From: Greg Kroah-Hartman
Date: Mon, 17 Nov 2008 04:47:16 +0000 (-0800)
Subject: add network .27 patch
X-Git-Tag: v2.6.27.7~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4b5069b6465758beee4d3a4c3f520614a8d468e7;p=thirdparty%2Fkernel%2Fstable-queue.git
add network .27 patch
---
diff --git a/queue-2.6.27/net-fix-proc-net-snmp-as-memory-corruptor.patch b/queue-2.6.27/net-fix-proc-net-snmp-as-memory-corruptor.patch
new file mode 100644
index 00000000000..58a1797fd61
--- /dev/null
+++ b/queue-2.6.27/net-fix-proc-net-snmp-as-memory-corruptor.patch
@@ -0,0 +1,99 @@
+From b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 10 Nov 2008 21:43:08 -0800
+Subject: net: fix /proc/net/snmp as memory corruptor
+
+From: Eric Dumazet
+
+commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8 upstream.
+
+icmpmsg_put() can happily corrupt kernel memory, using a static
+table and forgetting to reset an array index in a loop.
+
+Remove the static array since its not safe without proper locking.
+
+Signed-off-by: Alexey Dobriyan
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/proc.c | 58 ++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 30 insertions(+), 28 deletions(-)
+
+--- a/net/ipv4/proc.c
++++ b/net/ipv4/proc.c
+@@ -237,43 +237,45 @@ static const struct snmp_mib snmp4_net_l
+ SNMP_MIB_SENTINEL
+ };
+
++static void icmpmsg_put_line(struct seq_file *seq, unsigned long *vals,
++ unsigned short *type, int count)
++{
++ int j;
++
++ if (count) {
++ seq_printf(seq, "\nIcmpMsg:");
++ for (j = 0; j < count; ++j)
++ seq_printf(seq, " %sType%u",
++ type[j] & 0x100 ? "Out" : "In",
++ type[j] & 0xff);
++ seq_printf(seq, "\nIcmpMsg:");
++ for (j = 0; j < count; ++j)
++ seq_printf(seq, " %lu", vals[j]);
++ }
++}
++
+ static void icmpmsg_put(struct seq_file *seq)
+ {
+ #define PERLINE 16
+
+- int j, i, count;
+- static int out[PERLINE];
++ int i, count;
++ unsigned short type[PERLINE];
++ unsigned long vals[PERLINE], val;
+ struct net *net = seq->private;
+
+ count = 0;
+ for (i = 0; i < ICMPMSG_MIB_MAX; i++) {
+-
+- if (snmp_fold_field((void **) net->mib.icmpmsg_statistics, i))
+- out[count++] = i;
+- if (count < PERLINE)
+- continue;
+-
+- seq_printf(seq, "\nIcmpMsg:");
+- for (j = 0; j < PERLINE; ++j)
+- seq_printf(seq, " %sType%u", i & 0x100 ? "Out" : "In",
+- i & 0xff);
+- seq_printf(seq, "\nIcmpMsg: ");
+- for (j = 0; j < PERLINE; ++j)
+- seq_printf(seq, " %lu",
+- snmp_fold_field((void **) net->mib.icmpmsg_statistics,
+- out[j]));
+- seq_putc(seq, '\n');
+- }
+- if (count) {
+- seq_printf(seq, "\nIcmpMsg:");
+- for (j = 0; j < count; ++j)
+- seq_printf(seq, " %sType%u", out[j] & 0x100 ? "Out" :
+- "In", out[j] & 0xff);
+- seq_printf(seq, "\nIcmpMsg:");
+- for (j = 0; j < count; ++j)
+- seq_printf(seq, " %lu", snmp_fold_field((void **)
+- net->mib.icmpmsg_statistics, out[j]));
++ val = snmp_fold_field((void **) net->mib.icmpmsg_statistics, i);
++ if (val) {
++ type[count] = i;
++ vals[count++] = val;
++ }
++ if (count == PERLINE) {
++ icmpmsg_put_line(seq, vals, type, count);
++ count = 0;
++ }
+ }
++ icmpmsg_put_line(seq, vals, type, count);
+
+ #undef PERLINE
+ }
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index 0cfaf06f2f1..58803edf11f 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -1,3 +1,4 @@
+net-fix-proc-net-snmp-as-memory-corruptor.patch
 touch_mnt_namespace-when-the-mount-flags-change.patch
 iwlagn-avoid-sleep-in-softirq-context.patch
 ath5k-fix-suspend-related-oops-on-rmmod.patch
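Review bot: In icmpmsg_put() (the net/ipv4/proc.c change carried by the added patch file), the stores `type[count] = i;` and `vals[count++] = val;` stay inside the PERLINE-sized stack arrays only because the `count == PERLINE` flush runs later in the same loop iteration and resets `count`, and nothing in the new code says so. Since the missing reset of that index is the corruption this patch fixes, I would pin the invariant with a comment above the store, e.g. `/* count < PERLINE here: the flush below resets it before the next store */`. icmpmsg_put_line() would also benefit from a short header comment stating that bit 0x100 of each type[] entry selects "Out" and the low 8 bits carry the ICMP type, which presumably relies on ICMPMSG_MIB_MAX not exceeding 0x200; its definition is not visible in this hunk.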