[kernel/f14] Fix CVE-2011-2723 and CVE-2011-2928
Josh Boyer
jwboyer at fedoraproject.org
Thu Sep 15 13:57:42 UTC 2011
commit bc96a9d65d2211b72bb6c94948aab804553fb1c3
Author: Josh Boyer <jwboyer at redhat.com>
Date: Thu Sep 15 09:57:03 2011 -0400
Fix CVE-2011-2723 and CVE-2011-2928
befs-Validate-length-of-long-symbolic-links.patch | 50 +++++++++++++++++++++
gro-Only-reset-frag0-when-skb-can-be-pulled.patch | 39 ++++++++++++++++
kernel.spec | 16 +++++++
3 files changed, 105 insertions(+), 0 deletions(-)
---
diff --git a/befs-Validate-length-of-long-symbolic-links.patch b/befs-Validate-length-of-long-symbolic-links.patch
new file mode 100644
index 0000000..f53dfbf
--- /dev/null
+++ b/befs-Validate-length-of-long-symbolic-links.patch
@@ -0,0 +1,50 @@
+From 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns at pre-sense.de>
+Date: Wed, 17 Aug 2011 17:59:56 +0200
+Subject: [PATCH] befs: Validate length of long symbolic links.
+
+Signed-off-by: Timo Warns <warns at pre-sense.de>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/befs/linuxvfs.c | 23 ++++++++++++++---------
+ 1 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
+index 54b8c28..720d885 100644
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
+ befs_data_stream *data = &befs_ino->i_data.ds;
+ befs_off_t len = data->size;
+
+- befs_debug(sb, "Follow long symlink");
+-
+- link = kmalloc(len, GFP_NOFS);
+- if (!link) {
+- link = ERR_PTR(-ENOMEM);
+- } else if (befs_read_lsymlink(sb, data, link, len) != len) {
+- kfree(link);
+- befs_error(sb, "Failed to read entire long symlink");
++ if (len == 0) {
++ befs_error(sb, "Long symlink with illegal length");
+ link = ERR_PTR(-EIO);
+ } else {
+- link[len - 1] = '\0';
++ befs_debug(sb, "Follow long symlink");
++
++ link = kmalloc(len, GFP_NOFS);
++ if (!link) {
++ link = ERR_PTR(-ENOMEM);
++ } else if (befs_read_lsymlink(sb, data, link, len) != len) {
++ kfree(link);
++ befs_error(sb, "Failed to read entire long symlink");
++ link = ERR_PTR(-EIO);
++ } else {
++ link[len - 1] = '\0';
++ }
+ }
+ } else {
+ link = befs_ino->i_data.symlink;
+--
+1.7.6
+
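Review bot: The new guard only rejects `len == 0`; `len` still comes straight from on-disk metadata (`befs_off_t len = data->size;`) with no upper bound, so an oversized value reaches `kmalloc(len, GFP_NOFS)` where it is narrowed to `size_t` (truncated on 32-bit builds) and, if the allocation succeeds, `befs_read_lsymlink` is asked for that many bytes. Since a symlink target longer than the path limit is unusable anyway, an upper bound alongside the zero check would be worth considering, e.g. `if (len == 0 || len > PATH_MAX) {` assuming `PATH_MAX` is in scope in this file. The restructured block also deserves a one-line comment stating why the check matters, such as `/* len is untrusted on-disk data: 0 would make link[len - 1] underflow */`. The enclosing `befs_follow_link` starts before and ends after the hunk.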
diff --git a/gro-Only-reset-frag0-when-skb-can-be-pulled.patch b/gro-Only-reset-frag0-when-skb-can-be-pulled.patch
new file mode 100644
index 0000000..385fd86
--- /dev/null
+++ b/gro-Only-reset-frag0-when-skb-can-be-pulled.patch
@@ -0,0 +1,39 @@
+From 17dd759c67f21e34f2156abcf415e1f60605a188 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert at gondor.apana.org.au>
+Date: Wed, 27 Jul 2011 06:16:28 -0700
+Subject: [PATCH] gro: Only reset frag0 when skb can be pulled
+
+Currently skb_gro_header_slow unconditionally resets frag0 and
+frag0_len. However, when we can't pull on the skb this leaves
+the GRO fields in an inconsistent state.
+
+This patch fixes this by only resetting those fields after the
+pskb_may_pull test.
+
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/linux/netdevice.h | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 1d92acc..661a077 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1649,9 +1649,12 @@ static inline int skb_gro_header_hard(struct sk_buff *skb, unsigned int hlen)
+ static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
+ unsigned int offset)
+ {
++ if (!pskb_may_pull(skb, hlen))
++ return NULL;
++
+ NAPI_GRO_CB(skb)->frag0 = NULL;
+ NAPI_GRO_CB(skb)->frag0_len = 0;
+- return pskb_may_pull(skb, hlen) ? skb->data + offset : NULL;
++ return skb->data + offset;
+ }
+
+ static inline void *skb_gro_mac_header(struct sk_buff *skb)
+--
+1.7.6
+
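Review bot: The ordering constraint that this backport introduces is recorded only in the commit message, not in the code, so a later refactor could reintroduce the bug by "tidying" the early return back into the ternary. A comment above `NAPI_GRO_CB(skb)->frag0 = NULL;` such as `/* Only clear the frag0 fast-path fields after a successful pull; clearing them when the pull fails leaves the GRO state inconsistent. */` would pin the intent. Because `skb_gro_header_slow` is a `static inline` in a header, every GRO caller picks up the change, which is presumably why the whole function fits in this hunk.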
diff --git a/kernel.spec b/kernel.spec
index cc12bce..eadc187 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -864,6 +864,12 @@ Patch14050: x86-PCI-don-t-use-native-Broadcom-CNB20LE-driver-whe.patch
# RHBZ #648571
Patch14051: modules-Fix-module_bug_list-list-corruption-race.patch
+# CVE-2011-2723
+Patch14052: gro-Only-reset-frag0-when-skb-can-be-pulled.patch
+
+# CVE-2011-2928
+Patch14053: befs-Validate-length-of-long-symbolic-links.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1627,6 +1633,12 @@ ApplyPatch x86-PCI-don-t-use-native-Broadcom-CNB20LE-driver-whe.patch
# RHBZ #648571
ApplyPatch modules-Fix-module_bug_list-list-corruption-race.patch
+# CVE-2011-2723
+ApplyPatch gro-Only-reset-frag0-when-skb-can-be-pulled.patch
+
+# CVE-2011-2928
+ApplyPatch befs-Validate-length-of-long-symbolic-links.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2213,6 +2225,10 @@ fi
# and build.
%changelog
+* Thu Sep 15 2011 Josh Boyer <jwboyer at redhat.com>
+- CVE-2011-2723: gro: Only reset frag0 when skb can be pulled
+- CVE-2011-2928: befs: Validate length of long symbolic links
+
* Mon Sep 12 2011 Josh Boyer <jwboyer at redhat.com>
- Backport 5336377d to fix RHBZ #648571