[kernel] r22500 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

[Ben Hutchings]

Author: benh
Date: Sun Apr 12 20:52:54 2015
New Revision: 22500

Log:
Add some simple security fixes

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-llc-use-correct-size-for-sysctl-timeout-entries.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-rds-use-correct-size-for-max-unacked-packets-and.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 12 20:44:07 2015	(r22499)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 12 20:52:54 2015	(r22500)
@@ -10,6 +10,9 @@
   * ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
   * [amd64] asm/entry: Remove a bogus 'ret_from_fork' optimization
     (CVE-2015-2830)
+  * net: llc: use correct size for sysctl timeout entries (CVE-2015-2041)
+  * net: rds: use correct size for max unacked packets and bytes
+    (CVE-2015-2042)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 12 Apr 2015 17:12:31 +0100
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-llc-use-correct-size-for-sysctl-timeout-entries.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-llc-use-correct-size-for-sysctl-timeout-entries.patch	Sun Apr 12 20:52:54 2015	(r22500)
@@ -0,0 +1,56 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Date: Fri, 23 Jan 2015 20:47:00 -0500
+Subject: net: llc: use correct size for sysctl timeout entries
+Origin: https://git.kernel.org/linus/6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49
+
+The timeout entries are sizeof(int) rather than sizeof(long), which
+means that when they were getting read we'd also leak kernel memory
+to userspace along with the timeout values.
+
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 2.6.32: adjust context]
+---
+ net/llc/sysctl_net_llc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
+index 612a5dd..799bafc 100644
+--- a/net/llc/sysctl_net_llc.c
++++ b/net/llc/sysctl_net_llc.c
+@@ -18,7 +18,7 @@ static struct ctl_table llc2_timeout_table[] = {
+ 		.ctl_name	= NET_LLC2_ACK_TIMEOUT,
+ 		.procname	= "ack",
+ 		.data		= &sysctl_llc2_ack_timeout,
+-		.maxlen		= sizeof(long),
++		.maxlen		= sizeof(sysctl_llc2_ack_timeout),
+ 		.mode		= 0644,
+ 		.proc_handler   = proc_dointvec_jiffies,
+ 		.strategy       = sysctl_jiffies,
+@@ -27,7 +27,7 @@
+ 		.ctl_name	= NET_LLC2_BUSY_TIMEOUT,
+ 		.procname	= "busy",
+ 		.data		= &sysctl_llc2_busy_timeout,
+-		.maxlen		= sizeof(long),
++		.maxlen		= sizeof(sysctl_llc2_busy_timeout),
+ 		.mode		= 0644,
+ 		.proc_handler   = proc_dointvec_jiffies,
+ 		.strategy       = sysctl_jiffies,
+@@ -36,7 +36,7 @@
+ 		.ctl_name	= NET_LLC2_P_TIMEOUT,
+ 		.procname	= "p",
+ 		.data		= &sysctl_llc2_p_timeout,
+-		.maxlen		= sizeof(long),
++		.maxlen		= sizeof(sysctl_llc2_p_timeout),
+ 		.mode		= 0644,
+ 		.proc_handler   = proc_dointvec_jiffies,
+ 		.strategy       = sysctl_jiffies,
+@@ -45,7 +45,7 @@
+ 		.ctl_name	= NET_LLC2_REJ_TIMEOUT,
+ 		.procname	= "rej",
+ 		.data		= &sysctl_llc2_rej_timeout,
+-		.maxlen		= sizeof(long),
++		.maxlen		= sizeof(sysctl_llc2_rej_timeout),
+ 		.mode		= 0644,
+ 		.proc_handler   = proc_dointvec_jiffies,
+ 		.strategy       = sysctl_jiffies,

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-rds-use-correct-size-for-max-unacked-packets-and.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-rds-use-correct-size-for-max-unacked-packets-and.patch	Sun Apr 12 20:52:54 2015	(r22500)
@@ -0,0 +1,40 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Date: Tue, 3 Feb 2015 08:55:58 -0500
+Subject: net: rds: use correct size for max unacked packets and bytes
+Origin: https://git.kernel.org/linus/db27ebb111e9f69efece08e4cb6a34ff980f8896
+
+Max unacked packets/bytes is an int while sizeof(long) was used in the
+sysctl table.
+
+This means that when they were getting read we'd also leak kernel memory
+to userspace along with the timeout values.
+
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 2.6.32: adjust context]
+---
+ net/rds/sysctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c
+index c3b0cd4..c173f69 100644
+--- a/net/rds/sysctl.c
++++ b/net/rds/sysctl.c
+@@ -74,7 +74,7 @@ static struct ctl_table rds_sysctl_rds_table[] = {
+ 		.ctl_name	= CTL_UNNUMBERED,
+ 		.procname	= "max_unacked_packets",
+ 		.data		= &rds_sysctl_max_unacked_packets,
+-		.maxlen         = sizeof(unsigned long),
++		.maxlen         = sizeof(int),
+ 		.mode           = 0644,
+ 		.proc_handler   = &proc_dointvec,
+ 	},
+@@ -82,7 +82,7 @@
+ 		.ctl_name	= CTL_UNNUMBERED,
+ 		.procname	= "max_unacked_bytes",
+ 		.data		= &rds_sysctl_max_unacked_bytes,
+-		.maxlen         = sizeof(unsigned long),
++		.maxlen         = sizeof(int),
+ 		.mode           = 0644,
+ 		.proc_handler   = &proc_dointvec,
+ 	},

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Apr 12 20:44:07 2015	(r22499)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Apr 12 20:52:54 2015	(r22500)
@@ -5,3 +5,5 @@
 + bugfix/all/hid-fix-a-couple-of-off-by-ones.patch
 + bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
 + bugfix/x86/x86-asm-entry-64-remove-a-bogus-ret_from_fork-optimi.patch
++ bugfix/all/net-llc-use-correct-size-for-sysctl-timeout-entries.patch
++ bugfix/all/net-rds-use-correct-size-for-max-unacked-packets-and.patch