rpms/kernel/F-9 linux-2.6-net-atm-CVE-2008-5079.patch, NONE, 1.1 kernel.spec, 1.874, 1.875 linux-2.6.27.7-alsa-driver-fixups.patch, 1.2, 1.3

Chuck Ebbert cebbert at fedoraproject.org
Tue Dec 9 05:04:11 UTC 2008


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27687

Modified Files:
	kernel.spec linux-2.6.27.7-alsa-driver-fixups.patch 
Added Files:
	linux-2.6-net-atm-CVE-2008-5079.patch 
Log Message:
ATM security fix (CVE-2008-5079)
Update ALSA fixups so the snd-pcsp driver can be built.

linux-2.6-net-atm-CVE-2008-5079.patch:

--- NEW FILE linux-2.6-net-atm-CVE-2008-5079.patch ---
From: Chas Williams <chas at cmf.nrl.navy.mil>
Date: Thu, 4 Dec 2008 22:58:13 +0000 (-0800)
Subject: ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=17b24b3c97498935a2ef9777370b1151dfed3f6f

ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table

As reported by Hugo Dias, it is possible to cause a local denial
of service by calling the svc_listen function twice on the same
socket and reading /proc/net/atm/*vc

Signed-off-by: Chas Williams <chas at cmf.nrl.navy.mil>
Signed-off-by: David S. Miller <davem at davemloft.net>
---

diff --git a/net/atm/svc.c b/net/atm/svc.c
index de1e4f2..8fb54dc 100644
--- a/net/atm/svc.c
+++ b/net/atm/svc.c
@@ -293,7 +293,10 @@ static int svc_listen(struct socket *sock,int backlog)
 		error = -EINVAL;
 		goto out;
 	}
-	vcc_insert_socket(sk);
+	if (test_bit(ATM_VF_LISTEN, &vcc->flags)) {
+		error = -EADDRINUSE;
+		goto out;
+        }
 	set_bit(ATM_VF_WAITING, &vcc->flags);
 	prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
 	sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
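Review bot: The new `test_bit(ATM_VF_LISTEN, &vcc->flags)` guard and the `set_bit(ATM_VF_LISTEN,&vcc->flags)` in the second hunk are separate operations, so the duplicate-listen check only holds if concurrent svc_listen() calls on the same socket are serialized. Whatever lock provides that is not visible here, because the function starts and ends outside the hunk, so it is worth confirming. A comment on the guard would record why it exists, for example `/* already listening: a second vcc_insert_socket() would corrupt the vcc table */`. The guard's closing brace is also indented with spaces where the surrounding lines use a tab.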
@@ -307,6 +310,7 @@ static int svc_listen(struct socket *sock,int backlog)
 		goto out;
 	}
 	set_bit(ATM_VF_LISTEN,&vcc->flags);
+	vcc_insert_socket(sk);
 	sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
 	error = -sk->sk_err;
 out:
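Review bot: The placement of `vcc_insert_socket(sk);` directly after `set_bit(ATM_VF_LISTEN,&vcc->flags);` is what keeps a rejected or repeated listen() from hashing the socket, but nothing in the code says the order matters. A one-line comment such as `/* insert into the vcc table only once the listen has succeeded */` would stop a later cleanup from moving the call back above the sigd round trip. The rest of svc_listen, including the `out:` path, lies outside the hunk, so it is not visible here whether every early exit leaves the socket un-inserted.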


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-9/kernel.spec,v
retrieving revision 1.874
retrieving revision 1.875
diff -u -r1.874 -r1.875
--- kernel.spec	8 Dec 2008 06:01:27 -0000	1.874
+++ kernel.spec	9 Dec 2008 05:03:41 -0000	1.875
@@ -704,6 +704,9 @@
 # r8169 fixes
 Patch2007: linux-2.6-netdev-r8169-2.6.28.patch
 
+# ATM security fix
+Patch2006: linux-2.6-net-atm-CVE-2008-5079.patch
+
 # atl2 network driver
 Patch2020: linux-2.6-netdev-atl2.patch
 
@@ -1277,6 +1280,9 @@
 
 ApplyPatch linux-2.6-net-tulip-interrupt.patch
 
+# ATM security fix
+ApplyPatch linux-2.6-net-atm-CVE-2008-5079.patch
+
 # Nouveau DRM + drm fixes
 ApplyPatch drm-fedora9-rollup.patch
 ApplyPatch drm-mm-readd-nopfn.patch
@@ -1898,6 +1904,10 @@
 %kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL}.xen -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.xen.conf %{with_xen} xen
 
 %changelog
+* Mon Dec 08 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.27.8-62
+- ATM security fix (CVE-2008-5079)
+- Update ALSA fixups so the snd-pcsp driver can be built.
+
 * Mon Dec 08 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.27.8-61
 - Drop check for SWIOTLB in the ath9k driver.
 - Add ath9k patch to fail gracefully when iommu is full.

linux-2.6.27.7-alsa-driver-fixups.patch:

Index: linux-2.6.27.7-alsa-driver-fixups.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-9/linux-2.6.27.7-alsa-driver-fixups.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- linux-2.6.27.7-alsa-driver-fixups.patch	3 Dec 2008 13:32:03 -0000	1.2
+++ linux-2.6.27.7-alsa-driver-fixups.patch	9 Dec 2008 05:03:41 -0000	1.3
@@ -380,3 +380,100 @@
  int ps3av_audio_mute(int mute)
  {
  	return ps3av_set_audio_mute(mute ? PS3AV_CMD_MUTE_ON
+Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=63ca243b271f5b44e0b1057003cf498b6d0fadf7
+Commit:     63ca243b271f5b44e0b1057003cf498b6d0fadf7
+Parent:     8ff3e8e85fa6c312051134b3953e397feb639f51
+Author:     Arjan van de Ven <arjan at linux.intel.com>
+AuthorDate: Mon Sep 1 14:35:02 2008 -0700
+Committer:  Arjan van de Ven <arjan at linux.intel.com>
+CommitDate: Fri Sep 5 21:35:05 2008 -0700
+
+    hrtimer: add abstraction functions for accessing the "expires" member
+    
+    In order to be able to turn hrtimers into range based, we need to provide
+    accessor functions for getting to the "expires" ktime_t member of the
+    struct hrtimer.
+    
+    This patch adds a set of accessors for this purpose:
+    * hrtimer_set_expires
+    * hrtimer_set_expires_tv64
+    * hrtimer_add_expires
+    * hrtimer_add_expires_ns
+    * hrtimer_get_expires
+    * hrtimer_get_expires_tv64
+    * hrtimer_get_expires_ns
+    * hrtimer_expires_remaining
+    * hrtimer_start_expires
+    
+    No users of these new accessors are added yet; these follow in later patches.
+    Hopefully this patch can even go into 2.6.27-rc so that the conversions will
+    not have a bottleneck in -next
+    
+    Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>
+---
+ include/linux/hrtimer.h |   45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 45 insertions(+), 0 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index becd17d..9900e99 100644
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -217,6 +217,45 @@ static inline int hrtimer_is_hres_active(struct hrtimer *timer)
+ 	return timer->base->cpu_base->hres_active;
+ }
+ 
++static inline void hrtimer_set_expires(struct hrtimer *timer, ktime_t time)
++{
++	timer->expires = time;
++}
++static inline void hrtimer_set_expires_tv64(struct hrtimer *timer, s64 tv64)
++{
++	timer->expires.tv64 = tv64;
++}
++
++static inline void hrtimer_add_expires(struct hrtimer *timer, ktime_t time)
++{
++	timer->expires = ktime_add_safe(timer->expires, time);
++}
++
++static inline void hrtimer_add_expires_ns(struct hrtimer *timer, unsigned long ns)
++{
++	timer->expires = ktime_add_ns(timer->expires, ns);
++}
++
++static inline ktime_t hrtimer_get_expires(const struct hrtimer *timer)
++{
++	return timer->expires;
++}
++
++static inline s64 hrtimer_get_expires_tv64(const struct hrtimer *timer)
++{
++	return timer->expires.tv64;
++}
++
++static inline s64 hrtimer_get_expires_ns(const struct hrtimer *timer)
++{
++	return ktime_to_ns(timer->expires);
++}
++
++static inline ktime_t hrtimer_expires_remaining(const struct hrtimer *timer)
++{
++    return ktime_sub(timer->expires, timer->base->get_time());
++}
++
+ /*
+  * The resolution of the clocks. The resolution value is returned in
+  * the clock_getres() system call to give application programmers an
+@@ -287,6 +326,12 @@ extern int hrtimer_start(struct hrtimer *timer, ktime_t tim,
+ extern int hrtimer_cancel(struct hrtimer *timer);
+ extern int hrtimer_try_to_cancel(struct hrtimer *timer);
+ 
++static inline int hrtimer_start_expires(struct hrtimer *timer,
++						enum hrtimer_mode mode)
++{
++	return hrtimer_start(timer, hrtimer_get_expires(timer), mode);
++}
++
+ static inline int hrtimer_restart(struct hrtimer *timer)
+ {
+ 	return hrtimer_start(timer, timer->expires, HRTIMER_MODE_ABS);
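Review bot: In the added header text, `hrtimer_add_expires_ns()` takes `unsigned long ns` and adds it with `ktime_add_ns()`, while its sibling `hrtimer_add_expires()` goes through `ktime_add_safe()`. On a 32-bit build that parameter can carry only about 4.29 seconds of nanoseconds, and nothing in the visible lines guards the addition against overflow of the expiry. If callers may pass longer intervals, a 64-bit parameter avoids silent truncation: `static inline void hrtimer_add_expires_ns(struct hrtimer *timer, u64 ns)`. Separately, `hrtimer_expires_remaining()` is indented with spaces rather than a tab, and the blank line between `hrtimer_set_expires()` and `hrtimer_set_expires_tv64()` is missing.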



