[kernel] r7246 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sun Aug 27 04:34:52 UTC 2006 

Author: dannf
Date: Sun Aug 27 04:34:49 2006
New Revision: 7246

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kfree_skb-race.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5

Log:
* kfree_skb-race.dpatch
  [SECURITY] Fix race between kfree_skb and __skb_unlink
  See CVE-2006-2446

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sun Aug 27 04:34:49 2006
@@ -49,8 +49,11 @@
   * snmp-nat-mem-corruption-fix.dpatch
     [SECURITY] Fix memory corruption in snmp_trap_decode
     See CVE-2006-2444
+  * kfree_skb-race.dpatch
+    [SECURITY] Fix race between kfree_skb and __skb_unlink
+    See CVE-2006-2446
 
- -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 21:52:14 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 22:24:24 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kfree_skb-race.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/kfree_skb-race.dpatch	Sun Aug 27 04:34:49 2006
@@ -0,0 +1,23 @@
+--- linux-2.6.9/include/linux/skbuff.h.orig	2006-05-22 17:25:40.446058000 -0400
++++ linux-2.6.9/include/linux/skbuff.h	2006-05-22 17:29:19.525759000 -0400
+@@ -351,15 +351,11 @@ static inline struct sk_buff *skb_get(st
+  */
+ static inline void kfree_skb(struct sk_buff *skb)
+ {
+-	if (atomic_read(&skb->users) == 1 || atomic_dec_and_test(&skb->users))
+-		__kfree_skb(skb);
+-}
+-
+-/* Use this if you didn't touch the skb state [for fast switching] */
+-static inline void kfree_skb_fast(struct sk_buff *skb)
+-{
+-	if (atomic_read(&skb->users) == 1 || atomic_dec_and_test(&skb->users))
+-		kfree_skbmem(skb);
++	if (likely(atomic_read(&skb->users) == 1))
++		smp_rmb();
++	else if (likely(!atomic_dec_and_test(&skb->users)))
++		return;
++	__kfree_skb(skb);
+ }
+ 
+ /**

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	Sun Aug 27 04:34:49 2006
@@ -10,3 +10,4 @@
 + readv-writev-missing-lsm-check.dpatch
 + readv-writev-missing-lsm-check-compat.dpatch
 + snmp-nat-mem-corruption-fix.dpatch
++ kfree_skb-race.dpatch

More information about the Kernel-svn-changes mailing list