[Debian] Re: lenny updates (netfilter)

Kir Kolyshkin kir at openvz.org
Mon Mar 16 07:13:24 EDT 2009


Ola Lundqvist wrote:
> Hi Kir
>
> Thanks for the list. I have now made some work to apply this.
> Below are some comments.
>
> On Tue, Mar 10, 2009 at 02:00:39AM +0300, Kir Kolyshkin wrote:
>   
>> Kir Kolyshkin wrote:
>>     
>>> I am currently checking all the ~80 patches that are not in the openvz 
>>> lenny kernel. Looks like most are really needed. Let me suggest some 
>>> in a few emails I will send as a reply to this one.
>>>       
>> Here is a set of netfilter patches, quite a few. Some are very critical 
>> (read security-related) since they fix various container/host isolation 
>> issues, others are to prevent kernel oopses...
>>
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=8562975430153848dd817a050133b53adda96910
>> nf: fix use after free
>> Fix use after free error, found by internal testing. Not an ABI breaker.
>> Attached as 0010*
>>     
>
> Already in the debian openvz patch.
>
>   
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=fa7ac0b2423dc741cd7016565545abb8e36c4af4
>> nf: fix call to kmem_cache_destroy from VEs
>> Found by internal testing. Not an ABI breaker.
>> Attached as 0011*
>>     
>
> And this one as well.
>
>   
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=17b09e1de42db77743ea9ae3dfd3a910ac57ee71
>> conntrack: prevent double allocate/free of protos
>> Found by internal testing. Not an ABI breaker.
>> Attached as 0022*
>>     
>
> The double alloc should not be too much of a problem (or?), but the double free, I assume, can result
> in real problems, right?
>   

Right. Tables are leaked.

>  
>   
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=7d3f10fc5d8e268f7572cfdd2287c049bce3af7c
>> conntrack: prevent call register_pernet_subsys() from VE context
>> Found by internal audit. Not an ABI breaker.
>> Attached as 0023*
>>     
>
> Security issue!
>
>   
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=482dd20be37f61b2f94e6b3f3de1c1b9b4f9e6f1
>> conntrack: prevent call nf_register_hooks() from VE context
>> Found by internal audit. Not an ABI breaker.
>> Attached as 0024*
>>     
>
> Security issue!
>
>   
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=5fff3eb60f78acaadcae8562de5d3e6504f4d4f9
>> conntrack: adjust context during freeing
>> Found by internal audit. Not an ABI breaker.
>> Attached as 0029*
>>     
>  
> Security issue!
>  
>   
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=3cb8bc3781889ade74c02840b2eb8ddafb6d39c5
>> netfilter: NAT: assign nf_nat_seq_adjust_hook from VE0 context only
>> Found by internal audit. Not an ABI breaker.
>> Attached as 0033*
>>     
>
> Security issue!
>  
>   
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=490910232ebe61f65e5e5c03b7286f11291b6092
>> netfilter: call nf_register_hooks from VE0 context only
>> Found by internal audit. Not an ABI breaker.
>> Attached as 0034*
>>     
>
> Security issue!
>
>   
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=1acba8533b788e95c52f827d06d9629d672c80fc
>> netfilter: Fix NULL dereference in nf_nat_setup_info.
>> OpenVZ Bug #1051 (http://bugzilla.openvz.org/1051). Might be an ABI breaker.
>> Attached as 0047*
>>     
>
> Security issue!
>
>   
>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=b405aed753ac48a46e66cccfd0a37006fd11feb8
>> netfilter: Add check to the nat hooks
>> OpenVZ Bug #1051 (http://bugzilla.openvz.org/1051). Might be an ABI breaker.
>> Attached as 0048*
>>     
>
> Is it this part that you are worried about for the ABI breakage?
>
>  	/* After packet filtering, change source */
>  	{
> -		.hook		= nf_nat_fn,
> +		.hook		= nf_nat_local_in,
>  		.owner		= THIS_MODULE,
>  		.pf		= PF_INET,
>  		.hooknum	= NF_INET_LOCAL_IN,
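Review bot: the quoted hunk only swaps the NF_INET_LOCAL_IN callback (`-		.hook		= nf_nat_fn,` / `+		.hook		= nf_nat_local_in,`) and does not include the body of nf_nat_local_in, so the check that the commit title "Add check to the nat hooks" promises cannot be verified from these lines; please quote the new function alongside the hook-table change. Since the title says "hooks" (plural) and only the LOCAL_IN entry changes here, it is also worth confirming whether the remaining nf_nat_fn entries in the same hook array need an equivalent guard for the nf_nat_setup_info NULL dereference from bug #1051. On the ABI question: these lines change which static function a module-private hook entry points at and touch no struct layout or exported symbol, which is consistent with the change not being an ABI breaker.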
>   

I'm not sure why I wrote that. It doesn't look like an ABI breaker.
