[kernel] r6623 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series
Dann Frazier
dannf at costa.debian.org
Sat May 20 05:23:47 UTC 2006
Author: dannf
Date: Sat May 20 05:23:42 2006
New Revision: 6623
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-fragment-recurse.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
Log:
* sctp-fragment-recurse.dpatch
[SECURITY] Fix remote DoS vulnerability that can lead to infinite recursion
when a packet containing two or more DATA fragments is received
See CVE-2006-2274
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat May 20 05:23:42 2006
@@ -59,8 +59,12 @@
[SECURITY] Fix local DoS vulnerability that allows local users to panic
a system by requesting a route for a multicast IP
See CVE-2006-1525
+ * sctp-fragment-recurse.dpatch
+ [SECURITY] Fix remote DoS vulnerability that can lead to infinite recursion
+ when a packet containing two or more DATA fragments is received
+ See CVE-2006-2274
- -- dann frazier <dannf at debian.org> Fri, 19 May 2006 19:46:10 -0500
+ -- dann frazier <dannf at debian.org> Sat, 20 May 2006 00:22:09 -0500
kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-fragment-recurse.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-fragment-recurse.dpatch Sat May 20 05:23:42 2006
@@ -0,0 +1,78 @@
+Fix for CVE-2006-2274, patch from upstream 2.6 git tree, applies to sarge 2.4.27
+and 2.6.8.
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree 25958c671804a3829d822fc3ccc3eff534b1aaa0 (from 2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c)
+Author: Vladislav Yasevich <vladsilav.yasevich at hp.com>
+Date: Fri May 5 17:03:49 2006 -0700
+
+ [PATCH] SCTP: Prevent possible infinite recursion with multiple bundled DATA. (CVE-2006-2274)
+
+ There is a rare situation that causes lksctp to go into infinite recursion
+ and crash the system. The trigger is a packet that contains at least the
+ first two DATA fragments of a message bundled together. The recursion is
+ triggered when the user data buffer is smaller that the full data message.
+ The problem is that we clone the skb for every fragment in the message.
+ When reassembling the full message, we try to link skbs from the "first
+ fragment" clone using the frag_list. However, since the frag_list is shared
+ between two clones in this rare situation, we end up setting the frag_list
+ pointer of the second fragment to point to itself. This causes
+ sctp_skb_pull() to potentially recurse indefinitely.
+
+ Proposed solution is to make a copy of the skb when attempting to link
+ things using frag_list.
+
+ Signed-off-by: Vladislav Yasevich <vladsilav.yasevich at hp.com>
+ Signed-off-by: Sridhar Samudrala <sri at us.ibm.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+
+
+diff -urpN kernel-source-2.6.8.orig/net/sctp/ulpqueue.c 2.6/net/sctp/ulpqueue.c
+--- kernel-source-2.6.8.orig/net/sctp/ulpqueue.c 2004-08-13 23:38:04.000000000 -0600
++++ 2.6/net/sctp/ulpqueue.c 2006-05-19 22:33:58.000000000 -0600
+@@ -248,6 +248,7 @@ static inline void sctp_ulpq_store_reasm
+ struct sctp_ulpevent *event)
+ {
+ struct sk_buff *pos;
++ struct sk_buff *new = NULL;
+ struct sctp_ulpevent *cevent;
+ __u32 tsn, ctsn;
+
+@@ -310,11 +311,33 @@ static struct sctp_ulpevent *sctp_make_r
+ */
+ if (last)
+ last->next = pos;
+- else
+- skb_shinfo(f_frag)->frag_list = pos;
++ else {
++ if (skb_cloned(f_frag)) {
++ /* This is a cloned skb, we can't just modify
++ * the frag_list. We need a new skb to do that.
++ * Instead of calling skb_unshare(), we'll do it
++ * ourselves since we need to delay the free.
++ */
++ new = skb_copy(f_frag, GFP_ATOMIC);
++ if (!new)
++ return NULL; /* try again later */
++
++ new->sk = f_frag->sk;
++
++ skb_shinfo(new)->frag_list = pos;
++ } else
++ skb_shinfo(f_frag)->frag_list = pos;
++ }
+
+ /* Remove the first fragment from the reassembly queue. */
+ __skb_unlink(f_frag, f_frag->list);
++
++ /* if we did unshare, then free the old skb and re-assign */
++ if (new) {
++ kfree_skb(f_frag);
++ f_frag = new;
++ }
++
+ while (pos) {
+
+ pnext = pos->next;
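Review bot: in the skb_cloned() branch of the second hunk, `new->sk = f_frag->sk;` carries over only the socket pointer; skb_copy() does not carry over the original skb's destructor or any receive-buffer accounting tied to it, so once the old f_frag is released with `kfree_skb(f_frag);` further down, the copy that takes its place may no longer be charged to the socket the way the original was. It is worth confirming that the caller re-establishes that ownership or that the accounting difference is acceptable, and saying so in the comment above `new = skb_copy(f_frag, GFP_ATOMIC);`. The GFP_ATOMIC failure path itself looks clean: `return NULL; /* try again later */` is reached only when `last` is still NULL, i.e. before any fragment has been chained and before `__skb_unlink(f_frag, f_frag->list);` runs, so the reassembly queue is left untouched for a retry.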
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 Sat May 20 05:23:42 2006
@@ -14,3 +14,4 @@
+ group_complete_signal-BUG_ON.dpatch
+ madvise_remove-restrict.dpatch
+ mcast-ip-route-null-deref.dpatch
++ sctp-fragment-recurse.dpatch