[kernel/f14/master] Fix credentials leakage regression (#700637)

Chuck Ebbert cebbert at fedoraproject.org
Tue May 3 13:09:07 UTC 2011


commit 2c4c81ad30245905988c1d3cb87e31ac1187ad39
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Tue May 3 09:09:02 2011 -0400

    Fix credentials leakage regression (#700637)

 ...ink-add-needed-scm_destroy-after-scm_send.patch |   57 ++++++++++++++++++++
 kernel.spec                                        |    9 +++
 ...ink-add-needed-scm-destroy-after-scm-send.patch |   29 ++++++++++
 3 files changed, 95 insertions(+), 0 deletions(-)
---
diff --git a/af_netlink-add-needed-scm_destroy-after-scm_send.patch b/af_netlink-add-needed-scm_destroy-after-scm_send.patch
new file mode 100644
index 0000000..df8c69c
--- /dev/null
+++ b/af_netlink-add-needed-scm_destroy-after-scm_send.patch
@@ -0,0 +1,57 @@
+From: Eric W. Biederman <ebiederm at xmission.com>
+Date: Sun, 13 Jun 2010 03:31:06 +0000 (+0000)
+Subject: af_netlink: Add needed scm_destroy after scm_send.
+X-Git-Tag: v2.6.36-rc1~571^2~552
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6
+
+af_netlink: Add needed scm_destroy after scm_send.
+
+scm_send occasionally allocates state in the scm_cookie, so I have
+modified netlink_sendmsg to guarantee that when scm_send succeeds
+scm_destory will be called to free that state.
+
+Signed-off-by: Eric W. Biederman <ebiederm at xmission.com>
+Reviewed-by: Daniel Lezcano <daniel.lezcano at free.fr>
+Acked-by: Pavel Emelyanov <xemul at openvz.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index a2eb965..7aeaa83 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1323,19 +1323,23 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	if (msg->msg_flags&MSG_OOB)
+ 		return -EOPNOTSUPP;
+ 
+-	if (NULL == siocb->scm)
++	if (NULL == siocb->scm) {
+ 		siocb->scm = &scm;
++		memset(&scm, 0, sizeof(scm));
++	}
+ 	err = scm_send(sock, msg, siocb->scm);
+ 	if (err < 0)
+ 		return err;
+ 
+ 	if (msg->msg_namelen) {
++		err = -EINVAL;
+ 		if (addr->nl_family != AF_NETLINK)
+-			return -EINVAL;
++			goto out;
+ 		dst_pid = addr->nl_pid;
+ 		dst_group = ffs(addr->nl_groups);
++		err =  -EPERM;
+ 		if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
+-			return -EPERM;
++			goto out;
+ 	} else {
+ 		dst_pid = nlk->dst_pid;
+ 		dst_group = nlk->dst_group;
+@@ -1387,6 +1391,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	err = netlink_unicast(sk, skb, dst_pid, msg->msg_flags&MSG_DONTWAIT);
+ 
+ out:
++	scm_destroy(siocb->scm);
+ 	return err;
+ }
+ 
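Review bot: The new `scm_destroy(siocb->scm)` at `out:` only releases state on exits that reach that label, and the body between the two hunks (lines 1344–1390 of af_netlink.c) is outside this patch, so any bare `return` surviving there after a successful `scm_send` would still leak the scm_cookie state; that span is worth re-checking when this is backported onto 2.6.35. The `memset(&scm, 0, sizeof(scm))` is presumably what makes the unconditional destroy safe (a zeroed cookie has nothing to release), so the two additions should be kept together, which is exactly what the earlier incomplete backport got wrong. A style nit on the line `err =  -EPERM;`: the doubled space should read `err = -EPERM;` to match `err = -EINVAL;` just above it. netlink_sendmsg starts and ends outside the hunk.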
diff --git a/kernel.spec b/kernel.spec
index cd9e39b..9c14ca7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -839,6 +839,10 @@ Patch13958: agp-fix-oom-and-buffer-overflow.patch
 # CVE-2011-1494, CVE-2011-1495
 Patch13960: scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
 
+# fix credentials leakage regression (#700637)
+Patch13961: revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
+Patch13962: af_netlink-add-needed-scm_destroy-after-scm_send.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1577,6 +1581,10 @@ ApplyPatch agp-fix-oom-and-buffer-overflow.patch
 # CVE-2011-1494, CVE-2011-1495
 ApplyPatch scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
 
+# fix credentials leakage regression (#700637)
+ApplyPatch revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
+ApplyPatch af_netlink-add-needed-scm_destroy-after-scm_send.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2168,6 +2176,7 @@ fi
   (CVE-2011-1494, CVE-2011-1495)
 - agp: fix arbitrary kernel memory writes (CVE-2011-1745)
 - agp: fix OOM and buffer overflow (CVE-2011-1746)
+- Fix credentials leakage regression (#700637)
 
 * Thu Apr 29 2011 Chuck Ebbert <cebbert at redhat.com>
 - Linux 2.6.35.13
diff --git a/revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch b/revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
new file mode 100644
index 0000000..46314a7
--- /dev/null
+++ b/revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
@@ -0,0 +1,29 @@
+2.6.35.11 added two patches:
+  af_netlink-add-needed-scm_destroy-after-scm_send
+  fix-cred-leak-in-af_netlink
+
+The first one was supposedly a backport of upstream commit
+b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6, but it was incomplete and the
+rest of that commit was in the second patch. I asked for the second
+patch to be reverted in 2.6.35.12, thinking it was a duplicate fix for
+the credentials leakage, and that caused the leak to return. This patch
+reverts the first of those two patches so we can apply the complete
+upstream patch.
+
+Signed-off-by: Chuck Ebbert <cebbert at redhat.com>
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1323,11 +1323,8 @@
+ 	if (msg->msg_flags&MSG_OOB)
+ 		return -EOPNOTSUPP;
+ 
++	if (NULL == siocb->scm)
+-	if (NULL == siocb->scm) {
+ 		siocb->scm = &scm;
+-		memset(&scm, 0, sizeof(scm));
+-	}
+-
+ 	err = scm_send(sock, msg, siocb->scm);
+ 	if (err < 0)
+ 		return err;
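Review bot: Once the `memset(&scm, 0, sizeof(scm))` is dropped, `siocb->scm = &scm` points at an uninitialized stack `scm` until the following patch re-adds the zeroing, so this revert is only sound because kernel.spec applies Patch13962 immediately after Patch13961; that ordering dependency deserves a one-line comment in the patch header, e.g. `Must be followed immediately by af_netlink-add-needed-scm_destroy-after-scm_send.patch.` The hunk header `@@ -1323,11 +1323,8 @@` carries no function context and the `+` line precedes the `-` lines, which is unusual for tool-generated diffs and suggests the hunk was hand-edited; it still applies, but regenerating it with `diff -u` would make it easier to audit. netlink_sendmsg starts and ends outside the hunk.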

