From: Jiri Olsa <jolsa@redhat.com>
Date: Fri, 19 Feb 2010 16:43:19 -0500
Subject: [netlink] connector: delete buggy notification code
Message-id: <1266597799-18454-1-git-send-email-jolsa@redhat.com>
Patchwork-id: 23363
O-Subject: [PATCH RHEL5] BZ#561685 - connector: Delete buggy notification code
Bugzilla: 561685
RH-Acked-by: David S. Miller <davem@redhat.com>
Bugzilla: 561685
CVE-2010-0410 kernel: OOM/crash in drivers/connector [rhel-5.5]
https://bugzilla.redhat.com/show_bug.cgi?id=561685
Description:
Signed-off-by: Jarod Wilson <jarod@redhat.com>
diff --git a/Documentation/connector/cn_test.c b/Documentation/connector/cn_test.c
index 3e73231..bee2c15 100644
--- a/Documentation/connector/cn_test.c
+++ b/Documentation/connector/cn_test.c
@@ -41,6 +41,12 @@ void cn_test_callback(void *data)
msg->seq, msg->ack, msg->len, (char *)msg->data);
}
+/*
+ * Do not remove this function even if no one is using it as
+ * this is an example of how to get notifications about new
+ * connector user registration
+ */
+#if 0
static int cn_test_want_notify(void)
{
struct cn_ctl_msg *ctl;
@@ -117,6 +123,7 @@ nlmsg_failure:
kfree_skb(skb);
return -EINVAL;
}
+#endif
static u32 cn_test_timer_counter;
static void cn_test_timer_func(unsigned long __data)
diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
index b49bacf..a2ca719 100644
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -34,17 +34,6 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Evgeniy Polyakov <johnpol@2ka.mipt.ru>");
MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector.");
-static u32 cn_idx = CN_IDX_CONNECTOR;
-static u32 cn_val = CN_VAL_CONNECTOR;
-
-module_param(cn_idx, uint, 0);
-module_param(cn_val, uint, 0);
-MODULE_PARM_DESC(cn_idx, "Connector's main device idx.");
-MODULE_PARM_DESC(cn_val, "Connector's main device val.");
-
-static DEFINE_MUTEX(notify_lock);
-static LIST_HEAD(notify_list);
-
static struct cn_dev cdev;
int cn_already_initialized = 0;
@@ -251,54 +240,6 @@ static void cn_input(struct sock *sk, int len)
}
/*
- * Notification routing.
- *
- * Gets id and checks if there are notification request for it's idx
- * and val. If there are such requests notify the listeners with the
- * given notify event.
- *
- */
-static void cn_notify(struct cb_id *id, u32 notify_event)
-{
- struct cn_ctl_entry *ent;
-
- mutex_lock(¬ify_lock);
- list_for_each_entry(ent, ¬ify_list, notify_entry) {
- int i;
- struct cn_notify_req *req;
- struct cn_ctl_msg *ctl = ent->msg;
- int idx_found, val_found;
-
- idx_found = val_found = 0;
-
- req = (struct cn_notify_req *)ctl->data;
- for (i = 0; i < ctl->idx_notify_num; ++i, ++req) {
- if (id->idx >= req->first &&
- id->idx < req->first + req->range) {
- idx_found = 1;
- break;
- }
- }
-
- for (i = 0; i < ctl->val_notify_num; ++i, ++req) {
- if (id->val >= req->first &&
- id->val < req->first + req->range) {
- val_found = 1;
- break;
- }
- }
-
- if (idx_found && val_found) {
- struct cn_msg m = { .ack = notify_event, };
-
- memcpy(&m.id, id, sizeof(m.id));
- cn_netlink_send(&m, ctl->group, GFP_KERNEL);
- }
- }
- mutex_unlock(¬ify_lock);
-}
-
-/*
* Callback add routing - adds callback with given ID and name.
* If there is registered callback with the same ID it will not be added.
*
@@ -316,8 +257,6 @@ int cn_add_callback(struct cb_id *id, char *name, void (*callback)(void *))
if (err)
return err;
- cn_notify(id, 0);
-
return 0;
}
EXPORT_SYMBOL_GPL(cn_add_callback);
@@ -335,120 +274,14 @@ void cn_del_callback(struct cb_id *id)
struct cn_dev *dev = &cdev;
cn_queue_del_callback(dev->cbdev, id);
- cn_notify(id, 1);
}
EXPORT_SYMBOL_GPL(cn_del_callback);
-/*
- * Checks two connector's control messages to be the same.
- * Returns 1 if they are the same or if the first one is corrupted.
