Apply regression and security fixes previously committed for 3.11.10-1

* net: clamp ->msg_namelen instead of returning an error
  * tcp: tsq: restore minimal amount of queueing
  * rds: prevent BUG_ON triggered on congestion update to loopback
    (CVE-2012-2372)
  * ipv6: fix headroom calculation in udp6_ufo_fragment (CVE-2013-4563)
  * [s390,s390x] qeth: avoid buffer overflow in snmp ioctl (CVE-2013-6381)
  * xfs: underflow bug in xfs_attrlist_by_handle() (CVE-2013-6382)

svn path=/dists/trunk/linux/; revision=20839
This commit is contained in:
Ben Hutchings 2013-12-02 04:54:15 +00:00
parent c0e9d9ca3b
commit e10fc52041
8 changed files with 305 additions and 0 deletions

7
debian/changelog vendored
View File

@ -14,6 +14,13 @@ linux (3.12.2-1~exp1) UNRELEASED; urgency=low
* Enable CHECKPOINT_RESTORE (Closes: #682700)
* Enable JUMP_LABEL (Closes: #730071)
* [x86] staging: Enable CRYSTALHD as module (Closes: #730832)
* net: clamp ->msg_namelen instead of returning an error
* tcp: tsq: restore minimal amount of queueing
* rds: prevent BUG_ON triggered on congestion update to loopback
(CVE-2012-2372)
* ipv6: fix headroom calculation in udp6_ufo_fragment (CVE-2013-4563)
* [s390,s390x] qeth: avoid buffer overflow in snmp ioctl (CVE-2013-6381)
* xfs: underflow bug in xfs_attrlist_by_handle() (CVE-2013-6382)
[ Bastian Blank ]
* Use compiler name instead of Linux version in compiler meta-packages.

View File

@ -0,0 +1,35 @@
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Tue, 5 Nov 2013 02:41:27 +0100
Subject: ipv6: fix headroom calculation in udp6_ufo_fragment
Origin: https://git.kernel.org/linus/0e033e04c2678dbbe74a46b23fffb7bb918c288e
Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
fragmentation for tunnel traffic.") changed the calculation if
there is enough space to include a fragment header in the skb from a
skb->mac_header dervived one to skb_headroom. Because we already peeled
off the skb to transport_header this is wrong. Change this back to check
if we have enough room before the mac_header.
This fixes a panic Saran Neti reported. He used the tbf scheduler which
skb_gso_segments the skb. The offsets get negative and we panic in memcpy
because the skb was erroneously not expanded at the head.
Reported-by: Saran Neti <Saran.Neti@telus.com>
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv6/udp_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -88,7 +88,7 @@ static struct sk_buff *udp6_ufo_fragment
/* Check if there is enough headroom to insert fragment header. */
tnl_hlen = skb_tnl_header_len(skb);
- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
+ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
goto out;
}

View File

@ -0,0 +1,47 @@
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 27 Nov 2013 15:40:21 +0300
Subject: net: clamp ->msg_namelen instead of returning an error
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=db31c55a6fb245fdbb752a2ca4aefec89afabb06
If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the
original code that would lead to memory corruption in the kernel if you
had audit configured. If you didn't have audit configured it was
harmless.
There are some programs such as beta versions of Ruby which use too
large of a buffer and returning an error code breaks them. We should
clamp the ->msg_namelen value instead.
Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
Reported-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Eric Wong <normalperson@yhbt.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/compat.c | 2 +-
net/socket.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/net/compat.c
+++ b/net/compat.c
@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kms
__get_user(kmsg->msg_flags, &umsg->msg_flags))
return -EFAULT;
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
- return -EINVAL;
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
kmsg->msg_name = compat_ptr(tmp1);
kmsg->msg_iov = compat_ptr(tmp2);
kmsg->msg_control = compat_ptr(tmp3);
--- a/net/socket.c
+++ b/net/socket.c
@@ -1970,7 +1970,7 @@ static int copy_msghdr_from_user(struct
if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
return -EFAULT;
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
- return -EINVAL;
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
return 0;
}

