zytor.com>
+Date: Fri, 2 Mar 2012 10:43:48 -0800
+Subject: [PATCH] regset: Prevent null pointer reference on readonly regsets
+
+commit c8e252586f8d5de906385d8cf6385fee289a825e upstream.
+
+The regset common infrastructure assumed that regsets would always
+have .get and .set methods, but not necessarily .active methods.
+Unfortunately people have since written regsets without .set methods.
+
+Rather than putting in stub functions everywhere, handle regsets with
+null .get or .set methods explicitly.
+
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+Reviewed-by: Oleg Nesterov <oleg at redhat.com>
+Acked-by: Roland McGrath <roland at hack.frob.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/binfmt_elf.c | 2 +-
+ include/linux/regset.h | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index bcb884e..07d096c 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1421,7 +1421,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
+ for (i = 1; i < view->n; ++i) {
+ const struct user_regset *regset = &view->regsets[i];
+ do_thread_regset_writeback(t->task, regset);
+- if (regset->core_note_type &&
++ if (regset->core_note_type && regset->get &&
+ (!regset->active || regset->active(t->task, regset))) {
+ int ret;
+ size_t size = regset->n * regset->size;
+diff --git a/include/linux/regset.h b/include/linux/regset.h
+index 8abee65..5150fd1 100644
+--- a/include/linux/regset.h
++++ b/include/linux/regset.h
+@@ -335,6 +335,9 @@ static inline int copy_regset_to_user(struct task_struct *target,
+ {
+ const struct user_regset *regset = &view->regsets[setno];
+
++ if (!regset->get)
++ return -EOPNOTSUPP;
++
+ if (!access_ok(VERIFY_WRITE, data, size))
+ return -EIO;
+
+@@ -358,6 +361,9 @@ static inline int copy_regset_from_user(struct task_struct *target,
+ {
+ const struct user_regset *regset = &view->regsets[setno];
+
++ if (!regset->set)
++ return -EOPNOTSUPP;
++
+ if (!access_ok(VERIFY_READ, data, size))
+ return -EIO;
+
+--
+1.7.9.1
+
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1 Wed Mar 14 04:48:32 2012 (r18841)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1 Wed Mar 14 05:04:32 2012 (r18842)
@@ -7,3 +7,5 @@
+ bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
+ bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
+ bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
++ bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
++ bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
More information about the Kernel-svn-changes
mailing list