[kernel] r11856 - in dists/etch/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Sat Jul 19 19:29:11 UTC 2008


Author: dannf
Date: Sat Jul 19 19:29:09 2008
New Revision: 11856

Log:
Avoid tripping BUG() in IPsec code when the first fragment
of an ESP packet does not contain the entire ESP header and IV
(CVE-2007-6282)

Added:
   dists/etch/linux-2.6.24/debian/patches/bugfix/esp-iv-in-linear-part-of-skb.patch
Modified:
   dists/etch/linux-2.6.24/debian/changelog
   dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4

Modified: dists/etch/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch/linux-2.6.24/debian/changelog	(original)
+++ dists/etch/linux-2.6.24/debian/changelog	Sat Jul 19 19:29:09 2008
@@ -10,7 +10,12 @@
   * Re-enable the smbfs module, which is still needed with the etch
     userspace.  Closes: #490293.
 
- -- dann frazier <dannf at debian.org>  Tue, 01 Jul 2008 02:15:43 -0600
+  [ dann frazier ]
+  * Avoid tripping BUG() in IPsec code when the first fragment
+    of an ESP packet does not contain the entire ESP header and IV
+    (CVE-2007-6282)
+
+ -- dann frazier <dannf at debian.org>  Fri, 18 Jul 2008 16:52:15 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.3) stable; urgency=low
 

Added: dists/etch/linux-2.6.24/debian/patches/bugfix/esp-iv-in-linear-part-of-skb.patch
==============================================================================
--- (empty file)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/esp-iv-in-linear-part-of-skb.patch	Sat Jul 19 19:29:09 2008
@@ -0,0 +1,44 @@
+commit 920fc941a9617f95ccb283037fe6f8a38d95bb69
+Author: Thomas Graf <tgraf at suug.ch>
+Date:   Thu Mar 27 16:08:03 2008 -0700
+
+    [ESP]: Ensure IV is in linear part of the skb to avoid BUG() due to OOB access
+    
+    ESP does not account for the IV size when calling pskb_may_pull() to
+    ensure everything it accesses directly is within the linear part of a
+    potential fragment. This results in a BUG() being triggered when the
+    both the IPv4 and IPv6 ESP stack is fed with an skb where the first
+    fragment ends between the end of the esp header and the end of the IV.
+    
+    This bug was found by Dirk Nehring <dnehring at gmx.net> .
+    
+    Signed-off-by: Thomas Graf <tgraf at suug.ch>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/ipv4/esp4.c linux-source-2.6.24/net/ipv4/esp4.c
+--- linux-source-2.6.24.orig/net/ipv4/esp4.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/ipv4/esp4.c	2008-07-18 16:51:16.000000000 -0600
+@@ -165,7 +165,7 @@ static int esp_input(struct xfrm_state *
+ 	int padlen;
+ 	int err;
+ 
+-	if (!pskb_may_pull(skb, sizeof(*esph)))
++	if (!pskb_may_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead)))
+ 		goto out;
+ 
+ 	if (elen <= 0 || (elen & (blksize-1)))
+diff -urpN linux-source-2.6.24.orig/net/ipv6/esp6.c linux-source-2.6.24/net/ipv6/esp6.c
+--- linux-source-2.6.24.orig/net/ipv6/esp6.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/ipv6/esp6.c	2008-07-18 16:51:16.000000000 -0600
+@@ -155,7 +155,7 @@ static int esp6_input(struct xfrm_state 
+ 	int nfrags;
+ 	int ret = 0;
+ 
+-	if (!pskb_may_pull(skb, sizeof(*esph))) {
++	if (!pskb_may_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead))) {
+ 		ret = -EINVAL;
+ 		goto out;
+ 	}
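Review bot: the replacement lines in both the esp4.c and esp6.c parts call crypto_aead_ivsize(aead), but none of the visible context lines in esp_input() or esp6_input() show an `aead` variable, and the surrounding code still works in terms of `blksize` and `elen & (blksize-1)`. Since the header says the upstream commit was "Adjusted to apply to Debian's 2.6.24", please confirm that `aead` is actually in scope in this tree's versions of both functions and that both files compile with the patch applied; if this tree tracks the IV length some other way, the pskb_may_pull() length should use that value instead. It would also help to record in the "Adjusted to apply" line what was changed relative to the upstream commit, so the backport can be audited against 920fc941a9617f95ccb283037fe6f8a38d95bb69.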

Modified: dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4
==============================================================================
--- dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4	(original)
+++ dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4	Sat Jul 19 19:29:09 2008
@@ -1,2 +1,3 @@
 + bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch
 + bugfix/reinstate-zero_page-optimization-in-get_user_pages-and-fix-xip.patch
++ bugfix/esp-iv-in-linear-part-of-skb.patch