View File

@ -0,0 +1,36 @@
Subject: rds: prevent BUG_ON triggered on congestion update to loopback
From: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Date: Mon, 25 Nov 2013 09:47:34 +0300
Origin: http://patchwork.ozlabs.org/patch/293827/
After congestion update on a local connection, when rds_ib_xmit returns
less bytes than that are there in the message, rds_send_xmit calls
back rds_ib_xmit with an offset that causes BUG_ON(off & RDS_FRAG_SIZE)
to trigger.
Reported-by: Josh Hunt <joshhunt00@gmail.com>
Tested-by: Honggang Li <honli@redhat.com>
Acked-by: Bang Nguyen <bang.nguyen@oracle.com>
Signed-off-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
net/rds/ib_send.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index e590949..37be6e2 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -552,9 +552,8 @@ int rds_ib_xmit(struct rds_connection *conn, struct rds_message *rm,
&& rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) {
rds_cong_map_updated(conn->c_fcong, ~(u64) 0);
scat = &rm->data.op_sg[sg];
- ret = sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
- ret = min_t(int, ret, scat->length - conn->c_xmit_data_off);
- return ret;
+ ret = max_t(int, RDS_CONG_MAP_BYTES, scat->length);
+ return sizeof(struct rds_header) + ret;
}
/* FIXME we may overallocate here */

View File

@ -0,0 +1,85 @@
From: Eric Dumazet <edumazet@google.com>
Date: Wed, 13 Nov 2013 06:32:54 -0800
Subject: tcp: tsq: restore minimal amount of queueing
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=98e09386c0ef4dfd48af7ba60ff908f0d525cdee
After commit c9eeec26e32e ("tcp: TSQ can use a dynamic limit"), several
users reported throughput regressions, notably on mvneta and wifi
adapters.
802.11 AMPDU requires a fair amount of queueing to be effective.
This patch partially reverts the change done in tcp_write_xmit()
so that the minimal amount is sysctl_tcp_limit_output_bytes.
It also remove the use of this sysctl while building skb stored
in write queue, as TSO autosizing does the right thing anyway.
Users with well behaving NICS and correct qdisc (like sch_fq),
can then lower the default sysctl_tcp_limit_output_bytes value from
128KB to 8KB.
This new usage of sysctl_tcp_limit_output_bytes permits each driver
authors to check how their driver performs when/if the value is set
to a minimum of 4KB.
Normally, line rate for a single TCP flow should be possible,
but some drivers rely on timers to perform TX completion and
too long TX completion delays prevent reaching full throughput.
Fixes: c9eeec26e32e ("tcp: TSQ can use a dynamic limit")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Sujith Manoharan <sujith@msujith.org>
Reported-by: Arnaud Ebalard <arno@natisbad.org>
Tested-by: Sujith Manoharan <sujith@msujith.org>
Cc: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
Documentation/networking/ip-sysctl.txt | 3 ---
net/ipv4/tcp.c | 6 ------
net/ipv4/tcp_output.c | 6 +++++-
3 files changed, 5 insertions(+), 10 deletions(-)
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -588,9 +588,6 @@ tcp_limit_output_bytes - INTEGER
typical pfifo_fast qdiscs.
tcp_limit_output_bytes limits the number of bytes on qdisc
or device to reduce artificial RTT/cwnd and reduce bufferbloat.
- Note: For GSO/TSO enabled flows, we try to have at least two
- packets in flight. Reducing tcp_limit_output_bytes might also
- reduce the size of individual GSO packet (64KB being the max)
Default: 131072
tcp_challenge_ack_limit - INTEGER
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -806,12 +806,6 @@ static unsigned int tcp_xmit_size_goal(s
xmit_size_goal = min_t(u32, gso_size,
sk->sk_gso_max_size - 1 - hlen);
- /* TSQ : try to have at least two segments in flight
- * (one in NIC TX ring, another in Qdisc)
- */
- xmit_size_goal = min_t(u32, xmit_size_goal,
- sysctl_tcp_limit_output_bytes >> 1);
-
xmit_size_goal = tcp_bound_to_half_wnd(tp, xmit_size_goal);
/* We try hard to avoid divides here */
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1875,8 +1875,12 @@ static bool tcp_write_xmit(struct sock *
* - better RTT estimation and ACK scheduling
* - faster recovery
* - high rates
+ * Alas, some drivers / subsystems require a fair amount
+ * of queued bytes to ensure line rate.
+ * One example is wifi aggregation (802.11 AMPDU)
*/
- limit = max(skb->truesize, sk->sk_pacing_rate >> 10);
+ limit = max_t(unsigned int, sysctl_tcp_limit_output_bytes,
+ sk->sk_pacing_rate >> 10);
if (atomic_read(&sk->sk_wmem_alloc) > limit) {
set_bit(TSQ_THROTTLED, &tp->tsq_flags);

