From: Chris Wright
Date: Thu, 7 Jun 2007 21:44:19 +0000 (-0700)
Subject: Linux 2.6.20.13
X-Git-Tag: v2.6.20.13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f5366511c2e9a5c9c8da5e408d8f8a442db1ca5;p=thirdparty%2Fkernel%2Fstable-queue.git
Linux 2.6.20.13
---
diff --git a/releases/2.6.20.13/cpuset-prevent-information-leak-in-cpuset_tasks_read.patch b/releases/2.6.20.13/cpuset-prevent-information-leak-in-cpuset_tasks_read.patch
new file mode 100644
index 00000000000..99596ae1ec7
--- /dev/null
+++ b/releases/2.6.20.13/cpuset-prevent-information-leak-in-cpuset_tasks_read.patch
@@ -0,0 +1,30 @@
+From stable Mon Sep 17 00:00:00 2001
+From: Chris Wright
+Subject: cpuset: prevent information leak in cpuset_tasks_read (CVE-2007-2875)
+
+Use simple_read_from_buffer to avoid possible underflow in
+cpuset_tasks_read which could allow user to read kernel memory.
+
+Note: This is fixed upstream in 85badbdf5120d246ce2bb3f1a7689a805f9c9006
+
+Signed-off-by: Chris Wright
+---
+ kernel/cpuset.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- linux-2.6.20.12.orig/kernel/cpuset.c
++++ linux-2.6.20.12/kernel/cpuset.c
+@@ -1751,12 +1751,7 @@ static ssize_t cpuset_tasks_read(struct
+ {
+ struct ctr_struct *ctr = file->private_data;
+
+- if (*ppos + nbytes > ctr->bufsz)
+- nbytes = ctr->bufsz - *ppos;
+- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
+- return -EFAULT;
+- *ppos += nbytes;
+- return nbytes;
++ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
+ }
+
+ static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
diff --git a/releases/2.6.20.13/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch b/releases/2.6.20.13/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
new file mode 100644
index 00000000000..68d30d2467a
--- /dev/null
+++ b/releases/2.6.20.13/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
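Review bot: The replacement `return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);` carries no comment saying why the open-coded check had to go, so a later cleanup could reintroduce it; the removed lines only clamp when `*ppos + nbytes > ctr->bufsz`, and once `*ppos` is already past `bufsz` the subtraction `ctr->bufsz - *ppos` wraps to a huge `nbytes`, which is the underflow the description refers to. I would add `/* simple_read_from_buffer bounds *ppos and nbytes against bufsz; the open-coded clamp underflowed for *ppos > bufsz (CVE-2007-2875) */` above the call. The -EFAULT path now lives inside the helper; how this tree's simple_read_from_buffer treats a partial copy_to_user (copied count versus -EFAULT) is not visible here and is worth confirming before the backport is taken. The signature of cpuset_tasks_read is visible only in the hunk header, so the parameter types are outside the hunk.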
@@ -0,0 +1,54 @@
+From stable-bounces@linux.kernel.org Tue Jun 5 05:17:17 2007
+From: Patrick McHardy
+Date: Tue, 05 Jun 2007 14:14:22 +0200
+Subject: NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
+To: "David S. Miller"
+Cc: security@kernel.org, Adrian Bunk , Kiran Kumar Immidi , stable@kernel.org, Vilmos Nebehaj
+Message-ID: <4665539E.9040005@trash.net>
+
+From: Patrick McHardy
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by don't creating new conntrack entry if initial state is invalid.
+
+Noticed by Vilmos Nebehaj
+
+CC: Kiran Kumar Immidi
+Cc: David Miller
+Signed-off-by: Patrick McHardy
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Chris Wright
+
+---
+ net/ipv4/netfilter/ip_conntrack_proto_sctp.c | 3 ++-
+ net/netfilter/nf_conntrack_proto_sctp.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -461,7 +461,8 @@ static int sctp_new(struct ip_conntrack
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -470,7 +470,8 @@ static int sctp_new(struct nf_conn *conn
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
+
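Review bot: The added `newconntrack == SCTP_CONNTRACK_NONE` test in sctp_new is not explained by the surviving comment `/* Invalid: delete conntrack */`, which still describes only the MAX case; the same applies to the second inner hunk in net/netfilter/nf_conntrack_proto_sctp.c. Going by the description, NONE is reached when the chunk type does not start an association and the state lookup hands back the initial state unchanged, and a conntrack created in that state has no usable entry in sctp_timeouts, so I would change the comment to `/* Invalid: no initial transition (unknown chunk type) or no table entry; creating the conntrack in NONE would leave it without a timeout */`. The rest of sctp_new and all of sctp_packet lie outside both hunks, so whether any later transition can store SCTP_CONNTRACK_NONE into the tracked state is not visible here and is worth checking alongside this fix.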
diff --git a/releases/2.6.20.13/random-fix-error-in-entropy-extraction.patch b/releases/2.6.20.13/random-fix-error-in-entropy-extraction.patch
new file mode 100644
index 00000000000..953b324e7ce
--- /dev/null
+++ b/releases/2.6.20.13/random-fix-error-in-entropy-extraction.patch
@@ -0,0 +1,52 @@
+From 602b6aeefe8932dd8bb15014e8fe6bb25d736361 Mon Sep 17 00:00:00 2001
+From: Matt Mackall
+Date: Tue, 29 May 2007 21:54:27 -0500
+Subject: random: fix error in entropy extraction (CVE-2007-2453 1 of 2)
+
+Fix cast error in entropy extraction.
+Add comments explaining the magic 16.
+Remove extra confusing loop variable.
+
+Signed-off-by: Matt Mackall
+Acked-by: "Theodore Ts'o"
+Signed-off-by: Linus Torvalds
+Signed-off-by: Chris Wright
+---
+ drivers/char/random.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- linux-2.6.20.12.orig/drivers/char/random.c
++++ linux-2.6.20.12/drivers/char/random.c
+@@ -760,7 +760,7 @@ static size_t account(struct entropy_sto
+
+ static void extract_buf(struct entropy_store *r, __u8 *out)
+ {
+- int i, x;
++ int i;
+ __u32 data[16], buf[5 + SHA_WORKSPACE_WORDS];
+
+ sha_init(buf);
+@@ -772,9 +772,11 @@ static void extract_buf(struct entropy_s
+ * attempts to find previous ouputs), unless the hash
+ * function can be inverted.
+ */
+- for (i = 0, x = 0; i < r->poolinfo->poolwords; i += 16, x+=2) {
+- sha_transform(buf, (__u8 *)r->pool+i, buf + 5);
+- add_entropy_words(r, &buf[x % 5], 1);
++ for (i = 0; i < r->poolinfo->poolwords; i += 16) {
++ /* hash blocks of 16 words = 512 bits */
++ sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
++ /* feed back portion of the resulting hash */
++ add_entropy_words(r, &buf[i % 5], 1);
+ }
+
+ /*
+@@ -782,7 +784,7 @@ static void extract_buf(struct entropy_s
+ * portion of the pool while mixing, and hash one
+ * final time.
+ */
+- __add_entropy_words(r, &buf[x % 5], 1, data);
++ __add_entropy_words(r, &buf[i % 5], 1, data);
+ sha_transform(buf, (__u8 *)data, buf + 5);
+
+ /*
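Review bot: The hunk still spells the SHA block size as the literal `16` in three places (`__u32 data[16]`, `i += 16`, and the new comment `hash blocks of 16 words = 512 bits`) even though the commit message's stated goal is to explain that magic number; a named constant used for both the `data[]` size and the loop stride (for example `enum { EXTRACT_BLOCK_WORDS = 16 };`, constructed name) would tie them together and make the re-parenthesised `(__u8 *)(r->pool + i)` self-documenting, since that is the cast-precedence fix: the old `(__u8 *)r->pool+i` advanced by i bytes rather than i words, assuming r->pool is a word pointer as the `poolwords` bound suggests. The feedback index `&buf[i % 5]` after the loop now uses the loop's exit value of `i`, so which hash word is fed back depends on `poolwords`; that looks intentional but deserves a one-line comment such as `/* i == poolwords here: pick a hash word that varies with the pool size */`. extract_buf continues past the last inner hunk.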
diff --git a/releases/2.6.20.13/random-fix-seeding-with-zero-entropy.patch b/releases/2.6.20.13/random-fix-seeding-with-zero-entropy.patch
new file mode 100644
index 00000000000..2ce84cd9208
--- /dev/null
+++ b/releases/2.6.20.13/random-fix-seeding-with-zero-entropy.patch
@@ -0,0 +1,98 @@
+From 7f397dcdb78d699a20d96bfcfb595a2411a5bbd2 Mon Sep 17 00:00:00 2001
+From: Matt Mackall
+Date: Tue, 29 May 2007 21:58:10 -0500
+Subject: random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)
+
+Add data from zero-entropy random_writes directly to output pools to
+avoid accounting difficulties on machines without entropy sources.
+
+Tested on lguest with all entropy sources disabled.
+
+Signed-off-by: Matt Mackall
+Acked-by: "Theodore Ts'o"
+Signed-off-by: Linus Torvalds
+Signed-off-by: Chris Wright
+---
+ drivers/char/random.c | 55 ++++++++++++++++++++++++++++----------------------
+ 1 file changed, 31 insertions(+), 24 deletions(-)
+
+--- linux-2.6.20.12.orig/drivers/char/random.c
++++ linux-2.6.20.12/drivers/char/random.c
+@@ -1024,37 +1024,44 @@ random_poll(struct file *file, poll_tabl
+ return mask;
+ }
+
+-static ssize_t
+-random_write(struct file * file, const char __user * buffer,
+- size_t count, loff_t *ppos)
++static int
++write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
+ {
+- int ret = 0;
+ size_t bytes;
+ __u32 buf[16];
+ const char __user *p = buffer;
+- size_t c = count;
+
+- while (c > 0) {
+- bytes = min(c, sizeof(buf));
++ while (count > 0) {
++ bytes = min(count, sizeof(buf));
++ if (copy_from_user(&buf, p, bytes))
++ return -EFAULT;
+
+- bytes -= copy_from_user(&buf, p, bytes);
+- if (!bytes) {
+- ret = -EFAULT;
+- break;
+- }
+- c -= bytes;
++ count -= bytes;
+ p += bytes;
+
+- add_entropy_words(&input_pool, buf, (bytes + 3) / 4);
+- }
+- if (p == buffer) {
+- return (ssize_t)ret;
+- } else {
+- struct inode *inode = file->f_path.dentry->d_inode;
+- inode->i_mtime = current_fs_time(inode->i_sb);
+- mark_inode_dirty(inode);
+- return (ssize_t)(p - buffer);
++ add_entropy_words(r, buf, (bytes + 3) / 4);
+ }
++
++ return 0;
++}
++
++static ssize_t
++random_write(struct file * file, const char __user * buffer,
++ size_t count, loff_t *ppos)
++{
++ size_t ret;
++ struct inode *inode = file->f_path.dentry->d_inode;
++
++ ret = write_pool(&blocking_pool, buffer, count);
++ if (ret)
++ return ret;
++ ret = write_pool(&nonblocking_pool, buffer, count);
++ if (ret)
++ return ret;
++
++ inode->i_mtime = current_fs_time(inode->i_sb);
++ mark_inode_dirty(inode);
++ return (ssize_t)count;
+ }
+
+ static int
+@@ -1093,8 +1100,8 @@ random_ioctl(struct inode * inode, struc
+ return -EINVAL;
+ if (get_user(size, p++))
+ return -EFAULT;
+- retval = random_write(file, (const char __user *) p,
+- size, &file->f_pos);
++ retval = write_pool(&input_pool, (const char __user *)p,
++ size);
+ if (retval < 0)
+ return retval;
+ credit_entropy_store(&input_pool, ent_count);
diff --git a/releases/2.6.20.13/series b/releases/2.6.20.13/series
new file mode 100644
index 00000000000..9f9c04ae64e
--- /dev/null
+++ b/releases/2.6.20.13/series
@@ -0,0 +1,4 @@
+random-fix-error-in-entropy-extraction.patch
+random-fix-seeding-with-zero-entropy.patch
+cpuset-prevent-information-leak-in-cpuset_tasks_read.patch
+netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
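Review bot: `size_t ret;` in the new random_write receives the `int` result of write_pool, which is `-EFAULT` on a failed copy_from_user; the error only survives because converting a negative int to size_t yields a non-zero value and the final `return ret;` converts it back to ssize_t, which is implementation-defined rather than guaranteed. Declare it as `int ret;` so that `if (ret) return ret;` propagates the error by type instead of by accident. The second inner hunk stores the same `int` into `retval` in random_ioctl, whose declaration is outside the hunk; `if (retval < 0)` relies on it being signed, so its type is worth checking for the same reason. Also, random_write now reads the user buffer twice (once per pool), so a buffer modified concurrently by userspace may seed the two pools with different bytes; that is harmless for uncredited input but deserves a short comment so nobody later assumes the pools received identical data.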