[kernel] r17881 - dists/squeeze/linux-2.6/debian/patches/bugfix/all

Moritz Muehlenhoff jmm at alioth.debian.org
Wed Aug 3 16:31:46 UTC 2011


Author: jmm
Date: Wed Aug  3 16:31:45 2011
New Revision: 17881

Log:
actually commit the patches...

Added:
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/CVE-2011-2183.patch
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/CVE-2011-2213.patch

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/CVE-2011-2183.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/CVE-2011-2183.patch	Wed Aug  3 16:31:45 2011	(r17881)
@@ -0,0 +1,82 @@
+From: Hugh Dickins <hughd at google.com>
+Date: Wed, 15 Jun 2011 22:08:58 +0000 (-0700)
+Subject: ksm: fix NULL pointer dereference in scan_get_next_rmap_item()
+X-Git-Tag: v3.0-rc4~44
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=2b472611a32a72f4a118c069c2d62a1a3f087afd
+
+ksm: fix NULL pointer dereference in scan_get_next_rmap_item()
+
+Andrea Righi reported a case where an exiting task can race against
+ksmd::scan_get_next_rmap_item (http://lkml.org/lkml/2011/6/1/742) easily
+triggering a NULL pointer dereference in ksmd.
+
+ksm_scan.mm_slot == &ksm_mm_head with only one registered mm
+
+CPU 1 (__ksm_exit)		CPU 2 (scan_get_next_rmap_item)
+ 				list_empty() is false
+lock				slot == &ksm_mm_head
+list_del(slot->mm_list)
+(list now empty)
+unlock
+				lock
+				slot = list_entry(slot->mm_list.next)
+				(list is empty, so slot is still ksm_mm_head)
+				unlock
+				slot->mm == NULL ... Oops
+
+Close this race by revalidating that the new slot is not simply the list
+head again.
+
+Andrea's test case:
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/mman.h>
+
+#define BUFSIZE getpagesize()
+
+int main(int argc, char **argv)
+{
+	void *ptr;
+
+	if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0) {
+		perror("posix_memalign");
+		exit(1);
+	}
+	if (madvise(ptr, BUFSIZE, MADV_MERGEABLE) < 0) {
+		perror("madvise");
+		exit(1);
+	}
+	*(char *)NULL = 0;
+
+	return 0;
+}
+
+Reported-by: Andrea Righi <andrea at betterlinux.com>
+Tested-by: Andrea Righi <andrea at betterlinux.com>
+Cc: Andrea Arcangeli <aarcange at redhat.com>
+Signed-off-by: Hugh Dickins <hughd at google.com>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/mm/ksm.c b/mm/ksm.c
+index d708b3e..9a68b0c 100644
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -1302,6 +1302,12 @@ static struct rmap_item *scan_get_next_rmap_item(struct page **page)
+ 		slot = list_entry(slot->mm_list.next, struct mm_slot, mm_list);
+ 		ksm_scan.mm_slot = slot;
+ 		spin_unlock(&ksm_mmlist_lock);
++		/*
++		 * Although we tested list_empty() above, a racing __ksm_exit
++		 * of the last mm on the list may have removed it since then.
++		 */
++		if (slot == &ksm_mm_head)
++			return NULL;
+ next_mm:
+ 		ksm_scan.address = 0;
+ 		ksm_scan.rmap_list = &slot->rmap_list;
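Review bot: The reproducer quoted in the patch description checks `posix_memalign()` for a negative return, but that function returns 0 on success and a positive error number on failure, so `if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0)` never fires and a failed allocation falls through to madvise() on the still-uninitialized `ptr`; `!= 0` is the correct test. This only affects the example program in the commit message, not the kernel change being backported. The kernel hunk's new `slot == &ksm_mm_head` check compares a value read under ksm_mmlist_lock against a fixed address, so evaluating it after spin_unlock() looks correct; scan_get_next_rmap_item() itself begins and ends outside the hunk.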

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/CVE-2011-2213.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/CVE-2011-2213.patch	Wed Aug  3 16:31:45 2011	(r17881)
@@ -0,0 +1,72 @@
+From: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Fri, 17 Jun 2011 20:25:39 +0000 (-0400)
+Subject: inet_diag: fix inet_diag_bc_audit()
+X-Git-Tag: v3.0-rc4~5^2~8
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=eeb1497277d6b1a0a34ed36b97e18f2bd7d6de0d
+
+inet_diag: fix inet_diag_bc_audit()
+
+A malicious user or buggy application can inject code and trigger an
+infinite loop in inet_diag_bc_audit()
+
+Also make sure each instruction is aligned on 4 bytes boundary, to avoid
+unaligned accesses.
+
+Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index 6ffe94c..3267d38 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -437,7 +437,7 @@ static int valid_cc(const void *bc, int len, int cc)
+ 			return 0;
+ 		if (cc == len)
+ 			return 1;
+-		if (op->yes < 4)
++		if (op->yes < 4 || op->yes & 3)
+ 			return 0;
+ 		len -= op->yes;
+ 		bc  += op->yes;
+@@ -447,11 +447,11 @@ static int valid_cc(const void *bc, int len, int cc)
+ 
+ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
+ {
+-	const unsigned char *bc = bytecode;
++	const void *bc = bytecode;
+ 	int  len = bytecode_len;
+ 
+ 	while (len > 0) {
+-		struct inet_diag_bc_op *op = (struct inet_diag_bc_op *)bc;
++		const struct inet_diag_bc_op *op = bc;
+ 
+ //printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
+ 		switch (op->code) {
+@@ -462,22 +462,20 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
+ 		case INET_DIAG_BC_S_LE:
+ 		case INET_DIAG_BC_D_GE:
+ 		case INET_DIAG_BC_D_LE:
+-			if (op->yes < 4 || op->yes > len + 4)
+-				return -EINVAL;
+ 		case INET_DIAG_BC_JMP:
+-			if (op->no < 4 || op->no > len + 4)
++			if (op->no < 4 || op->no > len + 4 || op->no & 3)
+ 				return -EINVAL;
+ 			if (op->no < len &&
+ 			    !valid_cc(bytecode, bytecode_len, len - op->no))
+ 				return -EINVAL;
+ 			break;
+ 		case INET_DIAG_BC_NOP:
+-			if (op->yes < 4 || op->yes > len + 4)
+-				return -EINVAL;
+ 			break;
+ 		default:
+ 			return -EINVAL;
+ 		}
++		if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
++			return -EINVAL;
+ 		bc  += op->yes;
+ 		len -= op->yes;
+ 	}
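Review bot: The loop still dereferences the 4-byte `op` header whenever `len > 0`, so a bytecode_len that is not a multiple of 4 (say 5) passes the first op with `yes == 4`, leaves `len == 1`, and the next iteration reads `op->code`, `op->yes` and `op->no` up to 3 bytes past the attribute before the new alignment checks can reject anything. A guard at the top of the loop, `if (len < (int)sizeof(*op)) return -EINVAL;`, or rejecting a `bytecode_len & 3` up front, would close that over-read; netlink pads attributes to 4 bytes so it is probably confined to the padding, but the audit should not depend on that. The same header read applies in the first hunk's valid_cc(), whose loop start lies outside the hunk. inet_diag_bc_audit()'s final return is also outside this hunk, so whether a last jump that overshoots the end (`yes == len + 4` is still accepted) is rejected there cannot be confirmed from this view.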


