[kernel] r8531 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Tue May 1 01:48:32 UTC 2007


Author: dannf
Date: Tue May  1 01:48:31 2007
New Revision: 8531

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/netlink-infinite-recursion.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/12etch2
Log:
* bugfix/netlink-infinite-recursion.patch
  [SECURITY] Fix infinite recursion bug in netlink
  See CVE-2007-1861

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue May  1 01:48:31 2007
@@ -8,8 +8,11 @@
     [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
     which allows remote attackers to bypass certain rulesets
     See CVE-2007-1497
+  * bugfix/netlink-infinite-recursion.patch
+    [SECURITY] Fix infinite recursion bug in netlink
+    See CVE-2007-1861
 
- -- dann frazier <dannf at debian.org>  Mon, 30 Apr 2007 17:30:17 -0600
+ -- dann frazier <dannf at debian.org>  Mon, 30 Apr 2007 19:45:38 -0600
 
 linux-2.6 (2.6.18.dfsg.1-12etch1) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/netlink-infinite-recursion.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/netlink-infinite-recursion.patch	Tue May  1 01:48:31 2007
@@ -0,0 +1,66 @@
+From: Alexey Kuznetsov <kuznet at ms2.inr.ac.ru>
+Date: Wed, 25 Apr 2007 20:59:03 +0000 (+0000)
+Subject: [PATCH] NETLINK: Infinite recursion in netlink.
+X-Git-Tag: v2.6.20.8~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=9bc1779885f4ce1a4257c5640c70b75d2ae124ad
+
+[PATCH] NETLINK: Infinite recursion in netlink.
+
+[NETLINK]: Infinite recursion in netlink.
+
+Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
+which resulted in infinite recursion and stack overflow.
+
+The bug is present in all kernel versions since the feature appeared.
+
+The patch also makes some minimal cleanup:
+
+1. Return something consistent (-ENOENT) when fib table is missing
+2. Do not crash when queue is empty (does not happen, but yet)
+3. Put result of lookup
+
+Signed-off-by: Alexey Kuznetsov <kuznet at ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index d47b72a..fa2cb8c 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -772,6 +772,8 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb )
+ 				       .nl_u = { .ip4_u = { .daddr = frn->fl_addr,
+ 							    .tos = frn->fl_tos,
+ 							    .scope = frn->fl_scope } } };
++
++	frn->err = -ENOENT;
+ 	if (tb) {
+ 		local_bh_disable();
+ 
+@@ -783,6 +785,7 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb )
+ 			frn->nh_sel = res.nh_sel;
+ 			frn->type = res.type;
+ 			frn->scope = res.scope;
++			fib_res_put(&res);
+ 		}
+ 		local_bh_enable();
+ 	}
+@@ -797,6 +800,9 @@ static void nl_fib_input(struct sock *sk, int len)
+ 	struct fib_table *tb;
+ 	
+ 	skb = skb_dequeue(&sk->sk_receive_queue);
++	if (skb == NULL)
++		return;
++
+ 	nlh = (struct nlmsghdr *)skb->data;
+ 	if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len ||
+ 	    nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) {
+@@ -809,7 +815,7 @@ static void nl_fib_input(struct sock *sk, int len)
+ 
+ 	nl_fib_lookup(frn, tb);
+ 	
+-	pid = nlh->nlmsg_pid;           /*pid of sending process */
++	pid = NETLINK_CB(skb).pid;       /* pid of sending process */
+ 	NETLINK_CB(skb).pid = 0;         /* from kernel */
+ 	NETLINK_CB(skb).dst_group = 0;  /* unicast */
+ 	netlink_unicast(sk, skb, pid, MSG_DONTWAIT);
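Review bot: The `fib_res_put(&res)` added in the second nl_fib_lookup hunk is only safe if every pointer member of `res` is in a known state once the lookup has succeeded, and nothing visible here guarantees that. The declaration of `res` and the lookup call sit outside the hunks shown, so this is inferred: if `res` is an uninitialised stack struct and the table's lookup fills in only some members, the put would follow stack garbage, possibly only under some kernel configurations. Clearing it before the lookup, e.g. `memset(&res, 0, sizeof(res));`, makes the new put safe whichever fields the lookup sets. In nl_fib_input, the `pid = NETLINK_CB(skb).pid;` line would also benefit from a comment such as `/* use the kernel-recorded sender pid; nlmsg_pid in the header is supplied by the sender */`, so the reason for the change survives later cleanups.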

Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch2	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch2	Tue May  1 01:48:31 2007
@@ -1,2 +1,3 @@
 + bugfix/nfnetlink_log-null-deref.patch
 + bugfix/nf_conntrack-set-nfctinfo.patch
++ bugfix/netlink-infinite-recursion.patch


