[kernel] r7247 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sun Aug 27 05:41:36 UTC 2006


Author: dannf
Date: Sun Aug 27 05:41:34 2006
New Revision: 7247

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-priv-elevation.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5

Log:
* sctp-priv-elevation.dpatch
  [SECURITY] Fix SCTP privilege escalation
  See CVE-2006-3745

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sun Aug 27 05:41:34 2006
@@ -52,8 +52,11 @@
   * kfree_skb-race.dpatch
     [SECURITY] Fix race between kfree_skb and __skb_unlink
     See CVE-2006-2446
+  * sctp-priv-elevation.dpatch
+    [SECURITY] Fix SCTP privelege escalation
+    See CVE-2006-3745
 
- -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 22:24:24 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 23:38:34 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-priv-elevation.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-priv-elevation.dpatch	Sun Aug 27 05:41:34 2006
@@ -0,0 +1,177 @@
+From: Sridhar Samudrala <sri at us.ibm.com>
+Date: Tue, 22 Aug 2006 18:50:39 +0000 (-0700)
+Subject: Fix sctp privilege elevation (CVE-2006-3745)
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commitdiff;h=96ec9da385cf72c5f775e5f163420ea92e66ded2
+
+Fix sctp privilege elevation (CVE-2006-3745)
+
+sctp_make_abort_user() now takes the msg_len along with the msg
+so that we don't have to recalculate the bytes in iovec.
+It also uses memcpy_fromiovec() so that we don't go beyond the
+length allocated.
+
+It is good to have this fix even if verify_iovec() is fixed to
+return error on overflow.
+
+Signed-off-by: Sridhar Samudrala <sri at us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urN kernel-source-2.6.8.orig/include/net/sctp/sctp.h kernel-source-2.6.8/include/net/sctp/sctp.h
+--- kernel-source-2.6.8.orig/include/net/sctp/sctp.h	2006-07-15 02:22:42.000000000 -0600
++++ kernel-source-2.6.8/include/net/sctp/sctp.h	2006-08-26 23:19:32.790804750 -0600
+@@ -394,19 +394,6 @@
+ 	return ((head->next != head) && (head->next == head->prev));
+ }
+ 
+-/* Calculate the size (in bytes) occupied by the data of an iovec.  */
+-static inline size_t get_user_iov_size(struct iovec *iov, int iovlen)
+-{
+-	size_t retval = 0;
+-
+-	for (; iovlen > 0; --iovlen) {
+-		retval += iov->iov_len;
+-		iov++;
+-	}
+-
+-	return retval;
+-}
+-
+ /* Generate a random jitter in the range of -50% ~ +50% of input RTO. */
+ static inline __s32 sctp_jitter(__u32 rto)
+ {
+diff -urN kernel-source-2.6.8.orig/include/net/sctp/sm.h kernel-source-2.6.8/include/net/sctp/sm.h
+--- kernel-source-2.6.8.orig/include/net/sctp/sm.h	2004-08-13 23:36:57.000000000 -0600
++++ kernel-source-2.6.8/include/net/sctp/sm.h	2006-08-26 23:24:15.732487500 -0600
+@@ -230,8 +230,7 @@
+ 				      const struct sctp_chunk *,
+ 				      __u32 tsn);
+ struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *,
+-				   const struct sctp_chunk *,
+-				   const struct msghdr *);
++					const struct msghdr *, size_t msg_len);
+ struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *,
+ 				  const struct sctp_transport *,
+ 				  const void *payload,
+diff -urN kernel-source-2.6.8.orig/net/sctp/sm_make_chunk.c kernel-source-2.6.8/net/sctp/sm_make_chunk.c
+--- kernel-source-2.6.8.orig/net/sctp/sm_make_chunk.c	2004-08-13 23:36:17.000000000 -0600
++++ kernel-source-2.6.8/net/sctp/sm_make_chunk.c	2006-08-26 23:19:32.798805250 -0600
+@@ -817,38 +817,26 @@
+ 
+ /* Helper to create ABORT with a SCTP_ERROR_USER_ABORT error.  */
+ struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *asoc,
+-				   const struct sctp_chunk *chunk,
+-				   const struct msghdr *msg)
++					const struct msghdr *msg,
++					size_t paylen)
+ {
+ 	struct sctp_chunk *retval;
+-	void *payload = NULL, *payoff;
+-	size_t paylen = 0;
+-	struct iovec *iov = NULL;
+-	int iovlen = 0;
+-
+-	if (msg) {
+-		iov = msg->msg_iov;
+-		iovlen = msg->msg_iovlen;
+-		paylen = get_user_iov_size(iov, iovlen);
+-	}
++	void *payload = NULL;
++	int err;
+ 
+-	retval = sctp_make_abort(asoc, chunk, sizeof(sctp_errhdr_t) + paylen);
++	retval = sctp_make_abort(asoc, NULL, sizeof(sctp_errhdr_t) + paylen);
+ 	if (!retval)
+ 		goto err_chunk;
+ 
+ 	if (paylen) {
+ 		/* Put the msg_iov together into payload.  */
+-		payload = kmalloc(paylen, GFP_ATOMIC);
++		payload = kmalloc(paylen, GFP_KERNEL);
+ 		if (!payload)
+ 			goto err_payload;
+-		payoff = payload;
+ 
+-		for (; iovlen > 0; --iovlen) {
+-			if (copy_from_user(payoff, iov->iov_base,iov->iov_len))
+-				goto err_copy;
+-			payoff += iov->iov_len;
+-			iov++;
+-		}
++		err = memcpy_fromiovec(payload, msg->msg_iov, paylen);
++		if (err < 0)
++			goto err_copy;
+ 	}
+ 
+ 	sctp_init_cause(retval, SCTP_ERROR_USER_ABORT, payload, paylen);
+diff -urN kernel-source-2.6.8.orig/net/sctp/sm_statefuns.c kernel-source-2.6.8/net/sctp/sm_statefuns.c
+--- kernel-source-2.6.8.orig/net/sctp/sm_statefuns.c	2006-07-15 02:22:42.000000000 -0600
++++ kernel-source-2.6.8/net/sctp/sm_statefuns.c	2006-08-26 23:19:32.806805750 -0600
+@@ -3569,18 +3569,12 @@
+ 	 * from its upper layer, but retransmits data to the far end
+ 	 * if necessary to fill gaps.
+ 	 */
+-	struct msghdr *msg = arg;
+-	struct sctp_chunk *abort;
++	struct sctp_chunk *abort = arg;
+ 	sctp_disposition_t retval;
+ 
+ 	retval = SCTP_DISPOSITION_CONSUME;
+ 
+-	/* Generate ABORT chunk to send the peer.  */
+-	abort = sctp_make_abort_user(asoc, NULL, msg);
+-	if (!abort)
+-		retval = SCTP_DISPOSITION_NOMEM;
+-	else
+-		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
++	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+ 
+ 	/* Even if we can't send the ABORT due to low memory delete the
+ 	 * TCB.  This is a departure from our typical NOMEM handling.
+@@ -3702,8 +3696,7 @@
+ 	void *arg,
+ 	sctp_cmd_seq_t *commands)
+ {
+-	struct msghdr *msg = arg;
+-	struct sctp_chunk *abort;
++	struct sctp_chunk *abort = arg;
+ 	sctp_disposition_t retval;
+ 
+ 	/* Stop T1-init timer */
+@@ -3711,12 +3704,7 @@
+ 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
+ 	retval = SCTP_DISPOSITION_CONSUME;
+ 
+-	/* Generate ABORT chunk to send the peer */
+-	abort = sctp_make_abort_user(asoc, NULL, msg);
+-	if (!abort)
+-		retval = SCTP_DISPOSITION_NOMEM;
+-	else
+-		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
++	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+ 
+ 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ 			SCTP_STATE(SCTP_STATE_CLOSED));
+diff -urN kernel-source-2.6.8.orig/net/sctp/socket.c kernel-source-2.6.8/net/sctp/socket.c
+--- kernel-source-2.6.8.orig/net/sctp/socket.c	2006-07-15 02:22:40.000000000 -0600
++++ kernel-source-2.6.8/net/sctp/socket.c	2006-08-26 23:23:07.272209000 -0600
+@@ -1210,8 +1210,16 @@
+ 			goto out_unlock;
+ 		}
+ 		if (sinfo_flags & MSG_ABORT) {
++			struct sctp_chunk *chunk;
++
++			chunk = sctp_make_abort_user(asoc, msg, msg_len);
++			if (!chunk) {
++				err = -ENOMEM;
++				goto out_unlock;
++			}
++
+ 			SCTP_DEBUG_PRINTK("Aborting association: %p\n", asoc);
+-			sctp_primitive_ABORT(asoc, msg);
++			sctp_primitive_ABORT(asoc, chunk);
+ 			err = 0;
+ 			goto out_unlock;
+ 		}
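Review bot: The comment kept at sm_statefuns.c @@ -3569 ("Even if we can't send the ABORT due to low memory delete the TCB. This is a departure from our typical NOMEM handling.") is now stale: the ABORT chunk arrives pre-built in `arg`, the NOMEM branch is removed, and `retval` is always SCTP_DISPOSITION_CONSUME, so it should read something like `/* The ABORT chunk was built by the caller; queue it for sending and delete the TCB. */`. In sm_make_chunk.c, sctp_make_abort_user dropped the `if (msg)` guard and now dereferences `msg->msg_iov` whenever paylen is non-zero; that holds for both callers in this patch, but the new precondition deserves a line in the header comment, e.g. `/* msg must be non-NULL when paylen > 0; paylen is the iovec byte count the caller already computed. */`. In socket.c the result of `sctp_primitive_ABORT(asoc, chunk)` is still discarded, and if the state machine does not consume the primitive in the current association state the freshly allocated chunk appears to have no owner — worth confirming against the state table before relying on it. Every function touched by this patch starts and ends outside the hunk.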

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	Sun Aug 27 05:41:34 2006
@@ -11,3 +11,4 @@
 + readv-writev-missing-lsm-check-compat.dpatch
 + snmp-nat-mem-corruption-fix.dpatch
 + kfree_skb-race.dpatch
++ sctp-priv-elevation.dpatch


