[kernel] r12143 - in dists/sid/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Wed Aug 27 05:39:01 UTC 2008 

Author: dannf
Date: Wed Aug 27 05:39:00 2008
New Revision: 12143

Log:
* Fix overflow condition in sctp_setsockopt_auth_key (CVE-2008-3526)
* Fix panics that may occur if SCTP AUTH is disabled (CVE-2008-3792)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-key-length-check.patch
   dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-panics.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/4

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Wed Aug 27 05:39:00 2008
@@ -93,7 +93,11 @@
     - sata_mv: add the Gen IIE flag to the SoC devices.
     - sata_mv: don't avoid clearing interrupt status on SoC host adapters
 
- -- dann frazier <dannf at debian.org>  Wed, 20 Aug 2008 16:58:30 -0600
+  [ dann frazier ]
+  * Fix overflow condition in sctp_setsockopt_auth_key (CVE-2008-3526)
+  * Fix panics that may occur if SCTP AUTH is disabled (CVE-2008-3792)
+
+ -- dann frazier <dannf at debian.org>  Tue, 26 Aug 2008 18:19:29 -0600
 
 linux-2.6 (2.6.26-3) unstable; urgency=low
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-key-length-check.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-key-length-check.patch	Wed Aug 27 05:39:00 2008
@@ -0,0 +1,44 @@
+commit 30c2235cbc477d4629983d440cdc4f496fec9246
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Mon Aug 25 15:16:19 2008 -0700
+
+    sctp: add verification checks to SCTP_AUTH_KEY option
+    
+    The structure used for SCTP_AUTH_KEY option contains a
+    length that needs to be verfied to prevent buffer overflow
+    conditions.  Spoted by Eugene Teo <eteo at redhat.com>.
+    
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.26.orig/net/sctp/auth.c linux-source-2.6.26/net/sctp/auth.c
+--- linux-source-2.6.26.orig/net/sctp/auth.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sctp/auth.c	2008-08-26 17:34:22.000000000 -0600
+@@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth
+ {
+ 	struct sctp_auth_bytes *key;
+ 
++	/* Verify that we are not going to overflow INT_MAX */
++	if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))
++		return NULL;
++
+ 	/* Allocate the shared key */
+ 	key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp);
+ 	if (!key)
+diff -urpN linux-source-2.6.26.orig/net/sctp/socket.c linux-source-2.6.26/net/sctp/socket.c
+--- linux-source-2.6.26.orig/net/sctp/socket.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sctp/socket.c	2008-08-26 17:34:22.000000000 -0600
+@@ -3045,6 +3045,11 @@ static int sctp_setsockopt_auth_key(stru
+ 		goto out;
+ 	}
+ 
++	if (authkey->sca_keylength > optlen) {
++		ret = -EINVAL;
++		goto out;
++	}
++
+ 	asoc = sctp_id2assoc(sk, authkey->sca_assoc_id);
+ 	if (!asoc && authkey->sca_assoc_id && sctp_style(sk, UDP)) {
+ 		ret = -EINVAL;

