[kernel] r7245 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

[Dann Frazier]

Author: dannf
Date: Sun Aug 27 04:34:03 2006
New Revision: 7245

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/227_kfree_skb.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4

Log:
* 227_kfree_skb.diff
  [SECURITY] Fix race between kfree_skb and __skb_unlink
  See CVE-2006-2446

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Sun Aug 27 04:34:03 2006
@@ -22,8 +22,11 @@
   * 226_snmp-nat-mem-corruption-fix.diff
     [SECURITY] Fix memory corruption in snmp_trap_decode
     See CVE-2006-2444
+  * 227_kfree_skb.diff
+    [SECURITY] Fix race between kfree_skb and __skb_unlink
+    See CVE-2006-2446
 
- -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 22:01:32 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 22:32:38 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge3) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/227_kfree_skb.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/227_kfree_skb.diff	Sun Aug 27 04:34:03 2006
@@ -0,0 +1,24 @@
+diff -urN kernel-source-2.4.27.orig/include/linux/skbuff.h kernel-source-2.4.27/include/linux/skbuff.h
+--- kernel-source-2.4.27.orig/include/linux/skbuff.h	2006-05-29 10:05:31.000000000 -0600
++++ kernel-source-2.4.27/include/linux/skbuff.h	2006-08-26 22:28:52.636807000 -0600
+@@ -294,15 +294,11 @@
+  
+ static inline void kfree_skb(struct sk_buff *skb)
+ {
+-	if (atomic_read(&skb->users) == 1 || atomic_dec_and_test(&skb->users))
+-		__kfree_skb(skb);
+-}
+-
+-/* Use this if you didn't touch the skb state [for fast switching] */
+-static inline void kfree_skb_fast(struct sk_buff *skb)
+-{
+-	if (atomic_read(&skb->users) == 1 || atomic_dec_and_test(&skb->users))
+-		kfree_skbmem(skb);	
++	if (likely(atomic_read(&skb->users) == 1))
++		smp_rmb();
++	else if (likely(!atomic_dec_and_test(&skb->users)))
++		return;
++	__kfree_skb(skb);
+ }
+ 
+ /**

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4	Sun Aug 27 04:34:03 2006
@@ -2,3 +2,4 @@
 + 224_cdrom-bad-cgc.buflen-assign.diff
 + 225_sg-no-mmap-VM_IO.diff
 + 226_snmp-nat-mem-corruption-fix.diff
++ 227_kfree_skb.diff