[kernel] r22496 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at moszumanska.debian.org
Sun Apr 12 16:34:03 UTC 2015 

Author: benh
Date: Sun Apr 12 16:34:03 2015
New Revision: 22496

Log:
Add some simple security fixes

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netlink-fix-possible-spoofing-from-non-root-processe.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tty-drop-driver-reference-in-tty_open-fail-path.patch
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed Apr  8 04:04:18 2015	(r22495)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 12 16:34:03 2015	(r22496)
@@ -1,3 +1,14 @@
+linux-2.6 (2.6.32-48squeeze12) UNRELEASED; urgency=medium
+
+  * TTY: drop driver reference in tty_open fail path (CVE-2011-5321)
+  * netlink: fix possible spoofing from non-root processes (CVE-2012-6689)
+  * IB/core: Prevent integer overflow in ib_umem_get address arithmetic
+    (CVE-2014-8159)
+  * eCryptfs: Remove buggy and unnecessary write in file name decode routine
+    (CVE-2014-9683)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sun, 12 Apr 2015 17:12:31 +0100
+
 linux-2.6 (2.6.32-48squeeze11) squeeze-lts; urgency=medium
 
   * [x86] cpu, amd: Add workaround for family 16h, erratum 793 (CVE-2013-6885)

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch	Sun Apr 12 16:34:03 2015	(r22496)
@@ -0,0 +1,32 @@
+From: Michael Halcrow <mhalcrow at google.com>
+Date: Wed, 26 Nov 2014 09:09:16 -0800
+Subject: eCryptfs: Remove buggy and unnecessary write in file name decode
+ routine
+Origin: https://git.kernel.org/linus/942080643bce061c3dd9d5718d3b745dcb39a8bc
+
+Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
+end of the allocated buffer during encrypted filename decoding. This
+fix corrects the issue by getting rid of the unnecessary 0 write when
+the current bit offset is 2.
+
+Signed-off-by: Michael Halcrow <mhalcrow at google.com>
+Reported-by: Dmitry Chernenkov <dmitryc at google.com>
+Suggested-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org # v2.6.29+: 51ca58d eCryptfs: Filename Encryption: Encoding and encryption functions
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+---
+ fs/ecryptfs/crypto.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
+index 2f6735d..31b148f 100644
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -2088,7 +2088,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
+ 			break;
+ 		case 2:
+ 			dst[dst_byte_offset++] |= (src_byte);
+-			dst[dst_byte_offset] = 0;
+ 			current_bit_offset = 0;
+ 			break;
+ 		}

