[kernel] r12143 - in dists/sid/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Aug 27 05:39:01 UTC 2008
Author: dannf
Date: Wed Aug 27 05:39:00 2008
New Revision: 12143
Log:
* Fix overflow condition in sctp_setsockopt_auth_key (CVE-2008-3526)
* Fix panics that may occur if SCTP AUTH is disabled (CVE-2008-3792)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-key-length-check.patch
dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-panics.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/4
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog (original)
+++ dists/sid/linux-2.6/debian/changelog Wed Aug 27 05:39:00 2008
@@ -93,7 +93,11 @@
- sata_mv: add the Gen IIE flag to the SoC devices.
- sata_mv: don't avoid clearing interrupt status on SoC host adapters
- -- dann frazier <dannf at debian.org> Wed, 20 Aug 2008 16:58:30 -0600
+ [ dann frazier ]
+ * Fix overflow condition in sctp_setsockopt_auth_key (CVE-2008-3526)
+ * Fix panics that may occur if SCTP AUTH is disabled (CVE-2008-3792)
+
+ -- dann frazier <dannf at debian.org> Tue, 26 Aug 2008 18:19:29 -0600
linux-2.6 (2.6.26-3) unstable; urgency=low
Added: dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-key-length-check.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-key-length-check.patch Wed Aug 27 05:39:00 2008
@@ -0,0 +1,44 @@
+commit 30c2235cbc477d4629983d440cdc4f496fec9246
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date: Mon Aug 25 15:16:19 2008 -0700
+
+ sctp: add verification checks to SCTP_AUTH_KEY option
+
+ The structure used for SCTP_AUTH_KEY option contains a
+ length that needs to be verfied to prevent buffer overflow
+ conditions. Spoted by Eugene Teo <eteo at redhat.com>.
+
+ Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.26.orig/net/sctp/auth.c linux-source-2.6.26/net/sctp/auth.c
+--- linux-source-2.6.26.orig/net/sctp/auth.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sctp/auth.c 2008-08-26 17:34:22.000000000 -0600
+@@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth
+ {
+ struct sctp_auth_bytes *key;
+
++ /* Verify that we are not going to overflow INT_MAX */
++ if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))
++ return NULL;
++
+ /* Allocate the shared key */
+ key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp);
+ if (!key)
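Review bot: The new guard `(INT_MAX - key_len) < sizeof(struct sctp_auth_bytes)` subtracts before comparing, so if key_len is an unsigned 32-bit value (its declaration is cut off in the hunk header) a length above INT_MAX wraps to a large difference and passes the test. On a 32-bit build the following `sizeof(struct sctp_auth_bytes) + key_len` could then wrap to a small allocation size. Keeping the caller-controlled value alone on one side avoids the wrap: `if (key_len > INT_MAX - sizeof(struct sctp_auth_bytes)) return NULL;`. The function body continues past the end of the hunk.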
+diff -urpN linux-source-2.6.26.orig/net/sctp/socket.c linux-source-2.6.26/net/sctp/socket.c
+--- linux-source-2.6.26.orig/net/sctp/socket.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sctp/socket.c 2008-08-26 17:34:22.000000000 -0600
+@@ -3045,6 +3045,11 @@ static int sctp_setsockopt_auth_key(stru
+ goto out;
+ }
+
++ if (authkey->sca_keylength > optlen) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ asoc = sctp_id2assoc(sk, authkey->sca_assoc_id);
+ if (!asoc && authkey->sca_assoc_id && sctp_style(sk, UDP)) {
+ ret = -EINVAL;
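Review bot: The added check `authkey->sca_keylength > optlen` compares the key length with the size of the whole option buffer, but the key bytes start after the `struct sctp_authkey` header, so a length between `optlen - sizeof(struct sctp_authkey)` and `optlen` is still accepted. If the buffer behind authkey holds optlen bytes (the allocation and copy are above the hunk), code that later reads sca_keylength bytes of key could run up to a header's size past it. The bound should subtract the header: `if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) {`. The `optlen <= sizeof(struct sctp_authkey)` rejection visible in the second patch's hunk for this function keeps that subtraction from going negative.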
Added: dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-panics.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-panics.patch Wed Aug 27 05:39:00 2008
@@ -0,0 +1,246 @@
+commit 5e739d1752aca4e8f3e794d431503bfca3162df4
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date: Thu Aug 21 03:34:25 2008 -0700
+
+ sctp: fix potential panics in the SCTP-AUTH API.
+
+ All of the SCTP-AUTH socket options could cause a panic
+ if the extension is disabled and the API is envoked.
+
+ Additionally, there were some additional assumptions that
+ certain pointers would always be valid which may not
+ always be the case.
+
+ This patch hardens the API and address all of the crash
+ scenarios.
+
+ Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.26.orig/net/sctp/endpointola.c linux-source-2.6.26/net/sctp/endpointola.c
+--- linux-source-2.6.26.orig/net/sctp/endpointola.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sctp/endpointola.c 2008-08-26 18:15:18.000000000 -0600
+@@ -103,6 +103,7 @@ static struct sctp_endpoint *sctp_endpoi
+
+ /* Initialize the CHUNKS parameter */
+ auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;
++ auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t));
+
+ /* If the Add-IP functionality is enabled, we must
+ * authenticate, ASCONF and ASCONF-ACK chunks
+@@ -110,8 +111,7 @@ static struct sctp_endpoint *sctp_endpoi
+ if (sctp_addip_enable) {
+ auth_chunks->chunks[0] = SCTP_CID_ASCONF;
+ auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
+- auth_chunks->param_hdr.length =
+- htons(sizeof(sctp_paramhdr_t) + 2);
++ auth_chunks->param_hdr.length += htons(2);
+ }
+ }
+
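Review bot: `auth_chunks->param_hdr.length += htons(2);` does arithmetic on a value that is already in network byte order. It gives the right result here only because adding 2 to the header size does not carry between bytes; on a little-endian host any carry would corrupt the length field. Computing in host order and converting once is more robust and easier to read: keep the unconditional initialisation added in the previous hunk and write `auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t) + 2);` inside the `sctp_addip_enable` branch.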
+diff -urpN linux-source-2.6.26.orig/net/sctp/socket.c linux-source-2.6.26/net/sctp/socket.c
+--- linux-source-2.6.26.orig/net/sctp/socket.c 2008-08-26 17:34:22.000000000 -0600
++++ linux-source-2.6.26/net/sctp/socket.c 2008-08-26 18:15:18.000000000 -0600
+@@ -2965,6 +2965,9 @@ static int sctp_setsockopt_auth_chunk(st
+ {
+ struct sctp_authchunk val;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen != sizeof(struct sctp_authchunk))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, optlen))
+@@ -2995,6 +2998,9 @@ static int sctp_setsockopt_hmac_ident(st
+ struct sctp_hmacalgo *hmacs;
+ int err;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen < sizeof(struct sctp_hmacalgo))
+ return -EINVAL;
+
+@@ -3033,6 +3039,9 @@ static int sctp_setsockopt_auth_key(stru
+ struct sctp_association *asoc;
+ int ret;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen <= sizeof(struct sctp_authkey))
+ return -EINVAL;
+
+@@ -3075,6 +3084,9 @@ static int sctp_setsockopt_active_key(st
+ struct sctp_authkeyid val;
+ struct sctp_association *asoc;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen != sizeof(struct sctp_authkeyid))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, optlen))
+@@ -3100,6 +3112,9 @@ static int sctp_setsockopt_del_key(struc
+ struct sctp_authkeyid val;
+ struct sctp_association *asoc;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (optlen != sizeof(struct sctp_authkeyid))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, optlen))
+@@ -5058,19 +5073,29 @@ static int sctp_getsockopt_maxburst(stru
+ static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
+ char __user *optval, int __user *optlen)
+ {
++ struct sctp_hmacalgo __user *p = (void __user *)optval;
+ struct sctp_hmac_algo_param *hmacs;
+- __u16 param_len;
++ __u16 data_len = 0;
++ u32 num_idents;
++
++ if (!sctp_auth_enable)
++ return -EACCES;
+
+ hmacs = sctp_sk(sk)->ep->auth_hmacs_list;
+- param_len = ntohs(hmacs->param_hdr.length);
++ data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t);
+
+- if (len < param_len)
++ if (len < sizeof(struct sctp_hmacalgo) + data_len)
+ return -EINVAL;
++
++ len = sizeof(struct sctp_hmacalgo) + data_len;
++ num_idents = data_len / sizeof(u16);
++
+ if (put_user(len, optlen))
+ return -EFAULT;
+- if (copy_to_user(optval, hmacs->hmac_ids, len))
++ if (put_user(num_idents, &p->shmac_num_idents))
++ return -EFAULT;
++ if (copy_to_user(p->shmac_idents, hmacs->hmac_ids, data_len))
+ return -EFAULT;
+-
+ return 0;
+ }
+
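Review bot: `hmacs` is dereferenced in `ntohs(hmacs->param_hdr.length)` without a NULL test, while the two auth-chunk getters in this same patch gain `if (!ch) goto num;` for their list pointer. The new `sctp_auth_enable` guard reads the setting at call time; whether `ep->auth_hmacs_list` is always populated for an endpoint when the flag is set depends on endpoint initialisation outside the hunk, so this should be confirmed. If it can be NULL, bail out before the length computation, for example `if (!hmacs) return -EACCES;`. Note also that `data_len` is a `__u16`, so a stored length smaller than `sizeof(sctp_paramhdr_t)` would wrap to a large value rather than fail.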
+@@ -5080,6 +5105,9 @@ static int sctp_getsockopt_active_key(st
+ struct sctp_authkeyid val;
+ struct sctp_association *asoc;
+
++ if (!sctp_auth_enable)
++ return -EACCES;
++
+ if (len < sizeof(struct sctp_authkeyid))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
+@@ -5094,6 +5122,12 @@ static int sctp_getsockopt_active_key(st
+ else
+ val.scact_keynumber = sctp_sk(sk)->ep->active_key_id;
+
++ len = sizeof(struct sctp_authkeyid);
++ if (put_user(len, optlen))
++ return -EFAULT;
++ if (copy_to_user(optval, &val, len))
++ return -EFAULT;
++
+ return 0;
+ }
+
+@@ -5104,13 +5138,16 @@ static int sctp_getsockopt_peer_auth_chu
+ struct sctp_authchunks val;
+ struct sctp_association *asoc;
+ struct sctp_chunks_param *ch;
+- u32 num_chunks;
++ u32 num_chunks = 0;
+ char __user *to;
+
+- if (len <= sizeof(struct sctp_authchunks))
++ if (!sctp_auth_enable)
++ return -EACCES;
++
++ if (len < sizeof(struct sctp_authchunks))
+ return -EINVAL;
+
+- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
++ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+ return -EFAULT;
+
+ to = p->gauth_chunks;
+@@ -5119,20 +5156,21 @@ static int sctp_getsockopt_peer_auth_chu
+ return -EINVAL;
+
+ ch = asoc->peer.peer_chunks;
++ if (!ch)
++ goto num;
+
+ /* See if the user provided enough room for all the data */
+ num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+ if (len < num_chunks)
+ return -EINVAL;
+
+- len = num_chunks;
+- if (put_user(len, optlen))
++ if (copy_to_user(to, ch->chunks, num_chunks))
+ return -EFAULT;
++num:
++ len = sizeof(struct sctp_authchunks) + num_chunks;
++ if (put_user(len, optlen)) return -EFAULT;
+ if (put_user(num_chunks, &p->gauth_number_of_chunks))
+ return -EFAULT;
+- if (copy_to_user(to, ch->chunks, len))
+- return -EFAULT;
+-
+ return 0;
+ }
+
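Review bot: The size test `if (len < num_chunks)` is left unchanged in this hunk, although the matching test in sctp_getsockopt_local_auth_chunks is corrected by this patch to include the header. The chunk list is written at `p->gauth_chunks`, after the `struct sctp_authchunks` header, so a caller-supplied len between num_chunks and `sizeof(struct sctp_authchunks) + num_chunks` leads to a copy beyond the length the caller declared. Use the same bound as the local variant: `if (len < sizeof(struct sctp_authchunks) + num_chunks)`. As a minor style point, `if (put_user(len, optlen)) return -EFAULT;` should be split over two lines like the surrounding checks.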
+@@ -5143,13 +5181,16 @@ static int sctp_getsockopt_local_auth_ch
+ struct sctp_authchunks val;
+ struct sctp_association *asoc;
+ struct sctp_chunks_param *ch;
+- u32 num_chunks;
++ u32 num_chunks = 0;
+ char __user *to;
+
+- if (len <= sizeof(struct sctp_authchunks))
++ if (!sctp_auth_enable)
++ return -EACCES;
++
++ if (len < sizeof(struct sctp_authchunks))
+ return -EINVAL;
+
+- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
++ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+ return -EFAULT;
+
+ to = p->gauth_chunks;
+@@ -5162,17 +5203,21 @@ static int sctp_getsockopt_local_auth_ch
+ else
+ ch = sctp_sk(sk)->ep->auth_chunk_list;
+
++ if (!ch)
++ goto num;
++
+ num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+- if (len < num_chunks)
++ if (len < sizeof(struct sctp_authchunks) + num_chunks)
+ return -EINVAL;
+
+- len = num_chunks;
++ if (copy_to_user(to, ch->chunks, num_chunks))
++ return -EFAULT;
++num:
++ len = sizeof(struct sctp_authchunks) + num_chunks;
+ if (put_user(len, optlen))
+ return -EFAULT;
+ if (put_user(num_chunks, &p->gauth_number_of_chunks))
+ return -EFAULT;
+- if (copy_to_user(to, ch->chunks, len))
+- return -EFAULT;
+
+ return 0;
+ }
Modified: dists/sid/linux-2.6/debian/patches/series/4
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/4 (original)
+++ dists/sid/linux-2.6/debian/patches/series/4 Wed Aug 27 05:39:00 2008
@@ -7,3 +7,5 @@
- bugfix/all/mtd-prevent-physmap-from-causing-request_module-runaway-loop-modprobe-net-pf-1.patch
+ bugfix/all/sata_mv-add_gen_iie_flag.patch
+ bugfix/all/sata_mv-clear_irq.patch
++ bugfix/sctp-auth-key-length-check.patch
++ bugfix/sctp-auth-panics.patch