Added: dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-panics.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/sctp-auth-panics.patch	Wed Aug 27 05:39:00 2008
@@ -0,0 +1,246 @@
+commit 5e739d1752aca4e8f3e794d431503bfca3162df4
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Thu Aug 21 03:34:25 2008 -0700
+
+    sctp: fix potential panics in the SCTP-AUTH API.
+    
+    All of the SCTP-AUTH socket options could cause a panic
+    if the extension is disabled and the API is envoked.
+    
+    Additionally, there were some additional assumptions that
+    certain pointers would always be valid which may not
+    always be the case.
+    
+    This patch hardens the API and address all of the crash
+    scenarios.
+    
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.26.orig/net/sctp/endpointola.c linux-source-2.6.26/net/sctp/endpointola.c
+--- linux-source-2.6.26.orig/net/sctp/endpointola.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sctp/endpointola.c	2008-08-26 18:15:18.000000000 -0600
+@@ -103,6 +103,7 @@ static struct sctp_endpoint *sctp_endpoi
+ 
+ 		/* Initialize the CHUNKS parameter */
+ 		auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;
++		auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t));
+ 
+ 		/* If the Add-IP functionality is enabled, we must
+ 		 * authenticate, ASCONF and ASCONF-ACK chunks
+@@ -110,8 +111,7 @@ static struct sctp_endpoint *sctp_endpoi
+ 		if (sctp_addip_enable) {
+ 			auth_chunks->chunks[0] = SCTP_CID_ASCONF;
+ 			auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
+-			auth_chunks->param_hdr.length =
+-					htons(sizeof(sctp_paramhdr_t) + 2);
++			auth_chunks->param_hdr.length += htons(2);
+ 		}
+ 	}
+ 
+diff -urpN linux-source-2.6.26.orig/net/sctp/socket.c linux-source-2.6.26/net/sctp/socket.c
+--- linux-source-2.6.26.orig/net/sctp/socket.c	2008-08-26 17:34:22.000000000 -0600
++++ linux-source-2.6.26/net/sctp/socket.c	2008-08-26 18:15:18.000000000 -0600
+@@ -2965,6 +2965,9 @@ static int sctp_setsockopt_auth_chunk(st
+ {
+ 	struct sctp_authchunk val;
+ 
++	if (!sctp_auth_enable)
++		return -EACCES;
++
+ 	if (optlen != sizeof(struct sctp_authchunk))
+ 		return -EINVAL;
+ 	if (copy_from_user(&val, optval, optlen))
+@@ -2995,6 +2998,9 @@ static int sctp_setsockopt_hmac_ident(st
+ 	struct sctp_hmacalgo *hmacs;
+ 	int err;
+ 
++	if (!sctp_auth_enable)
++		return -EACCES;
++
+ 	if (optlen < sizeof(struct sctp_hmacalgo))
+ 		return -EINVAL;
+ 
+@@ -3033,6 +3039,9 @@ static int sctp_setsockopt_auth_key(stru
+ 	struct sctp_association *asoc;
+ 	int ret;
+ 
++	if (!sctp_auth_enable)
++		return -EACCES;
++
+ 	if (optlen <= sizeof(struct sctp_authkey))
+ 		return -EINVAL;
+ 
+@@ -3075,6 +3084,9 @@ static int sctp_setsockopt_active_key(st
+ 	struct sctp_authkeyid val;
+ 	struct sctp_association *asoc;
+ 
++	if (!sctp_auth_enable)
++		return -EACCES;
++
+ 	if (optlen != sizeof(struct sctp_authkeyid))
+ 		return -EINVAL;
+ 	if (copy_from_user(&val, optval, optlen))
+@@ -3100,6 +3112,9 @@ static int sctp_setsockopt_del_key(struc
+ 	struct sctp_authkeyid val;
+ 	struct sctp_association *asoc;
+ 
++	if (!sctp_auth_enable)
++		return -EACCES;
++
+ 	if (optlen != sizeof(struct sctp_authkeyid))
+ 		return -EINVAL;
+ 	if (copy_from_user(&val, optval, optlen))
+@@ -5058,19 +5073,29 @@ static int sctp_getsockopt_maxburst(stru
+ static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
+ 				    char __user *optval, int __user *optlen)
+ {
++	struct sctp_hmacalgo  __user *p = (void __user *)optval;
+ 	struct sctp_hmac_algo_param *hmacs;
+-	__u16 param_len;
++	__u16 data_len = 0;
++	u32 num_idents;
++
++	if (!sctp_auth_enable)
++		return -EACCES;
+ 
+ 	hmacs = sctp_sk(sk)->ep->auth_hmacs_list;
+-	param_len = ntohs(hmacs->param_hdr.length);
++	data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t);
+ 
+-	if (len < param_len)
++	if (len < sizeof(struct sctp_hmacalgo) + data_len)
+ 		return -EINVAL;
++
++	len = sizeof(struct sctp_hmacalgo) + data_len;
