From 5e8c7c54a9b297dae0081dd19a7bb94e23040a3d Mon Sep 17 00:00:00 2001 From: Joshua Lock Date: Tue, 18 May 2010 14:51:13 +0100 Subject: linux-moblin: add 2.6.33.2 kernel from MeeGo 1.0 Signed-off-by: Joshua Lock --- ...-on-send-prior-to-entering-networked-mode.patch | 218 +++++++++++++++++++++ 1 file changed, 218 insertions(+) create mode 100644 meta-moblin/packages/linux/linux-moblin-2.6.33.2/linux-2.6.34-CVE-tipc-Fix-oops-on-send-prior-to-entering-networked-mode.patch (limited to 'meta-moblin/packages/linux/linux-moblin-2.6.33.2/linux-2.6.34-CVE-tipc-Fix-oops-on-send-prior-to-entering-networked-mode.patch') diff --git a/meta-moblin/packages/linux/linux-moblin-2.6.33.2/linux-2.6.34-CVE-tipc-Fix-oops-on-send-prior-to-entering-networked-mode.patch b/meta-moblin/packages/linux/linux-moblin-2.6.33.2/linux-2.6.34-CVE-tipc-Fix-oops-on-send-prior-to-entering-networked-mode.patch new file mode 100644 index 000000000..06bed6fe4 --- /dev/null +++ b/meta-moblin/packages/linux/linux-moblin-2.6.33.2/linux-2.6.34-CVE-tipc-Fix-oops-on-send-prior-to-entering-networked-mode.patch @@ -0,0 +1,218 @@ +From d0021b252eaf65ca07ed14f0d66425dd9ccab9a6 Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Wed, 3 Mar 2010 08:31:23 +0000 +Subject: [PATCH] tipc: Fix oops on send prior to entering networked mode (v3) +Patch-mainline: 2.6.34 + +Fix TIPC to disallow sending to remote addresses prior to entering NET_MODE + +user programs can oops the kernel by sending datagrams via AF_TIPC prior to +entering networked mode. The following backtrace has been observed: + +ID: 13459 TASK: ffff810014640040 CPU: 0 COMMAND: "tipc-client" +[exception RIP: tipc_node_select_next_hop+90] +RIP: ffffffff8869d3c3 RSP: ffff81002d9a5ab8 RFLAGS: 00010202 +RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000001001001 +RBP: 0000000001001001 R8: 0074736575716552 R9: 0000000000000000 +R10: ffff81003fbd0680 R11: 00000000000000c8 R12: 0000000000000008 +R13: 0000000000000001 R14: 0000000000000001 R15: ffff810015c6ca00 +ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 +RIP: 0000003cbd8d49a3 RSP: 00007fffc84e0be8 RFLAGS: 00010206 +RAX: 000000000000002c RBX: ffffffff8005d116 RCX: 0000000000000000 +RDX: 0000000000000008 RSI: 00007fffc84e0c00 RDI: 0000000000000003 +RBP: 0000000000000000 R8: 00007fffc84e0c10 R9: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fffc84e0d10 R14: 0000000000000000 R15: 00007fffc84e0c30 +ORIG_RAX: 000000000000002c CS: 0033 SS: 002b + +What happens is that, when the tipc module in inserted it enters a standalone +node mode in which communication to its own address is allowed <0.0.0> but not +to other addresses, since the appropriate data structures have not been +allocated yet (specifically the tipc_net pointer). There is nothing stopping a +client from trying to send such a message however, and if that happens, we +attempt to dereference tipc_net.zones while the pointer is still NULL, and +explode. The fix is pretty straightforward. Since these oopses all arise from +the dereference of global pointers prior to their assignment to allocated +values, and since these allocations are small (about 2k total), lets convert +these pointers to static arrays of the appropriate size. All the accesses to +these bits consider 0/NULL to be a non match when searching, so all the lookups +still work properly, and there is no longer a chance of a bad dererence +anywhere. As a bonus, this lets us eliminate the setup/teardown routines for +those pointers, and elimnates the need to preform any locking around them to +prevent access while their being allocated/freed. + +I've updated the tipc_net structure to behave this way to fix the exact reported +problem, and also fixed up the tipc_bearers and media_list arrays to fix an +obvious simmilar problem that arises from issuing tipc-config commands to +manipulate bearers/links prior to entering networked mode + +I've tested this for a few hours by running the sanity tests and stress test +with the tipcutils suite, and nothing has fallen over. There have been a few +lockdep warnings, but those were there before, and can