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch	Sun Apr 12 16:34:03 2015	(r22496)
@@ -0,0 +1,38 @@
+From: Shachar Raindel <raindel at mellanox.com>
+Date: Sun, 04 Jan 2015 18:30:32 +0200
+Subject: IB/core: Prevent integer overflow in ib_umem_get address arithmetic
+Origin: https://marc.info/?l=oss-security&m=142672196502144&w=2
+
+Properly verify that the resulting page aligned end address is larger
+than both the start address and the length of the memory area
+requested.
+
+Both the start and length arguments for ib_umem_get are controlled by
+the user. A misbehaving user can provide values which will cause an
+integer overflow when calculating the page aligned end address.
+
+This overflow can cause also miscalculation of the number of pages
+mapped, and additional logic issues.
+
+Signed-off-by: Shachar Raindel <raindel at mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm at mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz at mellanox.com>
+---
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -92,6 +92,14 @@ struct ib_umem *ib_umem_get(struct ib_uc
+ 	if (dmasync)
+ 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+ 
++	/*
++	 * If the combination of the addr and size requested for this memory
++	 * region causes an integer overflow, return error.
++	 */
++	if ((PAGE_ALIGN(addr + size) <= size) ||
++	    (PAGE_ALIGN(addr + size) <= addr))
++		return ERR_PTR(-EINVAL);
++
+ 	if (!can_do_mlock())
+ 		return ERR_PTR(-EPERM);
+ 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netlink-fix-possible-spoofing-from-non-root-processe.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netlink-fix-possible-spoofing-from-non-root-processe.patch	Sun Apr 12 16:34:03 2015	(r22496)
@@ -0,0 +1,65 @@
+From: Pablo Neira Ayuso <pablo at netfilter.org>
+Date: Thu, 23 Aug 2012 02:09:11 +0000
+Subject: netlink: fix possible spoofing from non-root processes
+Origin: https://git.kernel.org/linus/20e1db19db5d6b9e4e83021595eab0dc8f107bef
+
+Non-root user-space processes can send Netlink messages to other
+processes that are well-known for being subscribed to Netlink
+asynchronous notifications. This allows ilegitimate non-root
+process to send forged messages to Netlink subscribers.
+
+The userspace process usually verifies the legitimate origin in
+two ways:
+
+a) Socket credentials. If UID != 0, then the message comes from
+   some ilegitimate process and the message needs to be dropped.
+
+b) Netlink portID. In general, portID == 0 means that the origin
+   of the messages comes from the kernel. Thus, discarding any
+   message not coming from the kernel.
+
+However, ctnetlink sets the portID in event messages that has
+been triggered by some user-space process, eg. conntrack utility.
+So other processes subscribed to ctnetlink events, eg. conntrackd,
+know that the event was triggered by some user-space action.
+
+Neither of the two ways to discard ilegitimate messages coming
+from non-root processes can help for ctnetlink.
+
+This patch adds capability validation in case that dst_pid is set
+in netlink_sendmsg(). This approach is aggressive since existing
+applications using any Netlink bus to deliver messages between
+two user-space processes will break. Note that the exception is
+NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
+userspace communication.
+
+Still, if anyone wants that his Netlink bus allows netlink-to-netlink
+userspace, then they can set NL_NONROOT_SEND. However, by default,
+I don't think it makes sense to allow to use NETLINK_ROUTE to
+communicate two processes that are sending no matter what information
+that is not related to link/neighbouring/routing. They should be using
+NETLINK_USERSOCK instead for that.
+
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 2.6.32:
+ - Adjust context
+ - NETLINK_USERSOCK does not exist, so drop that part]
+---
+ net/netlink/af_netlink.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 1445d73..5270238 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1303,7 +1303,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 			return -EINVAL;
+ 		dst_pid = addr->nl_pid;
+ 		dst_group = ffs(addr->nl_groups);
+-		if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
++		if ((dst_group || dst_pid) &&
++		    !netlink_capable(sock, NL_NONROOT_SEND))
+ 			return -EPERM;
+ 	} else {
+ 		dst_pid = nlk->dst_pid;

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tty-drop-driver-reference-in-tty_open-fail-path.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tty-drop-driver-reference-in-tty_open-fail-path.patch	Sun Apr 12 16:34:03 2015	(r22496)
@@ -0,0 +1,37 @@
+From: Jiri Slaby <jslaby at suse.cz>
+Date: Wed, 12 Oct 2011 11:32:42 +0200
+Subject: TTY: drop driver reference in tty_open fail path
+Origin: https://git.kernel.org/linus/c290f8358acaeffd8e0c551ddcc24d1206143376
+
+When tty_driver_lookup_tty fails in tty_open, we forget to drop a
+reference to the tty driver. This was added by commit 4a2b5fddd5 (Move
+tty lookup/reopen to caller).
+
+Fix that by adding tty_driver_kref_put to the fail path.
+
+I will refactor the code later. This is for the ease of backporting to
+stable.
+
+Introduced-in: v2.6.28-rc2
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Cc: stable <stable at vger.kernel.org>
+Cc: Alan Cox <alan at lxorguk.ukuu.org.uk>
+Acked-by: Sukadev Bhattiprolu <sukadev at linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[bwh: Backported to 2.6.32: adjust filename]
+---
+ drivers/char/tty_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
+index 4ca4bcd..6913da8 100644
+--- a/drivers/char/tty_io.c
++++ b/drivers/char/tty_io.c
+@@ -1779,6 +1779,7 @@ got_driver:
+ 
+ 		if (IS_ERR(tty)) {
+ 			mutex_unlock(&tty_mutex);
++			tty_driver_kref_put(driver);
+ 			return PTR_ERR(tty);
+ 		}
+ 	}

Added: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Apr 12 16:34:03 2015	(r22496)
@@ -0,0 +1,4 @@
++ bugfix/all/tty-drop-driver-reference-in-tty_open-fail-path.patch
++ bugfix/all/netlink-fix-possible-spoofing-from-non-root-processe.patch
++ bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
++ bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch

More information about the Kernel-svn-changes mailing list