Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=b4b23d780dcb9d8fbef5249dcd33370b54a0e902

commit b4b23d780dcb9d8fbef5249dcd33370b54a0e902
Author: Miklos Vajna <vmik...@frugalware.org>
Date:   Wed Dec 8 17:38:10 2010 +0100

kernel-2.6.36-3-i686

- fix bug #4384

diff --git a/source/base/kernel/FrugalBuild b/source/base/kernel/FrugalBuild
index b2b7095..1183cc0 100644
--- a/source/base/kernel/FrugalBuild
+++ b/source/base/kernel/FrugalBuild
@@ -3,7 +3,11 @@

USE_DEVEL=${USE_DEVEL:-"n"}

-if Fuse $USE_DEVEL; then
+if ! Fuse $USE_DEVEL; then
+       
_F_kernel_patches=(econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
 \
+       econet-fix-cve-2010-3848.patch \
+       econet-fix-cve-2010-3850.patch)
+else
# example for a tagged rc release: 2.6.32.rc5
# example for a random snapshot (based on git describe output): 
2.6.32.rc5.81.g964fe08
pkgver=2.6.32.rc5
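Review bot: The three econet patches are added only under the new `if ! Fuse $USE_DEVEL; then` branch, so a build with USE_DEVEL=y gets none of the CVE-2010-3848/3849/3850 backports, and nothing in the hunk records why that is acceptable; the `else` branch that follows starts the devel configuration and runs past the end of the hunk, so I cannot tell from here whether it pins a kernel that already carries the upstream fixes. If that is the intent, a comment above the array would keep the next bump from quietly dropping them, e.g. `# bug #4384: econet CVE-2010-3848/-3849/-3850 backports from -stable; not applied to USE_DEVEL builds, which are expected to track an upstream that already contains them`. If it is not the intent, the assignment belongs outside the conditional. The title announces the 2.6.36-3 release, but no pkgrel change is visible in this hunk, so please confirm it is in a part of the file outside the diff.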
diff --git 
a/source/base/kernel/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
 
b/source/base/kernel/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
new file mode 100644
index 0000000..0382d9c
--- /dev/null
+++ 
b/source/base/kernel/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
@@ -0,0 +1,62 @@
+From fa0e846494792e722d817b9d3d625a4ef4896c96 Mon Sep 17 00:00:00 2001
+From: Phil Blundell <ph...@gnu.org>
+Date: Wed, 24 Nov 2010 11:49:19 -0800
+Subject: econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
+
+From: Phil Blundell <ph...@gnu.org>
+
+commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.
+
+Later parts of econet_sendmsg() rely on saddr != NULL, so return early
+with EINVAL if NULL was passed otherwise an oops may occur.
+
+Signed-off-by: Phil Blundell <ph...@gnu.org>
+Signed-off-by: David S. Miller <da...@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
+
+---
+ net/econet/af_econet.c |   26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -297,23 +297,14 @@ static int econet_sendmsg(struct kiocb *
+
+       mutex_lock(&econet_mutex);
+
+-      if (saddr == NULL) {
+-              struct econet_sock *eo = ec_sk(sk);
+-
+-              addr.station = eo->station;
+-              addr.net     = eo->net;
+-              port         = eo->port;
+-              cb           = eo->cb;
+-      } else {
+-              if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
+-                      mutex_unlock(&econet_mutex);
+-                      return -EINVAL;
+-              }
+-              addr.station = saddr->addr.station;
+-              addr.net = saddr->addr.net;
+-              port = saddr->port;
+-              cb = saddr->cb;
+-      }
++        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
++                mutex_unlock(&econet_mutex);
++                return -EINVAL;
++        }
++        addr.station = saddr->addr.station;
++        addr.net = saddr->addr.net;
++        port = saddr->port;
++        cb = saddr->cb;
+
+       /* Look for a device with the right network number. */
+       dev = net2dev_map[addr.net];
+@@ -351,7 +342,6 @@ static int econet_sendmsg(struct kiocb *
+
+               eb = (struct ec_cb *)&skb->cb;
+
+-              /* BUG: saddr may be NULL */
+               eb->cookie = saddr->cookie;
+               eb->sec = *saddr;
+               eb->sent = ec_tx_done;
diff --git a/source/base/kernel/econet-fix-cve-2010-3848.patch 
b/source/base/kernel/econet-fix-cve-2010-3848.patch
new file mode 100644
index 0000000..5af7858
--- /dev/null
+++ b/source/base/kernel/econet-fix-cve-2010-3848.patch
@@ -0,0 +1,154 @@
+From a27e13d370415add3487949c60810e36069a23a6 Mon Sep 17 00:00:00 2001
+From: Phil Blundell <ph...@gnu.org>
+Date: Wed, 24 Nov 2010 11:51:47 -0800
+Subject: econet: fix CVE-2010-3848
+
+From: Phil Blundell <ph...@gnu.org>
+
+commit a27e13d370415add3487949c60810e36069a23a6 upstream.
+
+Don't declare variable sized array of iovecs on the stack since this
+could cause stack overflow if msg->msgiovlen is large.  Instead, coalesce
+the user-supplied data into a new buffer and use a single iovec for it.
+
+Signed-off-by: Phil Blundell <ph...@gnu.org>
+Signed-off-by: David S. Miller <da...@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
+
+---
+ net/econet/af_econet.c |   62 
++++++++++++++++++++++++-------------------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -31,6 +31,7 @@
+ #include <linux/skbuff.h>
+ #include <linux/udp.h>
+ #include <linux/slab.h>
++#include <linux/vmalloc.h>
+ #include <net/sock.h>
+ #include <net/inet_common.h>
+ #include <linux/stat.h>
+@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *
+ #endif
+ #ifdef CONFIG_ECONET_AUNUDP
+       struct msghdr udpmsg;
+-      struct iovec iov[msg->msg_iovlen+1];
++      struct iovec iov[2];
+       struct aunhdr ah;
+       struct sockaddr_in udpdest;
+       __kernel_size_t size;
+-      int i;
+       mm_segment_t oldfs;
++      char *userbuf;
+ #endif
+
+       /*
+@@ -319,17 +320,17 @@ static int econet_sendmsg(struct kiocb *
+               }
+       }
+
+-      if (len + 15 > dev->mtu) {
+-              mutex_unlock(&econet_mutex);
+-              return -EMSGSIZE;
+-      }
+-
+       if (dev->type == ARPHRD_ECONET) {
+               /* Real hardware Econet.  We're not worthy etc. */
+ #ifdef CONFIG_ECONET_NATIVE
+               unsigned short proto = 0;
+               int res;
+
++              if (len + 15 > dev->mtu) {
++                      mutex_unlock(&econet_mutex);
++                      return -EMSGSIZE;
++              }
++
+               dev_hold(dev);
+
+               skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
+@@ -405,6 +406,11 @@ static int econet_sendmsg(struct kiocb *
+               return -ENETDOWN;               /* No socket - can't send */
+       }
+
++      if (len > 32768) {
++              err = -E2BIG;
++              goto error;
++      }
++
+       /* Make up a UDP datagram and hand it off to some higher intellect. */
+
+       memset(&udpdest, 0, sizeof(udpdest));
+@@ -436,36 +442,26 @@ static int econet_sendmsg(struct kiocb *
+
+       /* tack our header on the front of the iovec */
+       size = sizeof(struct aunhdr);
+-      /*
+-       * XXX: that is b0rken.  We can't mix userland and kernel pointers
+-       * in iovec, since on a lot of platforms copy_from_user() will
+-       * *not* work with the kernel and userland ones at the same time,
+-       * regardless of what we do with set_fs().  And we are talking about
+-       * econet-over-ethernet here, so "it's only ARM anyway" doesn't
+-       * apply.  Any suggestions on fixing that code?         -- AV
+-       */
+       iov[0].iov_base = (void *)&ah;
+       iov[0].iov_len = size;
+-      for (i = 0; i < msg->msg_iovlen; i++) {
+-              void __user *base = msg->msg_iov[i].iov_base;
+-              size_t iov_len = msg->msg_iov[i].iov_len;
+-              /* Check it now since we switch to KERNEL_DS later. */
+-              if (!access_ok(VERIFY_READ, base, iov_len)) {
+-                      mutex_unlock(&econet_mutex);
+-                      return -EFAULT;
+-              }
+-              iov[i+1].iov_base = base;
+-              iov[i+1].iov_len = iov_len;
+-              size += iov_len;
++
++      userbuf = vmalloc(len);
++      if (userbuf == NULL) {
++              err = -ENOMEM;
++              goto error;
+       }
+
++      iov[1].iov_base = userbuf;
++      iov[1].iov_len = len;
++      err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
++      if (err)
++              goto error_free_buf;
++
+       /* Get a skbuff (no data, just holds our cb information) */
+       if ((skb = sock_alloc_send_skb(sk, 0,
+                                      msg->msg_flags & MSG_DONTWAIT,
+-                                     &err)) == NULL) {
+-              mutex_unlock(&econet_mutex);
+-              return err;
+-      }
++                                     &err)) == NULL)
++              goto error_free_buf;
+
+       eb = (struct ec_cb *)&skb->cb;
+
+@@ -481,7 +477,7 @@ static int econet_sendmsg(struct kiocb *
+       udpmsg.msg_name = (void *)&udpdest;
+       udpmsg.msg_namelen = sizeof(udpdest);
+       udpmsg.msg_iov = &iov[0];
+-      udpmsg.msg_iovlen = msg->msg_iovlen + 1;
++      udpmsg.msg_iovlen = 2;
+       udpmsg.msg_control = NULL;
+       udpmsg.msg_controllen = 0;
+       udpmsg.msg_flags=0;
+@@ -489,9 +485,13 @@ static int econet_sendmsg(struct kiocb *
+       oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
+       err = sock_sendmsg(udpsock, &udpmsg, size);
+       set_fs(oldfs);
++
++error_free_buf:
++      vfree(userbuf);
+ #else
+       err = -EPROTOTYPE;
+ #endif
++      error:
+       mutex_unlock(&econet_mutex);
+
+       return err;
diff --git a/source/base/kernel/econet-fix-cve-2010-3850.patch 
b/source/base/kernel/econet-fix-cve-2010-3850.patch
new file mode 100644
index 0000000..08d9904
--- /dev/null
+++ b/source/base/kernel/econet-fix-cve-2010-3850.patch
@@ -0,0 +1,31 @@
+From 16c41745c7b92a243d0874f534c1655196c64b74 Mon Sep 17 00:00:00 2001
+From: Phil Blundell <ph...@gnu.org>
+Date: Wed, 24 Nov 2010 11:49:53 -0800
+Subject: econet: fix CVE-2010-3850
+
+From: Phil Blundell <ph...@gnu.org>
+
+commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream.
+
+Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
+
+Signed-off-by: Phil Blundell <ph...@gnu.org>
+Signed-off-by: David S. Miller <da...@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
+
+---
+ net/econet/af_econet.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -661,6 +661,9 @@ static int ec_dev_ioctl(struct socket *s
+       err = 0;
+       switch (cmd) {
+       case SIOCSIFADDR:
++              if (!capable(CAP_NET_ADMIN))
++                      return -EPERM;
++
+               edev = dev->ec_ptr;
+               if (edev == NULL) {
+                       /* Magic up a new one. */