Linux 2.6.32.22
Drop merged patches: aio-check-for-multiplication-overflow-in-do_io_submit.patch inotify-fix-inotify-oneshot-support.patch inotify-send-IN_UNMOUNT-events.patch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
parent
7eb61976f8
commit
6cfda382fd
|
@ -1,47 +0,0 @@
|
|||
From be18992d0630149403bfae5882601cf01a7d4eea Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Moyer <jmoyer@redhat.com>
|
||||
Date: Fri, 10 Sep 2010 14:16:00 -0700
|
||||
Subject: [PATCH 4/4] aio: check for multiplication overflow in do_io_submit
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Tavis Ormandy pointed out that do_io_submit does not do proper bounds
|
||||
checking on the passed-in iocb array:
|
||||
|
||||
if (unlikely(nr < 0))
|
||||
return -EINVAL;
|
||||
|
||||
if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
|
||||
return -EFAULT; ^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The attached patch checks for overflow, and if it is detected, the
|
||||
number of iocbs submitted is scaled down to a number that will fit in
|
||||
the long. This is an ok thing to do, as sys_io_submit is documented as
|
||||
returning the number of iocbs submitted, so callers should handle a
|
||||
return value of less than the 'nr' argument passed in.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/aio.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/fs/aio.c b/fs/aio.c
|
||||
index 02a2c93..b84a769 100644
|
||||
--- a/fs/aio.c
|
||||
+++ b/fs/aio.c
|
||||
@@ -1639,6 +1639,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
|
||||
if (unlikely(nr < 0))
|
||||
return -EINVAL;
|
||||
|
||||
+ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
|
||||
+ nr = LONG_MAX/sizeof(*iocbpp);
|
||||
+
|
||||
if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
|
||||
return -EFAULT;
|
||||
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
#607327
|
||||
|
||||
During the large inotify rewrite to fsnotify I completely dropped support
|
||||
for IN_ONESHOT. Reimplement that support.
|
||||
|
||||
Signed-off-by: Eric Paris <eparis@redhat.com>
|
||||
---
|
||||
|
||||
fs/notify/inotify/inotify_fsnotify.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
|
||||
index daa666a..388a150 100644
|
||||
--- a/fs/notify/inotify/inotify_fsnotify.c
|
||||
+++ b/fs/notify/inotify/inotify_fsnotify.c
|
||||
@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
|
||||
ret = 0;
|
||||
}
|
||||
|
||||
+ if (entry->mask & IN_ONESHOT)
|
||||
+ fsnotify_destroy_mark_by_entry(entry);
|
||||
+
|
||||
/*
|
||||
* If we hold the entry until after the event is on the queue
|
||||
* IN_IGNORED won't be able to pass this event in the queue
|
|
@ -1,29 +0,0 @@
|
|||
#607327 ?
|
||||
|
||||
Since the .31 or so notify rewrite inotify has not sent events about
|
||||
inodes which are unmounted. This patch restores those events.
|
||||
|
||||
Signed-off-by: Eric Paris <eparis@redhat.com>
|
||||
---
|
||||
|
||||
fs/notify/inotify/inotify_user.c | 7 +++++--
|
||||
1 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
|
||||
index 44aeb0f..f381daf 100644
|
||||
--- a/fs/notify/inotify/inotify_user.c
|
||||
+++ b/fs/notify/inotify/inotify_user.c
|
||||
@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
|
||||
{
|
||||
__u32 mask;
|
||||
|
||||
- /* everything should accept their own ignored and cares about children */
|
||||
- mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
|
||||
+ /*
|
||||
+ * everything should accept their own ignored, cares about children,
|
||||
+ * and should receive events when the inode is unmounted
|
||||
+ */
|
||||
+ mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
|
||||
|
||||
/* mask off the flags used to open the fd */
|
||||
mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));
|
|
@ -1,35 +0,0 @@
|
|||
From: David S. Miller <davem@davemloft.net>
|
||||
Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
|
||||
Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
|
||||
|
||||
irda: Correctly clean up self->ias_obj on irda_bind() failure.
|
||||
|
||||
If irda_open_tsap() fails, the irda_bind() code tries to destroy
|
||||
the ->ias_obj object by hand, but does so wrongly.
|
||||
|
||||
In particular, it fails to a) release the hashbin attached to the
|
||||
object and b) reset the self->ias_obj pointer to NULL.
|
||||
|
||||
Fix both problems by using irias_delete_object() and explicitly
|
||||
setting self->ias_obj to NULL, just as irda_release() does.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
|
||||
index 79986a6..fd55b51 100644
|
||||
--- a/net/irda/af_irda.c
|
||||
+++ b/net/irda/af_irda.c
|
||||
@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
|
||||
|
||||
err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
|
||||
if (err < 0) {
|
||||
- kfree(self->ias_obj->name);
|
||||
- kfree(self->ias_obj);
|
||||
+ irias_delete_object(self->ias_obj);
|
||||
+ self->ias_obj = NULL;
|
||||
return err;
|
||||
}
|
||||
|
40
kernel.spec
40
kernel.spec
|
@ -47,7 +47,7 @@ Summary: The Linux kernel
|
|||
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
|
||||
# scripts/rebase.sh should be made to do that for you, actually.
|
||||
#
|
||||
%global baserelease 169
|
||||
%global baserelease 170
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -59,7 +59,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 22
|
||||
%define stable_update 23
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -638,8 +638,6 @@ Patch21: linux-2.6-tracehook.patch
|
|||
Patch22: linux-2.6-utrace.patch
|
||||
Patch23: linux-2.6-utrace-ptrace.patch
|
||||
|
||||
Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
|
||||
Patch141: linux-2.6-ps3-storage-alias.patch
|
||||
Patch143: linux-2.6-g5-therm-shutdown.patch
|
||||
Patch144: linux-2.6-vio-modalias.patch
|
||||
|
@ -829,16 +827,11 @@ Patch12923: mac80211-explicitly-disable-enable-QoS.patch
|
|||
# l2tp: fix oops in pppol2tp_xmit (#607054)
|
||||
Patch13030: l2tp-fix-oops-in-pppol2tp_xmit.patch
|
||||
|
||||
Patch14020: inotify-fix-inotify-oneshot-support.patch
|
||||
Patch14030: inotify-send-IN_UNMOUNT-events.patch
|
||||
|
||||
Patch14050: crypto-add-async-hash-testing.patch
|
||||
|
||||
# Red Hat Bugzilla #610911
|
||||
Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||
|
||||
Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
|
||||
Patch14200: net-do-not-check-capable-if-kernel.patch
|
||||
|
||||
# Mitigate DOS with large argument lists
|
||||
|
@ -846,10 +839,6 @@ Patch14210: execve-improve-interactivity-with-large-arguments.patch
|
|||
Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-2960
|
||||
Patch14230: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
Patch14231: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
|
||||
# ==============================================================================
|
||||
%endif
|
||||
|
||||
|
@ -1323,8 +1312,6 @@ ApplyPatch linux-2.6-execshield.patch
|
|||
#
|
||||
# bugfixes to drivers and filesystems
|
||||
#
|
||||
# CVE-2010-3067
|
||||
ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
|
||||
# ext4
|
||||
|
||||
|
@ -1546,18 +1533,11 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch
|
|||
# l2tp: fix oops in pppol2tp_xmit (#607054)
|
||||
ApplyPatch l2tp-fix-oops-in-pppol2tp_xmit.patch
|
||||
|
||||
# fix broken oneshot support and missing umount events (F13#607327)
|
||||
ApplyPatch inotify-fix-inotify-oneshot-support.patch
|
||||
ApplyPatch inotify-send-IN_UNMOUNT-events.patch
|
||||
|
||||
# add tests for crypto async hashing (#571577)
|
||||
ApplyPatch crypto-add-async-hash-testing.patch
|
||||
|
||||
ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
||||
|
||||
# CVE-2010-2954
|
||||
ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
|
||||
# rhbz #598796
|
||||
ApplyPatch net-do-not-check-capable-if-kernel.patch
|
||||
|
||||
|
@ -1566,10 +1546,6 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
|
|||
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# CVE-2010-2960
|
||||
ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS ====================================================
|
||||
%endif
|
||||
|
||||
|
@ -2222,7 +2198,17 @@ fi
|
|||
%kernel_variant_files -k vmlinux %{with_kdump} kdump
|
||||
|
||||
%changelog
|
||||
* Mon Sep 20 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.21-169
|
||||
* Mon Sep 27 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.23-170
|
||||
- Linux 2.6.32.22
|
||||
- Drop merged patches:
|
||||
aio-check-for-multiplication-overflow-in-do_io_submit.patch
|
||||
inotify-fix-inotify-oneshot-support.patch
|
||||
inotify-send-IN_UNMOUNT-events.patch
|
||||
irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
|
||||
keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
|
||||
|
||||
* Mon Sep 20 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.22-169
|
||||
- Linux 2.6.32.22
|
||||
- Drop merged patches:
|
||||
01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
|
||||
|
|
|
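Review bot: The new changelog entry under the `* Mon Sep 27 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.23-170` header still reads `- Linux 2.6.32.22`, which contradicts the `%define stable_update 23` bump earlier in the same file and duplicates the line already recorded under the previous 2.6.32.22-169 entry; it should read `- Linux 2.6.32.23` (the commit title carries the same stale version). The dropped ApplyPatch blocks were also the spec's only record of CVE-2010-3067, CVE-2010-2954 and CVE-2010-2960 (the removed comment lines above the aio, irda and keys ApplyPatch calls), so an auditor reading the changelog can no longer see which advisories this build relied on the -stable update to cover; a line such as `- Drop merged patches (CVE-2010-3067, CVE-2010-2954, CVE-2010-2960 now carried by -stable):` keeps that trail. Whether 2.6.32.23 in fact contains all six patches is not visible on this page and is worth confirming against the -stable release notes before the bump ships.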
@ -1,52 +0,0 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
|
||||
Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
|
||||
|
||||
KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
|
||||
|
||||
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
|
||||
of the parent process's session keyring whether or not the parent has a session
|
||||
keyring [CVE-2010-2960].
|
||||
|
||||
This results in the following oops:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
|
||||
IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
|
||||
[<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
|
||||
[<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
if the parent process has no session keyring.
|
||||
|
||||
If the system is using pam_keyinit then it mostly protected against this as all
|
||||
processes derived from a login will have inherited the session keyring created
|
||||
by pam_keyinit during the log in procedure.
|
||||
|
||||
To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
|
||||
|
||||
Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
[ 2.6.32 backport ]
|
||||
|
||||
diff a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1291,7 +1291,8 @@ long keyctl_session_to_parent(void)
|
||||
goto not_permitted;
|
||||
|
||||
/* the keyrings must have the same UID */
|
||||
- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
|
||||
+ if ((pcred->tgcred->session_keyring &&
|
||||
+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
|
||||
mycred->tgcred->session_keyring->uid != mycred->euid)
|
||||
goto not_permitted;
|
||||
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
|
||||
Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
|
||||
|
||||
KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
|
||||
|
||||
There's an protected access to the parent process's credentials in the middle
|
||||
of keyctl_session_to_parent(). This results in the following RCU warning:
|
||||
|
||||
===================================================
|
||||
[ INFO: suspicious rcu_dereference_check() usage. ]
|
||||
---------------------------------------------------
|
||||
security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
|
||||
|
||||
other info that might help us debug this:
|
||||
|
||||
rcu_scheduler_active = 1, debug_locks = 0
|
||||
1 lock held by keyctl-session-/2137:
|
||||
#0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
|
||||
|
||||
stack backtrace:
|
||||
Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
|
||||
Call Trace:
|
||||
[<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
|
||||
[<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
|
||||
[<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
|
||||
[<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
The code should take the RCU read lock to make sure the parents credentials
|
||||
don't go away, even though it's holding a spinlock and has IRQ disabled.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
|
||||
index b2b0998..3868c67 100644
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
|
||||
keyring_r = NULL;
|
||||
|
||||
me = current;
|
||||
+ rcu_read_lock();
|
||||
write_lock_irq(&tasklist_lock);
|
||||
|
||||
parent = me->real_parent;
|
||||
@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
|
||||
set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
|
||||
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
if (oldcred)
|
||||
put_cred(oldcred);
|
||||
return 0;
|
||||
@@ -1327,6 +1329,7 @@ already_same:
|
||||
ret = 0;
|
||||
not_permitted:
|
||||
write_unlock_irq(&tasklist_lock);
|
||||
+ rcu_read_unlock();
|
||||
put_cred(cred);
|
||||
return ret;
|
||||
|