++	num_idents = data_len / sizeof(u16);
++
+ 	if (put_user(len, optlen))
+ 		return -EFAULT;
+-	if (copy_to_user(optval, hmacs->hmac_ids, len))
++	if (put_user(num_idents, &p->shmac_num_idents))
++		return -EFAULT;
++	if (copy_to_user(p->shmac_idents, hmacs->hmac_ids, data_len))
+ 		return -EFAULT;
+-
+ 	return 0;
+ }
+ 
+@@ -5080,6 +5105,9 @@ static int sctp_getsockopt_active_key(st
+ 	struct sctp_authkeyid val;
+ 	struct sctp_association *asoc;
+ 
++	if (!sctp_auth_enable)
++		return -EACCES;
++
+ 	if (len < sizeof(struct sctp_authkeyid))
+ 		return -EINVAL;
+ 	if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
+@@ -5094,6 +5122,12 @@ static int sctp_getsockopt_active_key(st
+ 	else
+ 		val.scact_keynumber = sctp_sk(sk)->ep->active_key_id;
+ 
++	len = sizeof(struct sctp_authkeyid);
++	if (put_user(len, optlen))
++		return -EFAULT;
++	if (copy_to_user(optval, &val, len))
++		return -EFAULT;
++
+ 	return 0;
+ }
+ 
+@@ -5104,13 +5138,16 @@ static int sctp_getsockopt_peer_auth_chu
+ 	struct sctp_authchunks val;
+ 	struct sctp_association *asoc;
+ 	struct sctp_chunks_param *ch;
+-	u32    num_chunks;
++	u32    num_chunks = 0;
+ 	char __user *to;
+ 
+-	if (len <= sizeof(struct sctp_authchunks))
++	if (!sctp_auth_enable)
++		return -EACCES;
++
++	if (len < sizeof(struct sctp_authchunks))
+ 		return -EINVAL;
+ 
+-	if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
++	if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+ 		return -EFAULT;
+ 
+ 	to = p->gauth_chunks;
+@@ -5119,20 +5156,21 @@ static int sctp_getsockopt_peer_auth_chu
+ 		return -EINVAL;
+ 
+ 	ch = asoc->peer.peer_chunks;
++	if (!ch)
++		goto num;
+ 
+ 	/* See if the user provided enough room for all the data */
+ 	num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+ 	if (len < num_chunks)
+ 		return -EINVAL;
+ 
+-	len = num_chunks;
+-	if (put_user(len, optlen))
++	if (copy_to_user(to, ch->chunks, num_chunks))
+ 		return -EFAULT;
++num:
++	len = sizeof(struct sctp_authchunks) + num_chunks;
++	if (put_user(len, optlen)) return -EFAULT;
+ 	if (put_user(num_chunks, &p->gauth_number_of_chunks))
+ 		return -EFAULT;
+-	if (copy_to_user(to, ch->chunks, len))
+-		return -EFAULT;
+-
+ 	return 0;
+ }
+ 
+@@ -5143,13 +5181,16 @@ static int sctp_getsockopt_local_auth_ch
+ 	struct sctp_authchunks val;
+ 	struct sctp_association *asoc;
+ 	struct sctp_chunks_param *ch;
+-	u32    num_chunks;
++	u32    num_chunks = 0;
+ 	char __user *to;
+ 
+-	if (len <= sizeof(struct sctp_authchunks))
++	if (!sctp_auth_enable)
++		return -EACCES;
++
++	if (len < sizeof(struct sctp_authchunks))
+ 		return -EINVAL;
+ 
+-	if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
++	if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+ 		return -EFAULT;
+ 
+ 	to = p->gauth_chunks;
+@@ -5162,17 +5203,21 @@ static int sctp_getsockopt_local_auth_ch
+ 	else
+ 		ch = sctp_sk(sk)->ep->auth_chunk_list;
+ 
++	if (!ch)
++		goto num;
++
+ 	num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+-	if (len < num_chunks)
++	if (len < sizeof(struct sctp_authchunks) + num_chunks)
+ 		return -EINVAL;
+ 
+-	len = num_chunks;
++	if (copy_to_user(to, ch->chunks, num_chunks))
++		return -EFAULT;
++num:
++	len = sizeof(struct sctp_authchunks) + num_chunks;
+ 	if (put_user(len, optlen))
+ 		return -EFAULT;
+ 	if (put_user(num_chunks, &p->gauth_number_of_chunks))
+ 		return -EFAULT;
+-	if (copy_to_user(to, ch->chunks, len))
+-		return -EFAULT;
+ 
+ 	return 0;
+ }

Modified: dists/sid/linux-2.6/debian/patches/series/4
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/4	(original)
+++ dists/sid/linux-2.6/debian/patches/series/4	Wed Aug 27 05:39:00 2008
@@ -7,3 +7,5 @@
 - bugfix/all/mtd-prevent-physmap-from-causing-request_module-runaway-loop-modprobe-net-pf-1.patch
 + bugfix/all/sata_mv-add_gen_iie_flag.patch
 + bugfix/all/sata_mv-clear_irq.patch
++ bugfix/sctp-auth-key-length-check.patch
++ bugfix/sctp-auth-panics.patch

More information about the Kernel-svn-changes mailing list