https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1768

Two patches attached (order matters)

Cheers,
        Moritz
commit e924960dacdf85d118a98c7262edf2f99c3015cf
Author: Alexey Dobriyan <adobri...@gmail.com>
Date:   Mon Jan 25 10:28:21 2010 +0000

    netns xfrm: fixup xfrm6_tunnel error propagation
    
    Signed-off-by: Alexey Dobriyan <adobri...@gmail.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>

diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 438831d..23fb100 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -353,13 +353,19 @@ static struct xfrm6_tunnel xfrm46_tunnel_handler = {
 
 static int __init xfrm6_tunnel_init(void)
 {
-	if (xfrm_register_type(&xfrm6_tunnel_type, AF_INET6) < 0)
+	int rv;
+
+	rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
+	if (rv < 0)
 		goto err;
-	if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6))
+	rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6);
+	if (rv < 0)
 		goto unreg;
-	if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET))
+	rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET);
+	if (rv < 0)
 		goto dereg6;
-	if (xfrm6_tunnel_spi_init() < 0)
+	rv = xfrm6_tunnel_spi_init();
+	if (rv < 0)
 		goto dereg46;
 	return 0;
 
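Review bot: The two `xfrm6_tunnel_register()` checks in `xfrm6_tunnel_init()` changed from "any non-zero return" to `rv < 0`, so a positive return would now count as success and initialisation would carry on. This is harmless if the function only ever returns 0 or a negative errno, but its body is not visible here, so that is worth confirming. A one-line comment such as `/* xfrm6_tunnel_register() returns 0 or -errno */` next to the first check would record the assumption. The cleanup labels and the final `return rv;` for this function are in the following hunk.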
@@ -370,7 +376,7 @@ dereg6:
 unreg:
 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
 err:
-	return -EAGAIN;
+	return rv;
 }
 
 static void __exit xfrm6_tunnel_fini(void)
commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978
Author: Alexey Dobriyan <adobri...@gmail.com>
Date:   Tue Feb 16 09:05:04 2010 +0000

    tunnels: fix netns vs proto registration ordering
    
    Same stuff as in ip_gre patch: receive hook can be called before netns
    setup is done, oopsing in net_generic().
    
    Signed-off-by: Alexey Dobriyan <adobri...@gmail.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [dannf: backported to Debian's 2.6.26]

diff -urpN linux-source-2.6.26.orig/net/ipv4/ipip.c linux-source-2.6.26/net/ipv4/ipip.c
--- linux-source-2.6.26.orig/net/ipv4/ipip.c	2008-07-13 15:51:29.000000000 -0600
+++ linux-source-2.6.26/net/ipv4/ipip.c	2011-06-09 20:08:37.464943595 -0600
@@ -842,15 +842,14 @@ static int __init ipip_init(void)
 
 	printk(banner);
 
-	if (xfrm4_tunnel_register(&ipip_handler, AF_INET)) {
+	err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
+	if (err < 0)
+		return err;
+	err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
+	if (err < 0) {
+		unregister_pernet_device(&ipip_net_ops);
 		printk(KERN_INFO "ipip init: can't register tunnel\n");
-		return -EAGAIN;
 	}
-
-	err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
-	if (err)
-		xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
-
 	return err;
 }
 
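Review bot: The new error path undoes `register_pernet_gen_device(&ipip_net_id, &ipip_net_ops)` with `unregister_pernet_device(&ipip_net_ops)`, which is not the matching teardown for a gen registration. On a tree that still has the gen API the counterpart is `unregister_pernet_gen_device(ipip_net_id, &ipip_net_ops);`, and the plain variant presumably leaves the generic id allocated after a failed init. The same mismatch appears in the `sit_init()` hunk with `sit_net_id` and `sit_net_ops`. `ipip_init()` begins above this hunk, so the declaration of `err` is not visible here.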
diff -urpN linux-source-2.6.26.orig/net/ipv6/ip6_tunnel.c linux-source-2.6.26/net/ipv6/ip6_tunnel.c
--- linux-source-2.6.26.orig/net/ipv6/ip6_tunnel.c	2008-07-13 15:51:29.000000000 -0600
+++ linux-source-2.6.26/net/ipv6/ip6_tunnel.c	2011-06-09 20:13:03.276239292 -0600
@@ -1489,27 +1489,29 @@ static int __init ip6_tunnel_init(void)
 {
 	int  err;
 
-	if (xfrm6_tunnel_register(&ip4ip6_handler, AF_INET)) {
+	err = register_pernet_device(&ip6_tnl_net_ops);
+	if (err < 0)
+		goto out_pernet;
+
+	err = xfrm6_tunnel_register(&ip4ip6_handler, AF_INET);
+	if (err < 0) {
 		printk(KERN_ERR "ip6_tunnel init: can't register ip4ip6\n");
-		err = -EAGAIN;
-		goto out;
+		goto out_ip4ip6;
 	}
 
-	if (xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6)) {
+	err = xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6);
+	if (err < 0) {
 		printk(KERN_ERR "ip6_tunnel init: can't register ip6ip6\n");
-		err = -EAGAIN;
-		goto unreg_ip4ip6;
+		goto out_ip6ip6;
 	}
 
-	err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
-	if (err < 0)
-		goto err_pernet;
 	return 0;
-err_pernet:
-	xfrm6_tunnel_deregister(&ip6ip6_handler, AF_INET6);
-unreg_ip4ip6:
+
+out_ip6ip6:
 	xfrm6_tunnel_deregister(&ip4ip6_handler, AF_INET);
-out:
+out_ip4ip6:
+	unregister_pernet_device(&ip6_tnl_net_ops);
+out_pernet:
 	return err;
 }
 
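Review bot: This backport replaces `register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops)` with `register_pernet_device(&ip6_tnl_net_ops)`, so nothing in `ip6_tunnel_init()` assigns `ip6_tnl_net_id` any more. Unless `ip6_tnl_net_ops` carries its own id in this tree (not visible here), later `net_generic()` lookups with that id would use a value that was never allocated, which is the class of oops the commit sets out to prevent. Keeping `err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);` as the first step, as the ipip and sit hunks do, and unwinding at `out_ip4ip6:` with `unregister_pernet_gen_device(ip6_tnl_net_id, &ip6_tnl_net_ops);` would preserve the id setup. The labels are also named for the step that failed rather than what they undo: `out_ip6ip6:` deregisters `ip4ip6_handler`.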
diff -urpN linux-source-2.6.26.orig/net/ipv6/sit.c linux-source-2.6.26/net/ipv6/sit.c
--- linux-source-2.6.26.orig/net/ipv6/sit.c	2008-07-13 15:51:29.000000000 -0600
+++ linux-source-2.6.26/net/ipv6/sit.c	2011-06-09 20:09:47.285806826 -0600
@@ -1082,15 +1082,14 @@ static int __init sit_init(void)
 
 	printk(KERN_INFO "IPv6 over IPv4 tunneling driver\n");
 
-	if (xfrm4_tunnel_register(&sit_handler, AF_INET6) < 0) {
-		printk(KERN_INFO "sit init: Can't add protocol\n");
-		return -EAGAIN;
-	}
-
 	err = register_pernet_gen_device(&sit_net_id, &sit_net_ops);
 	if (err < 0)
-		xfrm4_tunnel_deregister(&sit_handler, AF_INET6);
-
+		return err;
+	err = xfrm4_tunnel_register(&sit_handler, AF_INET6);
+	if (err < 0) {
+		unregister_pernet_device(&sit_net_ops);
+		printk(KERN_INFO "sit init: Can't add protocol\n");
+	}
 	return err;
 }
 
diff -urpN linux-source-2.6.26.orig/net/ipv6/xfrm6_tunnel.c linux-source-2.6.26/net/ipv6/xfrm6_tunnel.c
--- linux-source-2.6.26.orig/net/ipv6/xfrm6_tunnel.c	2011-06-09 21:11:53.125828225 -0600
+++ linux-source-2.6.26/net/ipv6/xfrm6_tunnel.c	2011-06-09 21:20:18.328528733 -0600
@@ -346,36 +346,36 @@ static int __init xfrm6_tunnel_init(void
 {
 	int rv;
 
-	rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
+	rv = xfrm6_tunnel_spi_init();
 	if (rv < 0)
 		goto err;
+	rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
+	if (rv < 0)
+		goto out_type;
 	rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6);
 	if (rv < 0)
-		goto unreg;
+		goto out_xfrm6;
 	rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET);
 	if (rv < 0)
-		goto dereg6;
-	rv = xfrm6_tunnel_spi_init();
-	if (rv < 0)
-		goto dereg46;
+		goto out_xfrm46;
 	return 0;
 
-dereg46:
-	xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
-dereg6:
+out_xfrm46:
 	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
-unreg:
+out_xfrm6:
 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+out_type:
+	xfrm6_tunnel_spi_fini();
 err:
 	return rv;
 }
 
 static void __exit xfrm6_tunnel_fini(void)
 {
-	xfrm6_tunnel_spi_fini();
 	xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
 	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+	xfrm6_tunnel_spi_fini();
 }
 
 module_init(xfrm6_tunnel_init);
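Review bot: Nothing in the code records why `xfrm6_tunnel_spi_init()` now runs first in `xfrm6_tunnel_init()`, so a later cleanup could move it back behind the handler registrations. Going by the commit message, a comment above it such as `/* set up SPI state before any receive handler can be called */` would keep the ordering intentional. A matching `/* tear down SPI state last, after the handlers are gone */` would fit above the `xfrm6_tunnel_spi_fini()` call in `xfrm6_tunnel_fini()`. The unwind labels are named for the step that failed rather than the action they perform (`out_xfrm46:` deregisters `xfrm6_tunnel_handler`), which is easy to misread when adding a new step.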