be addressed later, as +they didn't actually result in any deadlock. + +Signed-off-by: Neil Horman +CC: Allan Stephens +CC: David S. Miller +CC: tipc-discussion@lists.sourceforge.net + + bearer.c | 37 ++++++------------------------------- + bearer.h | 2 +- + net.c | 25 ++++--------------------- + 3 files changed, 11 insertions(+), 53 deletions(-) +Signed-off-by: David S. Miller +Acked-by: Yong Wang +--- + net/tipc/bearer.c | 37 ++++++------------------------------- + net/tipc/bearer.h | 2 +- + net/tipc/net.c | 25 ++++--------------------- + 3 files changed, 11 insertions(+), 53 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 327011f..7809137 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -45,10 +45,10 @@ + + #define MAX_ADDR_STR 32 + +-static struct media *media_list = NULL; ++static struct media media_list[MAX_MEDIA]; + static u32 media_count = 0; + +-struct bearer *tipc_bearers = NULL; ++struct bearer tipc_bearers[MAX_BEARERS]; + + /** + * media_name_valid - validate media name +@@ -108,9 +108,11 @@ int tipc_register_media(u32 media_type, + int res = -EINVAL; + + write_lock_bh(&tipc_net_lock); +- if (!media_list) +- goto exit; + ++ if (tipc_mode != TIPC_NET_MODE) { ++ warn("Media <%s> rejected, not in networked mode yet\n", name); ++ goto exit; ++ } + if (!media_name_valid(name)) { + warn("Media <%s> rejected, illegal name\n", name); + goto exit; +@@ -660,33 +662,10 @@ int tipc_disable_bearer(const char *name) + + + +-int tipc_bearer_init(void) +-{ +- int res; +- +- write_lock_bh(&tipc_net_lock); +- tipc_bearers = kcalloc(MAX_BEARERS, sizeof(struct bearer), GFP_ATOMIC); +- media_list = kcalloc(MAX_MEDIA, sizeof(struct media), GFP_ATOMIC); +- if (tipc_bearers && media_list) { +- res = 0; +- } else { +- kfree(tipc_bearers); +- kfree(media_list); +- tipc_bearers = NULL; +- media_list = NULL; +- res = -ENOMEM; +- } +- write_unlock_bh(&tipc_net_lock); +- return res; +-} +- + void tipc_bearer_stop(void) + { + u32 i; + +- if (!tipc_bearers) +- return; +- + for (i = 0; i < MAX_BEARERS; i++) { + if (tipc_bearers[i].active) + tipc_bearers[i].publ.blocked = 1; +@@ -695,10 +674,6 @@ void tipc_bearer_stop(void) + if (tipc_bearers[i].active) + bearer_disable(tipc_bearers[i].publ.name); + } +- kfree(tipc_bearers); +- kfree(media_list); +- tipc_bearers = NULL; +- media_list = NULL; + media_count = 0; + } + +diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h +index ca57348..000228e 100644 +--- a/net/tipc/bearer.h ++++ b/net/tipc/bearer.h +@@ -114,7 +114,7 @@ struct bearer_name { + + struct link; + +-extern struct bearer *tipc_bearers; ++extern struct bearer tipc_bearers[]; + + void tipc_media_addr_printf(struct print_buf *pb, struct tipc_media_addr *a); + struct sk_buff *tipc_media_get_names(void); +diff --git a/net/tipc/net.c b/net/tipc/net.c +index 7906608..f25b1cd 100644 +--- a/net/tipc/net.c ++++ b/net/tipc/net.c +@@ -116,7 +116,8 @@ + */ + + DEFINE_RWLOCK(tipc_net_lock); +-struct network tipc_net = { NULL }; ++struct _zone *tipc_zones[256] = { NULL, }; ++struct network tipc_net = { tipc_zones }; + + struct tipc_node *tipc_net_select_remote_node(u32 addr, u32 ref) + { +@@ -158,28 +159,12 @@ void tipc_net_send_external_routes(u32 dest) + } + } + +-static int net_init(void) +-{ +- memset(&tipc_net, 0, sizeof(tipc_net)); +- tipc_net.zones = kcalloc(tipc_max_zones + 1, sizeof(struct _zone *), GFP_ATOMIC); +- if (!tipc_net.zones) { +- return -ENOMEM; +- } +- return 0; +-} +- + static void net_stop(void) + { + u32 z_num; + +- if (!tipc_net.zones) +- return; +- +- for (z_num = 1; z_num <= tipc_max_zones; z_num++) { ++ for (z_num = 1; z_num <= tipc_max_zones; z_num++) + tipc_zone_delete(tipc_net.zones[z_num]); +- } +- kfree(tipc_net.zones); +- tipc_net.zones = NULL; + } + + static void net_route_named_msg(struct sk_buff *buf) +@@ -282,9 +267,7 @@ int tipc_net_start(u32 addr) + tipc_named_reinit(); + tipc_port_reinit(); + +- if ((res = tipc_bearer_init()) || +- (res = net_init()) || +- (res = tipc_cltr_init()) || ++ if ((res = tipc_cltr_init()) || + (res = tipc_bclink_init())) { + return res; + } +-- +1.5.5.1 + -- cgit v1.2.3