[kernel/f14] Fix CVE-2011-2723 and CVE-2011-2928

Josh Boyer jwboyer at fedoraproject.org
Thu Sep 15 13:57:42 UTC 2011


commit bc96a9d65d2211b72bb6c94948aab804553fb1c3
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Thu Sep 15 09:57:03 2011 -0400

    Fix CVE-2011-2723 and CVE-2011-2928

 befs-Validate-length-of-long-symbolic-links.patch |   50 +++++++++++++++++++++
 gro-Only-reset-frag0-when-skb-can-be-pulled.patch |   39 ++++++++++++++++
 kernel.spec                                       |   16 +++++++
 3 files changed, 105 insertions(+), 0 deletions(-)
---
diff --git a/befs-Validate-length-of-long-symbolic-links.patch b/befs-Validate-length-of-long-symbolic-links.patch
new file mode 100644
index 0000000..f53dfbf
--- /dev/null
+++ b/befs-Validate-length-of-long-symbolic-links.patch
@@ -0,0 +1,50 @@
+From 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns at pre-sense.de>
+Date: Wed, 17 Aug 2011 17:59:56 +0200
+Subject: [PATCH] befs: Validate length of long symbolic links.
+
+Signed-off-by: Timo Warns <warns at pre-sense.de>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/befs/linuxvfs.c |   23 ++++++++++++++---------
+ 1 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
+index 54b8c28..720d885 100644
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
+ 		befs_data_stream *data = &befs_ino->i_data.ds;
+ 		befs_off_t len = data->size;
+ 
+-		befs_debug(sb, "Follow long symlink");
+-
+-		link = kmalloc(len, GFP_NOFS);
+-		if (!link) {
+-			link = ERR_PTR(-ENOMEM);
+-		} else if (befs_read_lsymlink(sb, data, link, len) != len) {
+-			kfree(link);
+-			befs_error(sb, "Failed to read entire long symlink");
++		if (len == 0) {
++			befs_error(sb, "Long symlink with illegal length");
+ 			link = ERR_PTR(-EIO);
+ 		} else {
+-			link[len - 1] = '\0';
++			befs_debug(sb, "Follow long symlink");
++
++			link = kmalloc(len, GFP_NOFS);
++			if (!link) {
++				link = ERR_PTR(-ENOMEM);
++			} else if (befs_read_lsymlink(sb, data, link, len) != len) {
++				kfree(link);
++				befs_error(sb, "Failed to read entire long symlink");
++				link = ERR_PTR(-EIO);
++			} else {
++				link[len - 1] = '\0';
++			}
+ 		}
+ 	} else {
+ 		link = befs_ino->i_data.symlink;
+-- 
+1.7.6
+
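Review bot: The new `len == 0` guard in befs_follow_link rejects only the zero-length case; `len` is still an unbounded on-disk value (`befs_off_t`, taken from `data->size`) passed straight to `kmalloc(len, GFP_NOFS)` and to `befs_read_lsymlink()`. An upper bound would be prudent, e.g. `if (len == 0 || len > PATH_MAX) {` with the error text widened to "Long symlink with illegal length", so a corrupted image cannot trigger an oversized allocation attempt. If `befs_off_t` is wider than `size_t` on some targets, the allocation size would be truncated while the read length is not; that is inferred from the types visible here and should be confirmed against `befs_read_lsymlink()`'s signature, which is outside this hunk. The enclosing befs_follow_link() starts and ends outside the hunk.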
diff --git a/gro-Only-reset-frag0-when-skb-can-be-pulled.patch b/gro-Only-reset-frag0-when-skb-can-be-pulled.patch
new file mode 100644
index 0000000..385fd86
--- /dev/null
+++ b/gro-Only-reset-frag0-when-skb-can-be-pulled.patch
@@ -0,0 +1,39 @@
+From 17dd759c67f21e34f2156abcf415e1f60605a188 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert at gondor.apana.org.au>
+Date: Wed, 27 Jul 2011 06:16:28 -0700
+Subject: [PATCH] gro: Only reset frag0 when skb can be pulled
+
+Currently skb_gro_header_slow unconditionally resets frag0 and
+frag0_len.  However, when we can't pull on the skb this leaves
+the GRO fields in an inconsistent state.
+
+This patch fixes this by only resetting those fields after the
+pskb_may_pull test.
+
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/linux/netdevice.h |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 1d92acc..661a077 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1649,9 +1649,12 @@ static inline int skb_gro_header_hard(struct sk_buff *skb, unsigned int hlen)
+ static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
+ 					unsigned int offset)
+ {
++	if (!pskb_may_pull(skb, hlen))
++		return NULL;
++
+ 	NAPI_GRO_CB(skb)->frag0 = NULL;
+ 	NAPI_GRO_CB(skb)->frag0_len = 0;
+-	return pskb_may_pull(skb, hlen) ? skb->data + offset : NULL;
++	return skb->data + offset;
+ }
+ 
+ static inline void *skb_gro_mac_header(struct sk_buff *skb)
+-- 
+1.7.6
+
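Review bot: The reordering in skb_gro_header_slow() carries no comment explaining why the frag0 reset must follow the pull, so a later refactor could easily move it back ahead of the check. Suggest a comment above the `pskb_may_pull` line: `/* Reset frag0/frag0_len only once the pull succeeded; clearing them on a failed pull leaves the GRO state inconsistent (CVE-2011-2723). */`. The function is fully visible in the hunk.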
diff --git a/kernel.spec b/kernel.spec
index cc12bce..eadc187 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -864,6 +864,12 @@ Patch14050: x86-PCI-don-t-use-native-Broadcom-CNB20LE-driver-whe.patch
 # RHBZ #648571
 Patch14051: modules-Fix-module_bug_list-list-corruption-race.patch
 
+# CVE-2011-2723
+Patch14052: gro-Only-reset-frag0-when-skb-can-be-pulled.patch
+
+# CVE-2011-2928
+Patch14053: befs-Validate-length-of-long-symbolic-links.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1627,6 +1633,12 @@ ApplyPatch x86-PCI-don-t-use-native-Broadcom-CNB20LE-driver-whe.patch
 # RHBZ #648571
 ApplyPatch modules-Fix-module_bug_list-list-corruption-race.patch
 
+# CVE-2011-2723
+ApplyPatch gro-Only-reset-frag0-when-skb-can-be-pulled.patch
+
+# CVE-2011-2928
+ApplyPatch befs-Validate-length-of-long-symbolic-links.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2213,6 +2225,10 @@ fi
 # and build.
 
 %changelog
+* Thu Sep 15 2011 Josh Boyer <jwboyer at redhat.com>
+- CVE-2011-2723: gro: Only reset frag0 when skb can be pulled
+- CVE-2011-2928: befs: Validate length of long symbolic links
+
 * Mon Sep 12 2011 Josh Boyer <jwboyer at redhat.com>
 - Backport 5336377d to fix RHBZ #648571
 

