[kernel] r22496 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at moszumanska.debian.org
Sun Apr 12 16:34:03 UTC 2015
Author: benh
Date: Sun Apr 12 16:34:03 2015
New Revision: 22496
Log:
Add some simple security fixes
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netlink-fix-possible-spoofing-from-non-root-processe.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tty-drop-driver-reference-in-tty_open-fail-path.patch
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed Apr 8 04:04:18 2015 (r22495)
+++ dists/squeeze-security/linux-2.6/debian/changelog Sun Apr 12 16:34:03 2015 (r22496)
@@ -1,3 +1,14 @@
+linux-2.6 (2.6.32-48squeeze12) UNRELEASED; urgency=medium
+
+ * TTY: drop driver reference in tty_open fail path (CVE-2011-5321)
+ * netlink: fix possible spoofing from non-root processes (CVE-2012-6689)
+ * IB/core: Prevent integer overflow in ib_umem_get address arithmetic
+ (CVE-2014-8159)
+ * eCryptfs: Remove buggy and unnecessary write in file name decode routine
+ (CVE-2014-9683)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 12 Apr 2015 17:12:31 +0100
+
linux-2.6 (2.6.32-48squeeze11) squeeze-lts; urgency=medium
* [x86] cpu, amd: Add workaround for family 16h, erratum 793 (CVE-2013-6885)
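Review bot: The new changelog entry is still marked `UNRELEASED`, while the previous entry (2.6.32-48squeeze11) targets `squeeze-lts`; the distribution field has to be changed to `squeeze-lts` before the upload, and the `-- Ben Hutchings` trailer line will need its timestamp refreshed at that point. The four CVE identifiers are recorded only here, not in the patch headers or the series file, so anyone auditing the tree later has to cross-reference this entry to find which patch addresses which CVE; consider adding the CVE id to each patch's header block.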
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch Sun Apr 12 16:34:03 2015 (r22496)
@@ -0,0 +1,32 @@
+From: Michael Halcrow <mhalcrow at google.com>
+Date: Wed, 26 Nov 2014 09:09:16 -0800
+Subject: eCryptfs: Remove buggy and unnecessary write in file name decode
+ routine
+Origin: https://git.kernel.org/linus/942080643bce061c3dd9d5718d3b745dcb39a8bc
+
+Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
+end of the allocated buffer during encrypted filename decoding. This
+fix corrects the issue by getting rid of the unnecessary 0 write when
+the current bit offset is 2.
+
+Signed-off-by: Michael Halcrow <mhalcrow at google.com>
+Reported-by: Dmitry Chernenkov <dmitryc at google.com>
+Suggested-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org # v2.6.29+: 51ca58d eCryptfs: Filename Encryption: Encoding and encryption functions
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+---
+ fs/ecryptfs/crypto.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
+index 2f6735d..31b148f 100644
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -2088,7 +2088,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
+ break;
+ case 2:
+ dst[dst_byte_offset++] |= (src_byte);
+- dst[dst_byte_offset] = 0;
+ current_bit_offset = 0;
+ break;
+ }
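Review bot: The deletion is consistent with the description: after `dst[dst_byte_offset++] |= (src_byte);` the index already points one past the byte just completed, so the removed `dst[dst_byte_offset] = 0;` zeroes the following byte, which on the last input byte lies beyond the destination buffer (the out-of-bounds write KASAN reported). Since `case 2` ends with `current_bit_offset = 0;`, the next iteration starts a fresh byte and does not rely on that zero, so no behaviour is lost. For the backport, confirm the hunk applies at the same `case 2:` label in the 2.6.32 copy of `ecryptfs_decode_from_filename` rather than with fuzz, and add the CVE-2014-9683 reference from the changelog to the patch header.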
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch Sun Apr 12 16:34:03 2015 (r22496)
@@ -0,0 +1,38 @@
+From: Shachar Raindel <raindel at mellanox.com>
+Date: Sun, 04 Jan 2015 18:30:32 +0200
+Subject: IB/core: Prevent integer overflow in ib_umem_get address arithmetic
+Origin: https://marc.info/?l=oss-security&m=142672196502144&w=2
+
+Properly verify that the resulting page aligned end address is larger
+than both the start address and the length of the memory area
+requested.
+
+Both the start and length arguments for ib_umem_get are controlled by
+the user. A misbehaving user can provide values which will cause an
+integer overflow when calculating the page aligned end address.
+
+This overflow can cause also miscalculation of the number of pages
+mapped, and additional logic issues.
+
+Signed-off-by: Shachar Raindel <raindel at mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm at mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz at mellanox.com>
+---
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -92,6 +92,14 @@ struct ib_umem *ib_umem_get(struct ib_uc
+ if (dmasync)
+ dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+
++ /*
++ * If the combination of the addr and size requested for this memory
++ * region causes an integer overflow, return error.
++ */
++ if ((PAGE_ALIGN(addr + size) <= size) ||
++ (PAGE_ALIGN(addr + size) <= addr))
++ return ERR_PTR(-EINVAL);
++
+ if (!can_do_mlock())
+ return ERR_PTR(-EPERM);
+
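Review bot: `PAGE_ALIGN(addr + size)` is evaluated twice in the new condition; hoisting it into a local (e.g. `unsigned long end = PAGE_ALIGN(addr + size);`) would make the wraparound test easier to read and keep the two comparisons operating on the same value. The comparison also has an edge at `size == 0`: with a page-aligned `addr`, `PAGE_ALIGN(addr) == addr` so the `<= addr` test rejects the request with `-EINVAL`, whereas an unaligned `addr` with `size == 0` passes; if zero-length registrations are meant to be refused, an explicit `!size` check would state that intent instead of relying on alignment. The check assumes `addr` and `size` are unsigned, as an unsigned-wraparound test requires; that matches the function prototype in the hunk header context but is worth stating in the comment. This patch header has no `diff --git`/stat block and cites an oss-security post as Origin rather than an upstream commit id, so note the upstream commit in the header when it is known to make future rebases traceable.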
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netlink-fix-possible-spoofing-from-non-root-processe.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netlink-fix-possible-spoofing-from-non-root-processe.patch Sun Apr 12 16:34:03 2015 (r22496)
@@ -0,0 +1,65 @@
+From: Pablo Neira Ayuso <pablo at netfilter.org>
+Date: Thu, 23 Aug 2012 02:09:11 +0000
+Subject: netlink: fix possible spoofing from non-root processes
+Origin: https://git.kernel.org/linus/20e1db19db5d6b9e4e83021595eab0dc8f107bef
+
+Non-root user-space processes can send Netlink messages to other
+processes that are well-known for being subscribed to Netlink
+asynchronous notifications. This allows ilegitimate non-root
+process to send forged messages to Netlink subscribers.
+
+The userspace process usually verifies the legitimate origin in
+two ways:
+
+a) Socket credentials. If UID != 0, then the message comes from
+ some ilegitimate process and the message needs to be dropped.
+
+b) Netlink portID. In general, portID == 0 means that the origin
+ of the messages comes from the kernel. Thus, discarding any
+ message not coming from the kernel.
+
+However, ctnetlink sets the portID in event messages that has
+been triggered by some user-space process, eg. conntrack utility.
+So other processes subscribed to ctnetlink events, eg. conntrackd,
+know that the event was triggered by some user-space action.
+
+Neither of the two ways to discard ilegitimate messages coming
+from non-root processes can help for ctnetlink.
+
+This patch adds capability validation in case that dst_pid is set
+in netlink_sendmsg(). This approach is aggressive since existing
+applications using any Netlink bus to deliver messages between
+two user-space processes will break. Note that the exception is
+NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
+userspace communication.
+
+Still, if anyone wants that his Netlink bus allows netlink-to-netlink
+userspace, then they can set NL_NONROOT_SEND. However, by default,
+I don't think it makes sense to allow to use NETLINK_ROUTE to
+communicate two processes that are sending no matter what information
+that is not related to link/neighbouring/routing. They should be using
+NETLINK_USERSOCK instead for that.
+
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 2.6.32:
+ - Adjust context
+ - NETLINK_USERSOCK does not exist, so drop that part]
+---
+ net/netlink/af_netlink.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 1445d73..5270238 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1303,7 +1303,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ return -EINVAL;
+ dst_pid = addr->nl_pid;
+ dst_group = ffs(addr->nl_groups);
+- if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
++ if ((dst_group || dst_pid) &&
++ !netlink_capable(sock, NL_NONROOT_SEND))
+ return -EPERM;
+ } else {
+ dst_pid = nlk->dst_pid;
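Review bot: The diffstat in the patch header (`net/netlink/af_netlink.c | 4 +++-`, `3 insertions(+), 1 deletion(-)`) no longer matches the backported hunk, which shows two added lines and one removed (`@@ -1303,7 +1303,8 @@`); the stat was evidently left over from the upstream version that also touched the NETLINK_USERSOCK table entry, and should be regenerated. The new test only covers the explicit-address branch; the `} else {` branch takes `dst_pid` from `nlk->dst_pid`, i.e. the address set at connect time, so confirm that the 2.6.32 `netlink_connect` applies the same `NL_NONROOT_SEND` capability requirement when a non-zero `nl_pid` is supplied, otherwise the restriction added here has a second path to cover. Because the NETLINK_USERSOCK exception was dropped in this backport, unprivileged unicast between two user-space netlink sockets is now refused with `-EPERM` on every bus in 2.6.32, which is broader than upstream's "aggressive" change; that regression risk deserves a mention in the changelog entry for CVE-2012-6689.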
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tty-drop-driver-reference-in-tty_open-fail-path.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/tty-drop-driver-reference-in-tty_open-fail-path.patch Sun Apr 12 16:34:03 2015 (r22496)
@@ -0,0 +1,37 @@
+From: Jiri Slaby <jslaby at suse.cz>
+Date: Wed, 12 Oct 2011 11:32:42 +0200
+Subject: TTY: drop driver reference in tty_open fail path
+Origin: https://git.kernel.org/linus/c290f8358acaeffd8e0c551ddcc24d1206143376
+
+When tty_driver_lookup_tty fails in tty_open, we forget to drop a
+reference to the tty driver. This was added by commit 4a2b5fddd5 (Move
+tty lookup/reopen to caller).
+
+Fix that by adding tty_driver_kref_put to the fail path.
+
+I will refactor the code later. This is for the ease of backporting to
+stable.
+
+Introduced-in: v2.6.28-rc2
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Cc: stable <stable at vger.kernel.org>
+Cc: Alan Cox <alan at lxorguk.ukuu.org.uk>
+Acked-by: Sukadev Bhattiprolu <sukadev at linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[bwh: Backported to 2.6.32: adjust filename]
+---
+ drivers/char/tty_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
+index 4ca4bcd..6913da8 100644
+--- a/drivers/char/tty_io.c
++++ b/drivers/char/tty_io.c
+@@ -1779,6 +1779,7 @@ got_driver:
+
+ if (IS_ERR(tty)) {
+ mutex_unlock(&tty_mutex);
++ tty_driver_kref_put(driver);
+ return PTR_ERR(tty);
+ }
+ }
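Review bot: The added `tty_driver_kref_put(driver);` sits after `mutex_unlock(&tty_mutex);` and before `return PTR_ERR(tty);`, which matches the description of releasing the reference obtained at `got_driver:` on the lookup-failure path. Since the upstream message says the code will be refactored later and this is a minimal fix, check that no other early `return` between `got_driver:` and this point in the 2.6.32 `tty_open` still leaks the same reference, and that `driver` is the variable holding that reference (the hunk context does not show its assignment). The header's `[bwh: Backported to 2.6.32: adjust filename]` note covers the `drivers/char/tty_io.c` path; the CVE-2011-5321 id from the changelog should also be recorded in the header.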
Added: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12 Sun Apr 12 16:34:03 2015 (r22496)
@@ -0,0 +1,4 @@
++ bugfix/all/tty-drop-driver-reference-in-tty_open-fail-path.patch
++ bugfix/all/netlink-fix-possible-spoofing-from-non-root-processe.patch
++ bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
++ bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch
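Review bot: The four `+ ` entries enable patches that touch disjoint files (`drivers/char/tty_io.c`, `net/netlink/af_netlink.c`, `drivers/infiniband/core/umem.c`, `fs/ecryptfs/crypto.c`), so their ordering in this series file does not matter for application; the order here differs from the `Added:` listing only because the changelog entry lists them in this sequence. Since two of the patches carry `[bwh: Backported to 2.6.32 ...]` notes, a dry-run application of the whole series against the squeeze tree before upload would catch any context drift the backports missed.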