[kernel/f14/master] Fix credentials leakage regression (#700637)
Chuck Ebbert
cebbert at fedoraproject.org
Tue May 3 13:09:07 UTC 2011
commit 2c4c81ad30245905988c1d3cb87e31ac1187ad39
Author: Chuck Ebbert <cebbert at redhat.com>
Date: Tue May 3 09:09:02 2011 -0400
Fix credentials leakage regression (#700637)
...ink-add-needed-scm_destroy-after-scm_send.patch | 57 ++++++++++++++++++++
kernel.spec | 9 +++
...ink-add-needed-scm-destroy-after-scm-send.patch | 29 ++++++++++
3 files changed, 95 insertions(+), 0 deletions(-)
---
diff --git a/af_netlink-add-needed-scm_destroy-after-scm_send.patch b/af_netlink-add-needed-scm_destroy-after-scm_send.patch
new file mode 100644
index 0000000..df8c69c
--- /dev/null
+++ b/af_netlink-add-needed-scm_destroy-after-scm_send.patch
@@ -0,0 +1,57 @@
+From: Eric W. Biederman <ebiederm at xmission.com>
+Date: Sun, 13 Jun 2010 03:31:06 +0000 (+0000)
+Subject: af_netlink: Add needed scm_destroy after scm_send.
+X-Git-Tag: v2.6.36-rc1~571^2~552
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6
+
+af_netlink: Add needed scm_destroy after scm_send.
+
+scm_send occasionally allocates state in the scm_cookie, so I have
+modified netlink_sendmsg to guarantee that when scm_send succeeds
+scm_destory will be called to free that state.
+
+Signed-off-by: Eric W. Biederman <ebiederm at xmission.com>
+Reviewed-by: Daniel Lezcano <daniel.lezcano at free.fr>
+Acked-by: Pavel Emelyanov <xemul at openvz.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index a2eb965..7aeaa83 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1323,19 +1323,23 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ if (msg->msg_flags&MSG_OOB)
+ return -EOPNOTSUPP;
+
+- if (NULL == siocb->scm)
++ if (NULL == siocb->scm) {
+ siocb->scm = &scm;
++ memset(&scm, 0, sizeof(scm));
++ }
+ err = scm_send(sock, msg, siocb->scm);
+ if (err < 0)
+ return err;
+
+ if (msg->msg_namelen) {
++ err = -EINVAL;
+ if (addr->nl_family != AF_NETLINK)
+- return -EINVAL;
++ goto out;
+ dst_pid = addr->nl_pid;
+ dst_group = ffs(addr->nl_groups);
++ err = -EPERM;
+ if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
+- return -EPERM;
++ goto out;
+ } else {
+ dst_pid = nlk->dst_pid;
+ dst_group = nlk->dst_group;
+@@ -1387,6 +1391,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ err = netlink_unicast(sk, skb, dst_pid, msg->msg_flags&MSG_DONTWAIT);
+
+ out:
++ scm_destroy(siocb->scm);
+ return err;
+ }
+
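Review bot: The leak fix depends on every exit taken after `scm_send()` has succeeded reaching `out:`, where the added `scm_destroy(siocb->scm)` runs; the two `return`s visible in the first hunk are converted to `goto out`, but the span between the two hunks (roughly old lines 1345–1386 of af_netlink.c) is not shown here, and any early `return` remaining in it would still leave the scm state unfreed — presumably those paths already use `goto out`, but that should be confirmed against the patched 2.6.35 tree rather than assumed from the upstream commit. A smaller style point: `memset(&scm, 0, sizeof(scm))` is placed after `siocb->scm = &scm`, so the cookie pointer is assigned before the cookie is zeroed; reordering to `memset(&scm, 0, sizeof(scm)); siocb->scm = &scm;` reads more naturally and makes the intent (hand out only an initialized cookie) obvious. netlink_sendmsg starts outside the hunk; its closing brace is the last line of the second hunk.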
diff --git a/kernel.spec b/kernel.spec
index cd9e39b..9c14ca7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -839,6 +839,10 @@ Patch13958: agp-fix-oom-and-buffer-overflow.patch
# CVE-2011-1494, CVE-2011-1495
Patch13960: scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
+# fix credentials leakage regression (#700637)
+Patch13961: revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
+Patch13962: af_netlink-add-needed-scm_destroy-after-scm_send.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
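Review bot: The two new Patch entries carry an ordering dependency that the comment does not state: Patch13961 must be applied before Patch13962, because it reverts the partial 2.6.35.11 backport that the complete upstream patch then replaces, and applying them in the other order would fail or leave the old hunk in place. A comment on the Patch13961 line such as `# must precede the complete upstream patch below` would make that explicit for anyone renumbering or reordering the patch list later; the same applies to the ApplyPatch pair in the following hunk.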
@@ -1577,6 +1581,10 @@ ApplyPatch agp-fix-oom-and-buffer-overflow.patch
# CVE-2011-1494, CVE-2011-1495
ApplyPatch scsi-mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
+# fix credentials leakage regression (#700637)
+ApplyPatch revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
+ApplyPatch af_netlink-add-needed-scm_destroy-after-scm_send.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2168,6 +2176,7 @@ fi
(CVE-2011-1494, CVE-2011-1495)
- agp: fix arbitrary kernel memory writes (CVE-2011-1745)
- agp: fix OOM and buffer overflow (CVE-2011-1746)
+- Fix credentials leakage regression (#700637)
* Thu Apr 29 2011 Chuck Ebbert <cebbert at redhat.com>
- Linux 2.6.35.13
diff --git a/revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch b/revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
new file mode 100644
index 0000000..46314a7
--- /dev/null
+++ b/revert-incomplete-af_netlink-add-needed-scm-destroy-after-scm-send.patch
@@ -0,0 +1,29 @@
+2.6.35.11 added two patches:
+ af_netlink-add-needed-scm_destroy-after-scm_send
+ fix-cred-leak-in-af_netlink
+
+The first one was supposedly a backport of upstream commit
+b47030c71dfd6c8cd5cb6e551b6f7f7cfc96f6a6, but it was incomplete and the
+rest of that commit was in the second patch. I asked for the second
+patch to be reverted in 2.6.35.12, thinking it was a duplicate fix for
+the credentials leakage, and that caused the leak to return. This patch
+reverts the first of those two patches so we can apply the complete
+upstream patch.
+
+Signed-off-by: Chuck Ebbert <cebbert at redhat.com>
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1323,11 +1323,8 @@
+ if (msg->msg_flags&MSG_OOB)
+ return -EOPNOTSUPP;
+
++ if (NULL == siocb->scm)
+- if (NULL == siocb->scm) {
+ siocb->scm = &scm;
+- memset(&scm, 0, sizeof(scm));
+- }
+-
+ err = scm_send(sock, msg, siocb->scm);
+ if (err < 0)
+ return err;