[kernel] r8413 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Sat Mar 31 22:58:00 UTC 2007

Author: dannf
Date: Sat Mar 31 22:58:00 2007
New Revision: 8413

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv6_fl_socklist-no-share.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* ipv6_fl_socklist-no-share.dpatch
  [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
  ipv6_fl_socklist between the listening socket and the socket created
  for connection.
  See CVE-2007-1592

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================

--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sat Mar 31 22:58:00 2007
@@ -52,8 +52,13 @@
     if no root inode is found. On an SELinux-enabled system, this can
     be used to trigger a local DoS. Debian does not enable SELinux by
     default.
+  * ipv6_fl_socklist-no-share.dpatch
+    [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
+    ipv6_fl_socklist between the listening socket and the socket created
+    for connection.
+    See CVE-2007-1592
 
- -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 16:26:49 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 16:55:45 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv6_fl_socklist-no-share.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv6_fl_socklist-no-share.dpatch	Sat Mar 31 22:58:00 2007
@@ -0,0 +1,32 @@
+From: Masayuki Nakagawa <nakagawa.msy at ncos.nec.co.jp>
+Date: Fri, 16 Mar 2007 23:14:03 +0000 (-0700)
+Subject: [IPV6]: ipv6_fl_socklist is inadvertently shared.
+X-Git-Tag: v2.6.21-rc5~72^2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d35690beda1429544d46c8eb34b2e3a8c37ab299
+
+[IPV6]: ipv6_fl_socklist is inadvertently shared.
+
+The ipv6_fl_socklist from listening socket is inadvertently shared
+with new socket created for connection.  This leads to a variety of
+interesting, but fatal, bugs. For example, removing one of the
+sockets may lead to the other socket's encountering a page fault
+when the now freed list is referenced.
+
+The fix is to not share the flow label list with the new socket.
+
+Signed-off-by: Masayuki Nakagawa <nakagawa.msy at ncos.nec.co.jp>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index f57a9ba..92f9992 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1453,6 +1453,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
+ 	   First: no IPv4 options.
+ 	 */
+ 	newinet->opt = NULL;
++	newnp->ipv6_fl_list = NULL;
+ 
+ 	/* Clone RX bits */
+ 	newnp->rxopt.all = np->rxopt.all;

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	Sat Mar 31 22:58:00 2007
@@ -10,3 +10,4 @@
 + unmap_hugepage_area-check-null-pte.dpatch
 + ext3-fsfuzz.dpatch
 + hfs-no-root-inode.dpatch
++ ipv6_fl_socklist-no-share.dpatch

