[kernel] r6623 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sat May 20 05:23:47 UTC 2006 

Author: dannf
Date: Sat May 20 05:23:42 2006
New Revision: 6623

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-fragment-recurse.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3

Log:
* sctp-fragment-recurse.dpatch
  [SECURITY] Fix remote DoS vulnerability that can lead to infinite recursion
  when a packet containing two or more DATA fragments is received
  See CVE-2006-2274

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sat May 20 05:23:42 2006
@@ -59,8 +59,12 @@
     [SECURITY] Fix local DoS vulnerability that allows local users to panic
     a system by requesting a route for a multicast IP
     See CVE-2006-1525
+  * sctp-fragment-recurse.dpatch
+    [SECURITY] Fix remote DoS vulnerability that can lead to infinite recursion
+    when a packet containing two or more DATA fragments is received
+    See CVE-2006-2274
 
- -- dann frazier <dannf at debian.org>  Fri, 19 May 2006 19:46:10 -0500
+ -- dann frazier <dannf at debian.org>  Sat, 20 May 2006 00:22:09 -0500
 
 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-fragment-recurse.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-fragment-recurse.dpatch	Sat May 20 05:23:42 2006
@@ -0,0 +1,78 @@
+Fix for CVE-2006-2274, patch from upstream 2.6 git tree, applies to sarge 2.4.27
+and 2.6.8. 
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree 25958c671804a3829d822fc3ccc3eff534b1aaa0 (from 2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c)
+Author: Vladislav Yasevich <vladsilav.yasevich at hp.com>
+Date:   Fri May 5 17:03:49 2006 -0700
+
+    [PATCH] SCTP: Prevent possible infinite recursion with multiple bundled DATA. (CVE-2006-2274)
+    
+    There is a rare situation that causes lksctp to go into infinite recursion
+    and crash the system.  The trigger is a packet that contains at least the
+    first two DATA fragments of a message bundled together. The recursion is
+    triggered when the user data buffer is smaller that the full data message.
+    The problem is that we clone the skb for every fragment in the message.
+    When reassembling the full message, we try to link skbs from the "first
+    fragment" clone using the frag_list. However, since the frag_list is shared
+    between two clones in this rare situation, we end up setting the frag_list
+    pointer of the second fragment to point to itself.  This causes
+    sctp_skb_pull() to potentially recurse indefinitely.
+    
+    Proposed solution is to make a copy of the skb when attempting to link
+    things using frag_list.
+    
+    Signed-off-by: Vladislav Yasevich <vladsilav.yasevich at hp.com>
+    Signed-off-by: Sridhar Samudrala <sri at us.ibm.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+
+
+diff -urpN kernel-source-2.6.8.orig/net/sctp/ulpqueue.c 2.6/net/sctp/ulpqueue.c
+--- kernel-source-2.6.8.orig/net/sctp/ulpqueue.c	2004-08-13 23:38:04.000000000 -0600
++++ 2.6/net/sctp/ulpqueue.c	2006-05-19 22:33:58.000000000 -0600
+@@ -248,6 +248,7 @@ static inline void sctp_ulpq_store_reasm
+ 					 struct sctp_ulpevent *event)
+ {
+ 	struct sk_buff *pos;
++	struct sk_buff *new = NULL;
+ 	struct sctp_ulpevent *cevent;
+ 	__u32 tsn, ctsn;
+ 
+@@ -310,11 +311,33 @@ static struct sctp_ulpevent *sctp_make_r
+ 	 */
+ 	if (last)
+ 		last->next = pos;
+-	else
+-		skb_shinfo(f_frag)->frag_list = pos;
++	else {
++		if (skb_cloned(f_frag)) {
++			/* This is a cloned skb, we can't just modify
++			 * the frag_list.  We need a new skb to do that.
++			 * Instead of calling skb_unshare(), we'll do it
++			 * ourselves since we need to delay the free.
++			 */
++			new = skb_copy(f_frag, GFP_ATOMIC);
++			if (!new)
++				return NULL;	/* try again later */
++
++			new->sk = f_frag->sk;
++
++			skb_shinfo(new)->frag_list = pos;
++		} else
++			skb_shinfo(f_frag)->frag_list = pos;
++	}
+ 
+ 	/* Remove the first fragment from the reassembly queue.  */
+ 	__skb_unlink(f_frag, f_frag->list);
++
++	/* if we did unshare, then free the old skb and re-assign */
++	if (new) {
++		kfree_skb(f_frag);
++		f_frag = new;
++	}
++
+ 	while (pos) {
+ 
+ 		pnext = pos->next;

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	Sat May 20 05:23:42 2006
@@ -14,3 +14,4 @@
 + group_complete_signal-BUG_ON.dpatch
 + madvise_remove-restrict.dpatch
 + mcast-ip-route-null-deref.dpatch
++ sctp-fragment-recurse.dpatch

More information about the Kernel-svn-changes mailing list