SOURCES (LINUX_2_6): kernel-small_fixes.patch - af_unix: netns: fix problem...

Sat Dec 13 21:18:21 CET 2008

Author: baggins                      Date: Sat Dec 13 20:18:21 2008 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- af_unix: netns: fix problem of return value
- ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table

---- Files affected:
SOURCES:
   kernel-small_fixes.patch (1.1.2.13 -> 1.1.2.14) 

---- Diffs:

================================================================
Index: SOURCES/kernel-small_fixes.patch
diff -u SOURCES/kernel-small_fixes.patch:1.1.2.13 SOURCES/kernel-small_fixes.patch:1.1.2.14

--- SOURCES/kernel-small_fixes.patch:1.1.2.13	Sat Dec  6 00:26:15 2008
+++ SOURCES/kernel-small_fixes.patch	Sat Dec 13 21:18:15 2008
@@ -189,3 +189,78 @@
  		goto std_return;
  	}
 
+From 4120bf257ec59ca4381af5be565e6e1e68b542c1 Mon Sep 17 00:00:00 2001
+From: Jianjun Kong <jianjun at zeuux.org>
+Date: Sat, 1 Nov 2008 21:37:27 -0700
+Subject: af_unix: netns: fix problem of return value
+
+From: Jianjun Kong <jianjun at zeuux.org>
+
+[ Upstream commit 48dcc33e5e11de0f76b65b113988dbc930d17395 ]
+
+fix problem of return value
+
+net/unix/af_unix.c: unix_net_init()
+when error appears, it should return 'error', not always return 0.
+
+Signed-off-by: Jianjun Kong <jianjun at zeuux.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+
+---
+ net/unix/af_unix.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2230,7 +2230,7 @@ static int unix_net_init(struct net *net
+ #endif
+ 	error = 0;
+ out:
+-	return 0;
++	return error;
+ }
+ 
+ static void unix_net_exit(struct net *net)
+From 17b24b3c97498935a2ef9777370b1151dfed3f6f Mon Sep 17 00:00:00 2001
+From: Chas Williams <chas at cmf.nrl.navy.mil>
+Date: Thu, 4 Dec 2008 14:58:13 -0800
+Subject: ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table
+
+From: Chas Williams <chas at cmf.nrl.navy.mil>
+
+commit 17b24b3c97498935a2ef9777370b1151dfed3f6f upstream.
+
+As reported by Hugo Dias that it is possible to cause a local denial
+of service attack by calling the svc_listen function twice on the same
+socket and reading /proc/net/atm/*vc
+
+Signed-off-by: Chas Williams <chas at cmf.nrl.navy.mil>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/atm/svc.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/atm/svc.c
++++ b/net/atm/svc.c
+@@ -293,7 +293,10 @@ static int svc_listen(struct socket *soc
+ 		error = -EINVAL;
+ 		goto out;
+ 	}
+-	vcc_insert_socket(sk);
++	if (test_bit(ATM_VF_LISTEN, &vcc->flags)) {
++		error = -EADDRINUSE;
++		goto out;
++        }
+ 	set_bit(ATM_VF_WAITING, &vcc->flags);
+ 	prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
+ 	sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
+@@ -307,6 +310,7 @@ static int svc_listen(struct socket *soc
+ 		goto out;
+ 	}
+ 	set_bit(ATM_VF_LISTEN,&vcc->flags);
++	vcc_insert_socket(sk);
+ 	sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
+ 	error = -sk->sk_err;
+ out:
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-small_fixes.patch?r1=1.1.2.13&r2=1.1.2.14&f=u