View File

@ -0,0 +1,46 @@
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat, 23 Nov 2013 15:59:42 +1100
Subject: xfs: underflow bug in xfs_attrlist_by_handle()
Origin: http://www.ozlabs.org/~akpm/mmotm/broken-out/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
If we allocate less than sizeof(struct attrlist) then we end up corrupting
memory or doing a ZERO_PTR_SIZE dereference.
This can only be triggered with CAP_SYS_ADMIN.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Acked-by: Ben Myers <bpm@sgi.com>
Cc: Alex Elder <elder@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
fs/xfs/xfs_ioctl.c | 3 ++-
fs/xfs/xfs_ioctl32.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -443,7 +443,8 @@ xfs_attrlist_by_handle(
return -XFS_ERROR(EPERM);
if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
return -XFS_ERROR(EINVAL);
/*
--- a/fs/xfs/xfs_ioctl32.c
+++ b/fs/xfs/xfs_ioctl32.c
@@ -357,7 +357,8 @@ xfs_compat_attrlist_by_handle(
if (copy_from_user(&al_hreq, arg,
sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
return -XFS_ERROR(EINVAL);
/*

View File

@ -0,0 +1,43 @@
From: Ursula Braun <ursula.braun@de.ibm.com>
Date: Wed, 6 Nov 2013 09:04:52 +0100
Subject: qeth: avoid buffer overflow in snmp ioctl
Origin: https://git.kernel.org/linus/6fb392b1a63ae36c31f62bc3fc8630b49d602b62
Check user-defined length in snmp ioctl request and allow request
only if it fits into a qeth command buffer.
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Reviewed-by: Heiko Carstens <heicars2@linux.vnet.ibm.com>
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/s390/net/qeth_core_main.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
index 0a328d0..bd8c09e 100644
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -4451,7 +4451,7 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
struct qeth_cmd_buffer *iob;
struct qeth_ipa_cmd *cmd;
struct qeth_snmp_ureq *ureq;
- int req_len;
+ unsigned int req_len;
struct qeth_arp_query_info qinfo = {0, };
int rc = 0;
@@ -4467,6 +4467,10 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
/* skip 4 bytes (data_len struct member) to get req_len */
if (copy_from_user(&req_len, udata + sizeof(int), sizeof(int)))
return -EFAULT;
+ if (req_len > (QETH_BUFSIZE - IPA_PDU_HEADER_SIZE -
+ sizeof(struct qeth_ipacmd_hdr) -
+ sizeof(struct qeth_ipacmd_setadpparms_hdr)))
+ return -EINVAL;
ureq = memdup_user(udata, req_len + sizeof(struct qeth_snmp_ureq_hdr));
if (IS_ERR(ureq)) {
QETH_CARD_TEXT(card, 2, "snmpnome");

View File

@ -75,3 +75,9 @@ bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
bugfix/all/HID-uhid-fix-leak-for-64-32-UHID_CREATE.mbox
bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch
bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch
bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch
bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
bugfix/s390/qeth-avoid-buffer-overflow-in-snmp-ioctl.patch
bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch