--- /dev/null
+From stable Mon Sep 17 00:00:00 2001
+From: Chris Wright <chrisw@sous-sol.org>
+Subject: cpuset: prevent information leak in cpuset_tasks_read (CVE-2007-2875)
+
+Use simple_read_from_buffer to avoid possible underflow in
+cpuset_tasks_read which could allow user to read kernel memory.
+
+Note: This is fixed upstream in 85badbdf5120d246ce2bb3f1a7689a805f9c9006
+
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ kernel/cpuset.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- linux-2.6.20.12.orig/kernel/cpuset.c
++++ linux-2.6.20.12/kernel/cpuset.c
+@@ -1751,12 +1751,7 @@ static ssize_t cpuset_tasks_read(struct
+ {
+ struct ctr_struct *ctr = file->private_data;
+
+- if (*ppos + nbytes > ctr->bufsz)
+- nbytes = ctr->bufsz - *ppos;
+- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
+- return -EFAULT;
+- *ppos += nbytes;
+- return nbytes;
++ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
+ }
+
+ static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
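Review bot: The single replacement line in cpuset_tasks_read has no comment recording why the bounds handling must stay inside the helper. The removed code clamped nbytes with `ctr->bufsz - *ppos`, which the commit message says can underflow and let copy_to_user expose kernel memory. A comment above the call would discourage a later cleanup from open-coding the copy again: `/* simple_read_from_buffer() validates *ppos against ctr->bufsz; do not open-code (CVE-2007-2875) */`. The function signature begins outside the hunk.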
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jun 5 05:17:17 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Tue, 05 Jun 2007 14:14:22 +0200
+Subject: NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
+To: "David S. Miller" <davem@davemloft.net>
+Cc: security@kernel.org, Adrian Bunk <bunk@stusta.de>, Kiran Kumar Immidi <immidi_kiran@yahoo.com>, stable@kernel.org, Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
+Message-ID: <4665539E.9040005@trash.net>
+
+From: Patrick McHardy <kaber@trash.net>
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by not creating a new conntrack entry if the initial state is invalid.
+
+Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
+
+CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/ipv4/netfilter/ip_conntrack_proto_sctp.c | 3 ++-
+ net/netfilter/nf_conntrack_proto_sctp.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -461,7 +461,8 @@ static int sctp_new(struct ip_conntrack
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
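Review bot: The widened condition in sctp_new now covers two different failures, but the comment `/* Invalid: delete conntrack */` and the DEBUGP text do not say why SCTP_CONNTRACK_NONE is rejected. Per the commit message, the later access to sctp_timeouts[SCTP_CONNTRACK_NONE] in sctp_packet is what faults, so I would add `/* NONE: unknown chunk type gave no valid initial state; sctp_timeouts[NONE] must never be used */` above the check. The dereference site is outside this hunk; if sctp_packet can reach that index by any path other than a newly created entry, it probably wants the same guard there, which is worth confirming. The same applies to the identical hunk in net/netfilter/nf_conntrack_proto_sctp.c. sctp_new starts and ends outside the hunk.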
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -470,7 +470,8 @@ static int sctp_new(struct nf_conn *conn
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
+
--- /dev/null
+From 602b6aeefe8932dd8bb15014e8fe6bb25d736361 Mon Sep 17 00:00:00 2001
+From: Matt Mackall <mpm@selenic.com>
+Date: Tue, 29 May 2007 21:54:27 -0500
+Subject: random: fix error in entropy extraction (CVE-2007-2453 1 of 2)
+
+Fix cast error in entropy extraction.
+Add comments explaining the magic 16.
+Remove extra confusing loop variable.
+
+Signed-off-by: Matt Mackall <mpm@selenic.com>
+Acked-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/char/random.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- linux-2.6.20.12.orig/drivers/char/random.c
++++ linux-2.6.20.12/drivers/char/random.c
+@@ -760,7 +760,7 @@ static size_t account(struct entropy_sto
+
+ static void extract_buf(struct entropy_store *r, __u8 *out)
+ {
+- int i, x;
++ int i;
+ __u32 data[16], buf[5 + SHA_WORKSPACE_WORDS];
+
+ sha_init(buf);
+@@ -772,9 +772,11 @@ static void extract_buf(struct entropy_s
+ * attempts to find previous ouputs), unless the hash
+ * function can be inverted.
+ */
+- for (i = 0, x = 0; i < r->poolinfo->poolwords; i += 16, x+=2) {
+- sha_transform(buf, (__u8 *)r->pool+i, buf + 5);
+- add_entropy_words(r, &buf[x % 5], 1);
++ for (i = 0; i < r->poolinfo->poolwords; i += 16) {
++ /* hash blocks of 16 words = 512 bits */
++ sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
++ /* feed back portion of the resulting hash */
++ add_entropy_words(r, &buf[i % 5], 1);
+ }
+
+ /*
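Review bot: The feedback index `buf[i % 5]` in the rewritten loop still uses an unexplained 5, while the commit documents only the 16. The 5 presumably is the number of 32-bit hash-state words at the front of buf (it is declared `buf[5 + SHA_WORKSPACE_WORDS]`), so a comment such as `/* buf[0..4] is the hash state; feed back one word per block */` would help. The later hunk reuses `i` after the loop in `__add_entropy_words(r, &buf[i % 5], 1, data)`, where i holds the loop's final value, so the word chosen there depends on the pool size. A short comment saying that is intended would prevent a well-meaning "fix". extract_buf continues outside both hunks.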
+@@ -782,7 +784,7 @@ static void extract_buf(struct entropy_s
+ * portion of the pool while mixing, and hash one
+ * final time.
+ */
+- __add_entropy_words(r, &buf[x % 5], 1, data);
++ __add_entropy_words(r, &buf[i % 5], 1, data);
+ sha_transform(buf, (__u8 *)data, buf + 5);
+
+ /*
--- /dev/null
+From 7f397dcdb78d699a20d96bfcfb595a2411a5bbd2 Mon Sep 17 00:00:00 2001
+From: Matt Mackall <mpm@selenic.com>
+Date: Tue, 29 May 2007 21:58:10 -0500
+Subject: random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)
+
+Add data from zero-entropy random_writes directly to output pools to
+avoid accounting difficulties on machines without entropy sources.
+
+Tested on lguest with all entropy sources disabled.
+
+Signed-off-by: Matt Mackall <mpm@selenic.com>
+Acked-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/char/random.c | 55 ++++++++++++++++++++++++++++----------------------
+ 1 file changed, 31 insertions(+), 24 deletions(-)
+
+--- linux-2.6.20.12.orig/drivers/char/random.c
++++ linux-2.6.20.12/drivers/char/random.c
+@@ -1024,37 +1024,44 @@ random_poll(struct file *file, poll_tabl
+ return mask;
+ }
+
+-static ssize_t
+-random_write(struct file * file, const char __user * buffer,
+- size_t count, loff_t *ppos)
++static int
++write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
+ {
+- int ret = 0;
+ size_t bytes;
+ __u32 buf[16];
+ const char __user *p = buffer;
+- size_t c = count;
+
+- while (c > 0) {
+- bytes = min(c, sizeof(buf));
++ while (count > 0) {
++ bytes = min(count, sizeof(buf));
++ if (copy_from_user(&buf, p, bytes))
++ return -EFAULT;
+
+- bytes -= copy_from_user(&buf, p, bytes);
+- if (!bytes) {
+- ret = -EFAULT;
+- break;
+- }
+- c -= bytes;
++ count -= bytes;
+ p += bytes;
+
+- add_entropy_words(&input_pool, buf, (bytes + 3) / 4);
+- }
+- if (p == buffer) {
+- return (ssize_t)ret;
+- } else {
+- struct inode *inode = file->f_path.dentry->d_inode;
+- inode->i_mtime = current_fs_time(inode->i_sb);
+- mark_inode_dirty(inode);
+- return (ssize_t)(p - buffer);
++ add_entropy_words(r, buf, (bytes + 3) / 4);
+ }
++
++ return 0;
++}
++
++static ssize_t
++random_write(struct file * file, const char __user * buffer,
++ size_t count, loff_t *ppos)
++{
++ size_t ret;
++ struct inode *inode = file->f_path.dentry->d_inode;
++
++ ret = write_pool(&blocking_pool, buffer, count);
++ if (ret)
++ return ret;
++ ret = write_pool(&nonblocking_pool, buffer, count);
++ if (ret)
++ return ret;
++
++ inode->i_mtime = current_fs_time(inode->i_sb);
++ mark_inode_dirty(inode);
++ return (ssize_t)count;
+ }
+
+ static int
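Review bot: `size_t ret` in the new random_write holds the `int` result of write_pool, so -EFAULT is stored in an unsigned variable and becomes negative again only through the implicit conversion to the ssize_t return type. Declaring it `int ret;` (or `ssize_t ret;`) states the intent and avoids relying on that round trip. Separately, a fault during the second write_pool call returns -EFAULT after the blocking pool has already absorbed the whole buffer, and the earlier short-write return of `p - buffer` is gone. If that is intended, a comment on random_write should say so.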
+@@ -1093,8 +1100,8 @@ random_ioctl(struct inode * inode, struc
+ return -EINVAL;
+ if (get_user(size, p++))
+ return -EFAULT;
+- retval = random_write(file, (const char __user *) p,
+- size, &file->f_pos);
++ retval = write_pool(&input_pool, (const char __user *)p,
++ size);
+ if (retval < 0)
+ return retval;
+ credit_entropy_store(&input_pool, ent_count);
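Review bot: `size` is read from user space with get_user and passed straight to write_pool's `size_t count`, with no range check visible in this hunk. If `size` is declared as a signed int (its declaration is outside the hunk), a negative value converts to a very large count and the loop stops only when copy_from_user faults, after mixing in whatever was readable. Consider `if (size < 0) return -EINVAL;` before the call, and confirm that a privilege check guards this ioctl case above the hunk. random_ioctl starts and ends outside the hunk.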
--- /dev/null
+random-fix-error-in-entropy-extraction.patch
+random-fix-seeding-with-zero-entropy.patch
+cpuset-prevent-information-leak-in-cpuset_tasks_read.patch
+netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch