[kernel] r7781 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Mon Nov 13 01:59:05 UTC 2006


Author: dannf
Date: Mon Nov 13 02:59:05 2006
New Revision: 7781

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ip6_flowlabel-lockup.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
Log:
* ip6_flowlabel-lockup.dpatch
  [SECURITY] Fix local DoS attack vector (lockups, oopses) in the
  sequence handling for /proc/net/ip6_flowlabel
  See CVE-2006-5619

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Mon Nov 13 02:59:05 2006
@@ -16,8 +16,12 @@
     [SECURITY] Avoid dereferencing an already freed skb, preventing a
     potential remote DoS (system crash) vector
     See CVE-2006-4997
+  * ip6_flowlabel-lockup.dpatch
+    [SECURITY] Fix local DoS attack vector (lockups, oopses) in the
+    sequence handling for /proc/net/ip6_flowlabel
+    See CVE-2006-5619
 
- -- dann frazier <dannf at debian.org>  Sun, 12 Nov 2006 18:42:48 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 12 Nov 2006 18:57:02 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge5) stable-security; urgency=high
 
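Review bot: The added changelog entry calls this a local DoS but does not say who can trigger it, while the upstream description carried in ip6_flowlabel-lockup.dpatch says an unprivileged user can. Consider saying so in the entry, so that the severity is clear from the changelog alone.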

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ip6_flowlabel-lockup.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ip6_flowlabel-lockup.dpatch	Mon Nov 13 02:59:05 2006
@@ -0,0 +1,34 @@
+From: James Morris <jmorris at namei.org>
+Date: Mon, 30 Oct 2006 23:08:42 +0000 (-0800)
+Subject: [IPV6]: fix lockup via /proc/net/ip6_flowlabel
+X-Git-Tag: v2.6.19-rc4
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=bcd620757d3a4ae78ef0ca41adb5d9e400ed92b6
+
+[IPV6]: fix lockup via /proc/net/ip6_flowlabel
+
+There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
+after finding a flowlabel, the code will loop forever not finding any
+further flowlabels, first traversing the rest of the hash bucket then just
+looping.
+
+This patch fixes the problem by breaking after the hash bucket has been
+traversed.
+
+Note that this bug can cause lockups and oopses, and is trivially invoked
+by an unpriveleged user.
+
+Signed-off-by: James Morris <jmorris at namei.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -587,6 +587,8 @@ static struct ip6_flowlabel *ip6fl_get_n
+ 	while (!fl) {
+ 		if (++state->bucket <= FL_HASH_MASK)
+ 			fl = fl_ht[state->bucket];
++		else
++			break;
+ 	}
+ 	return fl;
+ }
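Review bot: The embedded net/ipv6/ip6_flowlabel.c hunk keeps the upstream offset (@@ -587,6 +587,8 @@) and X-Git-Tag v2.6.19-rc4, but this dpatch targets kernel-source-2.6.8. Please confirm that it applies to the 2.6.8 file without fuzz and that the function named in the hunk header has the same `while (!fl)` loop there. On the logic, the added `else break;` is the only exit once state->bucket passes FL_HASH_MASK, so the function returns NULL with the bucket index left one past the table. A one-line comment saying that NULL here ends the walk would help, or the bound could be folded into the loop condition as `while (!fl && ++state->bucket <= FL_HASH_MASK)`.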

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6	Mon Nov 13 02:59:05 2006
@@ -2,3 +2,4 @@
 + ia64-sparc-cross-region-mappings.dpatch
 + __block_prepare_write-recovery.dpatch
 + atm-clip-freed-skb-deref.dpatch
++ ip6_flowlabel-lockup.dpatch


