[kernel] r18842 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Wed Mar 14 05:04:37 UTC 2012


Author: benh
Date: Wed Mar 14 05:04:32 2012
New Revision: 18842

Log:
Apply the most important security fixes from 2.6.32.59-rc1

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed Mar 14 04:48:32 2012	(r18841)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed Mar 14 05:04:32 2012	(r18842)
@@ -13,6 +13,8 @@
     - sd_compat_ioctl: Replace ENOTTY error with ENOIOCTLCMD
     - kernel.h: fix wrong usage of __ratelimit()
     - printk_ratelimited(): fix uninitialized spinlock
+  * cifs: fix dentry refcount leak when opening a FIFO on lookup
+  * regset: Prevent null pointer reference on readonly regsets (CVE-2012-1097)
 
  -- dann frazier <dannf at debian.org>  Tue, 13 Mar 2012 19:04:18 -0600
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch	Wed Mar 14 05:04:32 2012	(r18842)
@@ -0,0 +1,62 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Thu, 23 Feb 2012 09:37:45 -0500
+Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
+
+commit 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream.
+
+The cifs code will attempt to open files on lookup under certain
+circumstances. What happens though if we find that the file we opened
+was actually a FIFO or other special file?
+
+Currently, the open filehandle just ends up being leaked leading to
+a dentry refcount mismatch and oops on umount. Fix this by having the
+code close the filehandle on the server if it turns out not to be a
+regular file. While we're at it, change this spaghetti if statement
+into a switch too.
+
+Cc: stable at vger.kernel.org
+Reported-by: CAI Qian <caiqian at redhat.com>
+Tested-by: CAI Qian <caiqian at redhat.com>
+Reviewed-by: Shirish Pargaonkar <shirishpargaonkar at gmail.com>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Signed-off-by: Steve French <smfrench at gmail.com>
+---
+ fs/cifs/dir.c |   20 ++++++++++++++++++--
+ 1 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index 63a196b..bc7e2442 100644
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -584,10 +584,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
+ 			 * If either that or op not supported returned, follow
+ 			 * the normal lookup.
+ 			 */
+-			if ((rc == 0) || (rc == -ENOENT))
++			switch (rc) {
++			case 0:
++				/*
++				 * The server may allow us to open things like
++				 * FIFOs, but the client isn't set up to deal
++				 * with that. If it's not a regular file, just
++				 * close it and proceed as if it were a normal
++				 * lookup.
++				 */
++				if (newInode && !S_ISREG(newInode->i_mode)) {
++					CIFSSMBClose(xid, pTcon, fileHandle);
++					break;
++				}
++			case -ENOENT:
+ 				posix_open = true;
+-			else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
++			case -EOPNOTSUPP:
++				break;
++			default:
+ 				pTcon->broken_posix_open = true;
++			}
+ 		}
+ 		if (!posix_open)
+ 			rc = cifs_get_inode_info_unix(&newInode, full_path,
+-- 
+1.7.9.1
+
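Review bot: The new `case 0:` arm falls into `case -ENOENT:` whenever the opened object is a regular file (the `break` only covers the non-regular case), and that fall-through is deliberate but unmarked; add `/* fall through: regular file opened, treat as a successful posix open */` immediately before `case -ENOENT:` so the compiler's fallthrough warning and the next reader both see it is intended. The return value of `CIFSSMBClose(xid, pTcon, fileHandle)` in the same arm is discarded; that is probably acceptable on this cleanup path, but a short comment stating that the close is best-effort would make it explicit. The enclosing function cifs_lookup starts and ends outside the hunk, so what happens to `newInode` after the handle is closed is not visible here.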

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch	Wed Mar 14 05:04:32 2012	(r18842)
@@ -0,0 +1,63 @@
+From: "H. Peter Anvin" <hpa at zytor.com>
+Date: Fri, 2 Mar 2012 10:43:48 -0800
+Subject: [PATCH] regset: Prevent null pointer reference on readonly regsets
+
+commit c8e252586f8d5de906385d8cf6385fee289a825e upstream.
+
+The regset common infrastructure assumed that regsets would always
+have .get and .set methods, but not necessarily .active methods.
+Unfortunately people have since written regsets without .set methods.
+
+Rather than putting in stub functions everywhere, handle regsets with
+null .get or .set methods explicitly.
+
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+Reviewed-by: Oleg Nesterov <oleg at redhat.com>
+Acked-by: Roland McGrath <roland at hack.frob.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/binfmt_elf.c        |    2 +-
+ include/linux/regset.h |    6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index bcb884e..07d096c 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1421,7 +1421,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
+ 	for (i = 1; i < view->n; ++i) {
+ 		const struct user_regset *regset = &view->regsets[i];
+ 		do_thread_regset_writeback(t->task, regset);
+-		if (regset->core_note_type &&
++		if (regset->core_note_type && regset->get &&
+ 		    (!regset->active || regset->active(t->task, regset))) {
+ 			int ret;
+ 			size_t size = regset->n * regset->size;
+diff --git a/include/linux/regset.h b/include/linux/regset.h
+index 8abee65..5150fd1 100644
+--- a/include/linux/regset.h
++++ b/include/linux/regset.h
+@@ -335,6 +335,9 @@ static inline int copy_regset_to_user(struct task_struct *target,
+ {
+ 	const struct user_regset *regset = &view->regsets[setno];
+ 
++	if (!regset->get)
++		return -EOPNOTSUPP;
++
+ 	if (!access_ok(VERIFY_WRITE, data, size))
+ 		return -EIO;
+ 
+@@ -358,6 +361,9 @@ static inline int copy_regset_from_user(struct task_struct *target,
+ {
+ 	const struct user_regset *regset = &view->regsets[setno];
+ 
++	if (!regset->set)
++		return -EOPNOTSUPP;
++
+ 	if (!access_ok(VERIFY_READ, data, size))
+ 		return -EIO;
+ 
+-- 
+1.7.9.1
+
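Review bot: The two added NULL-method checks in copy_regset_to_user and copy_regset_from_user carry no comment explaining the new contract, and the `struct user_regset` member documentation, which lies outside this hunk, presumably still describes .get and .set as always present; add above each check a comment such as `/* .get/.set are optional: a read-only or write-only regset has no method here, so refuse the request instead of calling a NULL pointer */`. The same contract change applies to the `regset->get` test added in fill_thread_core_info, which silently skips the regset in the core-dump path while the ptrace path returns -EOPNOTSUPP; that asymmetry is reasonable but deserves a sentence in the comment so the two behaviours are not later "harmonised" by mistake. The changelog in this commit ties the patch to CVE-2012-1097. All three enclosing functions start or end outside the hunk.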

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1	Wed Mar 14 04:48:32 2012	(r18841)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1	Wed Mar 14 05:04:32 2012	(r18842)
@@ -7,3 +7,5 @@
 + bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices-3.patch
 + bugfix/all/kernel.h-fix-wrong-usage-of-__ratelimit.patch
 + bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
++ bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
++ bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch


