tags 573490 + patch affects 573490 drbd8-source thanks On Thu, Mar 11, 2010 at 02:38:23PM -0700, dann frazier wrote: > On Thu, Mar 11, 2010 at 09:43:45PM +0100, Tomas Pospisek wrote: > > Package: linux-2.6 > > Version: 2.6.26-21lenny4 > > Severity: critical > > > > drbd fails to load and there goes my failover high available cluster... > > *t > > well, crap - we ignored that ABI change because google showed only an > old/deprecated module as an out-of-tree user, but we obviously missed > drbd. We'll work on an update to the drbd modules.
This patch builds for me, but I don't have a drbd setup. I'd appreciate it if someone could test it :)
diff -u drbd8-8.0.14/debian/changelog drbd8-8.0.14/debian/changelog
--- drbd8-8.0.14/debian/changelog
+++ drbd8-8.0.14/debian/changelog
@@ -1,3 +1,10 @@
+drbd8 (2:8.0.14-2+lenny1) UNRELEASED; urgency=high
+
+ * Update for connector API change in linux-2.6_2.6.26-21lenny4
+ * Restrict netlink calls to users with CAP_SYS_ADMIN (CVE Requested)
+
+ -- dann frazier <da...@debian.org> Thu, 11 Mar 2010 15:47:53 -0700
+
 drbd8 (2:8.0.14-2) unstable; urgency=low
 
 * Drop dpatch build-dependency.
only in patch2: unchanged:
--- drbd8-8.0.14.orig/user/drbdsetup.c
+++ drbd8-8.0.14/user/drbdsetup.c
@@ -408,6 +408,7 @@
 EM(ProtocolCRequired) = "Protocol C required",
 EM(VMallocFailed) = "vmalloc() failed. Out of memory?",
 EM(DataOfWrongCurrent) = "Can only attach to the data we lost last (see kernel log).",
+ EM(ERR_PERM) = "Permission denied. CAP_SYS_ADMIN necessary",
 };
 #define MAX_ERROR (sizeof(error_messages)/sizeof(*error_messages))
 const char * error_to_string(int err_no)
only in patch2: unchanged:
--- drbd8-8.0.14.orig/drbd/drbd_nl.c
+++ drbd8-8.0.14/drbd/drbd_nl.c
@@ -1764,9 +1764,14 @@
 };
+#ifdef KERNEL_HAS_CN_SKB_PARMS
+STATIC void drbd_connector_callback(struct cn_msg *req, struct netlink_skb_parms *nsp)
+{
+#else
 STATIC void drbd_connector_callback(void *data)
 {
 struct cn_msg *req = data;
+#endif
 struct drbd_nl_cfg_req *nlp = (struct drbd_nl_cfg_req *)req->data;
 struct cn_handler_struct *cm;
 struct cn_msg *cn_reply;
@@ -1782,13 +1787,20 @@
 return;
 }
 
+#ifdef KERNEL_HAS_CN_SKB_PARMS
+ if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) {
+ retcode = ERR_PERM;
+ goto fail;
+ }
+#endif
+
 mdev = ensure_mdev(nlp);
 if (!mdev) {
 retcode = MinorNotKnown;
 goto fail;
 }
 
- TRACE(TraceTypeNl, TraceLvlSummary, nl_trace_packet(data););
+ TRACE(TraceTypeNl, TraceLvlSummary, nl_trace_packet(req););
 
 if (nlp->packet_type >= P_nl_after_last_packet) {
 retcode = UnknownNetLinkPacket;
only in patch2: unchanged:
--- drbd8-8.0.14.orig/drbd/linux/drbd_config.h
+++ drbd8-8.0.14/drbd/linux/drbd_config.h
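Review bot: The CAP_SYS_ADMIN check added in the second drbd_nl.c hunk, just before `mdev = ensure_mdev(nlp);`, exists only under `#ifdef KERNEL_HAS_CN_SKB_PARMS`; in the `#else` branch of the preceding hunk (the `void *data` signature) the callback has no sender credentials and every netlink request is still accepted, so the restriction is silently absent on any tree where adjust_drbd_config_h.sh does not detect netlink_skb_parms. The `#else` branch should state that, e.g. `/* no netlink_skb_parms: sender capabilities are unknown, the netlink interface stays unrestricted */`, so such a build is recognisable as unprotected rather than merely older. Placing the check before ensure_mdev() is the right order, since an unprivileged sender learns nothing about which minors exist. The remainder of drbd_connector_callback, including the `fail:` label the new goto targets, lies outside both hunks; any further use of `data` there would not compile in the new branch, which the reported successful build suggests is not the case.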
@@ -85,4 +85,8 @@
 //#define NEED_SG_SET_BUF
 #define HAVE_LINUX_SCATTERLIST_H
+/* In 2.6.32 we finally fixed connector to pass netlink_skb_parms to the callback
+ */
+#define KERNEL_HAS_CN_SKB_PARMS
+
 #endif
only in patch2: unchanged:
--- drbd8-8.0.14.orig/drbd/linux/drbd.h
+++ drbd8-8.0.14/drbd/linux/drbd.h
@@ -140,6 +140,7 @@
 CSUMSResyncRunning, /* DRBD 8.2 only */
 VERIFYIsRunning, /* DRBD 8.2 only */
 DataOfWrongCurrent,
+ ERR_PERM,
 /* insert new ones above this line */
 AfterLastRetCode
only in patch2: unchanged:
--- drbd8-8.0.14.orig/scripts/adjust_drbd_config_h.sh
+++ drbd8-8.0.14/scripts/adjust_drbd_config_h.sh
@@ -104,6 +104,11 @@
 have_linux_scatterlist_h=0
 need_sg_set_buf=1
 fi
+ if grep_q "netlink_skb_parms" $KDIR/include/linux/connector.h ; then
+ have_netlink_skb_parms=1
+ else
+ have_netlink_skb_parms=0
+ fi
 else
 # not a 2.6. kernel. just leave it alone...
 exit 0
@@ -131,6 +136,8 @@
 { ( $need_sg_set_buf ? '' : '//' ) . \$1}e;
 s{.*(#define HAVE_LINUX_SCATTERLIST_H.*)}
 { ( $have_linux_scatterlist_h ? '' : '//' ) . \$1}e;
+ s{.*(#define KERNEL_HAS_CN_SKB_PARMS.*)}
+ { ( $have_netlink_skb_parms ? '' : '//' ) . \$1}e;
 " \
 < ./linux/drbd_config.h \
 > ./linux/drbd_config.h.new
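Review bot: The new probe `if grep_q "netlink_skb_parms" $KDIR/include/linux/connector.h ; then` in adjust_drbd_config_h.sh is the single switch that decides whether the CAP_SYS_ADMIN check in drbd_nl.c is compiled in at all, and a false negative does not fail the build: the old `void *` callback is still accepted by the connector with at most a pointer-type warning, leaving the netlink interface unrestricted without any visible sign. Matching the new callback prototype rather than the bare type name, and printing a line when `have_netlink_skb_parms=0` so the state shows up in the build log, would make that failure mode noticeable. `$KDIR` is unquoted in the new line; if the neighbouring probes (outside this hunk) quote it, this one should follow.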