- */
-static int cn_ctl_msg_equals(struct cn_ctl_msg *m1, struct cn_ctl_msg *m2)
-{
- int i;
- struct cn_notify_req *req1, *req2;
-
- if (m1->idx_notify_num != m2->idx_notify_num)
- return 0;
-
- if (m1->val_notify_num != m2->val_notify_num)
- return 0;
-
- if (m1->len != m2->len)
- return 0;
-
- if ((m1->idx_notify_num + m1->val_notify_num) * sizeof(*req1) !=
- m1->len)
- return 1;
-
- req1 = (struct cn_notify_req *)m1->data;
- req2 = (struct cn_notify_req *)m2->data;
-
- for (i = 0; i < m1->idx_notify_num; ++i) {
- if (req1->first != req2->first || req1->range != req2->range)
- return 0;
- req1++;
- req2++;
- }
-
- for (i = 0; i < m1->val_notify_num; ++i) {
- if (req1->first != req2->first || req1->range != req2->range)
- return 0;
- req1++;
- req2++;
- }
-
- return 1;
-}
-
-/*
- * Main connector device's callback.
- *
- * Used for notification of a request's processing.
- */
-static void cn_callback(void *data)
-{
- struct cn_msg *msg = data;
- struct cn_ctl_msg *ctl;
- struct cn_ctl_entry *ent;
- u32 size;
-
- if (msg->len < sizeof(*ctl))
- return;
-
- ctl = (struct cn_ctl_msg *)msg->data;
-
- size = (sizeof(*ctl) + ((ctl->idx_notify_num +
- ctl->val_notify_num) *
- sizeof(struct cn_notify_req)));
-
- if (msg->len != size)
- return;
-
- if (ctl->len + sizeof(*ctl) != msg->len)
- return;
-
- /*
- * Remove notification.
- */
- if (ctl->group == 0) {
- struct cn_ctl_entry *n;
-
- mutex_lock(¬ify_lock);
- list_for_each_entry_safe(ent, n, ¬ify_list, notify_entry) {
- if (cn_ctl_msg_equals(ent->msg, ctl)) {
- list_del(&ent->notify_entry);
- kfree(ent);
- }
- }
- mutex_unlock(¬ify_lock);
-
- return;
- }
-
- size += sizeof(*ent);
-
- ent = kzalloc(size, GFP_KERNEL);
- if (!ent)
- return;
-
- ent->msg = (struct cn_ctl_msg *)(ent + 1);
-
- memcpy(ent->msg, ctl, size - sizeof(*ent));
-
- mutex_lock(¬ify_lock);
- list_add(&ent->notify_entry, ¬ify_list);
- mutex_unlock(¬ify_lock);
-}
-
static int __devinit cn_init(void)
{
struct cn_dev *dev = &cdev;
- int err;
dev->input = cn_input;
- dev->id.idx = cn_idx;
- dev->id.val = cn_val;
dev->nls = netlink_kernel_create(NETLINK_CONNECTOR,
CN_NETLINK_USERS + 0xf,
@@ -465,15 +298,6 @@ static int __devinit cn_init(void)
cn_already_initialized = 1;
- err = cn_add_callback(&dev->id, "connector", &cn_callback);
- if (err) {
- cn_already_initialized = 0;
- cn_queue_free_dev(dev->cbdev);
- if (dev->nls->sk_socket)
- sock_release(dev->nls->sk_socket);
- return -EINVAL;
- }
-
return 0;
}
@@ -483,7 +307,6 @@ static void __devexit cn_fini(void)
cn_already_initialized = 0;
- cn_del_callback(&dev->id);
cn_queue_free_dev(dev->cbdev);
if (dev->nls->sk_socket)
sock_release(dev->nls->sk_socket);
diff --git a/include/linux/connector.h b/include/linux/connector.h
index 4c02119..1253483 100644
--- a/include/linux/connector.h
+++ b/include/linux/connector.h
@@ -24,9 +24,6 @@
#include <asm/types.h>
-#define CN_IDX_CONNECTOR 0xffffffff
-#define CN_VAL_CONNECTOR 0xffffffff
-
/*
* Process Events connector unique ids -- used for message routing
*/
@@ -67,30 +64,6 @@ struct cn_msg {
__u8 data[0];
};
-/*
- * Notify structure - requests notification about
- * registering/unregistering idx/val in range [first, first+range].
- */
-struct cn_notify_req {
- __u32 first;
- __u32 range;
-};
-
-/*
- * Main notification control message
- * *_notify_num - number of appropriate cn_notify_req structures after
- * this struct.
- * group - notification receiver's idx.
- * len - total length of the attached data.
- */
-struct cn_ctl_msg {
- __u32 idx_notify_num;
- __u32 val_notify_num;
- __u32 group;
- __u32 len;
- __u8 data[0];
-};
-
#ifdef __KERNEL__
#include <asm/atomic.h>
@@ -143,11 +116,6 @@ struct cn_callback_entry {
struct sock *nls;
};
-struct cn_ctl_entry {
- struct list_head notify_entry;
- struct cn_ctl_msg *msg;
-};
-
struct cn_dev {
struct cb_id id;
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
fc11cd6e1c513a17304da94a5390f3cd
>
files
>
2551
