Fix credentials leakage regression (#700637)
parent
b8c6e51855
commit
2c4c81ad30
|
@ -0,0 +1,57 @@
|
|||
From: Eric W. Biederman <ebiederm@xmission.com>
|
||||
Date: Sun, 13 Jun 2010 03:31:06 +0000 (+0000)
|
||||
Subject: af_netlink: Add needed scm_destroy after scm_send.
|
||||
X-Git-Tag: v2.6.36-rc1~571^2~552
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6
|
||||
|
||||
af_netlink: Add needed scm_destroy after scm_send.
|
||||
|
||||
scm_send occasionally allocates state in the scm_cookie, so I have
|
||||
modified netlink_sendmsg to guarantee that when scm_send succeeds
|
||||
scm_destory will be called to free that state.
|
||||
|
||||
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
|
||||
Reviewed-by: Daniel Lezcano <daniel.lezcano@free.fr>
|
||||
Acked-by: Pavel Emelyanov <xemul@openvz.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
|
||||
index a2eb965..7aeaa83 100644
|
||||
--- a/net/netlink/af_netlink.c
|
||||
+++ b/net/netlink/af_netlink.c
|
||||
@@ -1323,19 +1323,23 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
|
||||
if (msg->msg_flags&MSG_OOB)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
- if (NULL == siocb->scm)
|
||||
+ if (NULL == siocb->scm) {
|
||||
siocb->scm = &scm;
|
||||
+ memset(&scm, 0, sizeof(scm));
|
||||
+ }
|
||||
err = scm_send(sock, msg, siocb->scm);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
if (msg->msg_namelen) {
|
||||
+ err = -EINVAL;
|
||||
if (addr->nl_family != AF_NETLINK)
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
dst_pid = addr->nl_pid;
|
||||
dst_group = ffs(addr->nl_groups);
|
||||
+ err = -EPERM;
|
||||
if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
|
||||
- return -EPERM;
|
||||
+ goto out;
|
||||
} else {
|
||||
dst_pid = nlk->dst_pid;
|
||||
dst_group = nlk->dst_group;
|
||||
@@ -1387,6 +1391,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
|
||||
err = netlink_unicast(sk, skb, dst_pid, msg->msg_flags&MSG_DONTWAIT);
|
||||
|
||||
out:
|
||||
+ scm_destroy(siocb->scm);
|
||||
return err;
|
||||
}
|
||||
|
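Review bot: Every error exit between the successful `scm_send` and the `out:` label must now reach `scm_destroy`, but the stretch of `netlink_sendmsg` from the `dst_group` assignment (around line 1345) to the `netlink_unicast` call (around line 1391) lies outside both hunks, so it cannot be confirmed here that no bare `return` survives there; any such return would still leak the state that `scm_send` allocated. The early `return err` after a failed `scm_send` is likewise leak-free only if `scm_send` releases whatever it acquired on failure, which this patch does not show. A one-line comment above that check, `/* scm_send frees its own state on failure; every later exit must goto out */`, would record the contract the `out:` label now depends on. netlink_sendmsg starts and ends outside the hunk.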
|
@ -839,6 +839,10 @@ Patch13958: agp-fix-oom-and-buffer-overflow.patch
|
|||
# CVE-2011-1494, CVE-2011-1495
|
||||
Patch13960: scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
|
||||
|
||||
# fix credentials leakage regression (#700637)
|
||||
Patch13961: revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
|
||||
Patch13962: af_netlink-add-needed-scm_destroy-after-scm_send.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
@ -1577,6 +1581,10 @@ ApplyPatch agp-fix-oom-and-buffer-overflow.patch
|
|||
# CVE-2011-1494, CVE-2011-1495
|
||||
ApplyPatch scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
|
||||
|
||||
# fix credentials leakage regression (#700637)
|
||||
ApplyPatch revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
|
||||
ApplyPatch af_netlink-add-needed-scm_destroy-after-scm_send.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2168,6 +2176,7 @@ fi
|
|||
(CVE-2011-1494, CVE-2011-1495)
|
||||
- agp: fix arbitrary kernel memory writes (CVE-2011-1745)
|
||||
- agp: fix OOM and buffer overflow (CVE-2011-1746)
|
||||
- Fix credentials leakage regression (#700637)
|
||||
|
||||
* Thu Apr 29 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- Linux 2.6.35.13
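Review bot: The `# fix credentials leakage regression (#700637)` comment on the Patch13961/Patch13962 lines identifies the fix only by the downstream bug number; naming the upstream commit being carried (b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6, as the patch header added in this commit records) lets a future rebase confirm it is already in the base kernel and drop both patches. The ordering dependency is also worth stating in the comment, since Patch13961 reverts the partial 2.6.35.11 backport that Patch13962 then re-applies in full, and the two are only correct together. Suggested: `# fix credentials leakage regression (#700637): revert partial backport, then apply upstream b47030c7 (order matters)`.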
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
2.6.35.11 added two patches:
|
||||
af_netlink-add-needed-scm_destroy-after-scm_send
|
||||
fix-cred-leak-in-af_netlink
|
||||
|
||||
The first one was supposedly a backport of upstream commit
|
||||
b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6, but it was incomplete and the
|
||||
rest of that commit was in the second patch. I asked for the second
|
||||
patch to be reverted in 2.6.35.12, thinking it was a duplicate fix for
|
||||
the credentials leakage, and that caused the leak to return. This patch
|
||||
reverts the first of those two patches so we can apply the complete
|
||||
upstream patch.
|
||||
|
||||
Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
|
||||
|
||||
--- a/net/netlink/af_netlink.c
|
||||
+++ b/net/netlink/af_netlink.c
|
||||
@@ -1323,11 +1323,8 @@
|
||||
if (msg->msg_flags&MSG_OOB)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
+ if (NULL == siocb->scm)
|
||||
- if (NULL == siocb->scm) {
|
||||
siocb->scm = &scm;
|
||||
- memset(&scm, 0, sizeof(scm));
|
||||
- }
|
||||
-
|
||||
err = scm_send(sock, msg, siocb->scm);
|
||||
if (err < 0)
|
||||
return err;
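Review bot: Applied on its own, this hunk removes the `memset(&scm, 0, sizeof(scm))` and hands an uninitialized `struct scm_cookie` to `scm_send`, so the tree is correct only once the following patch re-adds that initialization; that is fine for the final build but makes Patch13961 an unsafe point to stop at when bisecting. The patch description should say so, for example `Note: must be applied together with af_netlink-add-needed-scm_destroy-after-scm_send.patch, which immediately restores the memset.` The hunk header `@@ -1323,11 +1323,8 @@` carries no function context, so it is also worth confirming the hunk applies at that offset against 2.6.35.13 without fuzz into a different function. netlink_sendmsg starts and ends outside the hunk.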
|