[kernel] r11858 - in dists/etch/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Sat Jul 19 20:59:22 UTC 2008


Author: dannf
Date: Sat Jul 19 20:59:21 2008
New Revision: 11858

Log:
Fix potential memory corruption in pppol2tp_recvmsg
(CVE-2008-2750)

Added:
   dists/etch/linux-2.6.24/debian/patches/bugfix/l2tp-pppol2tp_recvmsg-corruption.patch
Modified:
   dists/etch/linux-2.6.24/debian/changelog
   dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4

Modified: dists/etch/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch/linux-2.6.24/debian/changelog	(original)
+++ dists/etch/linux-2.6.24/debian/changelog	Sat Jul 19 20:59:21 2008
@@ -14,8 +14,10 @@
   * Avoid tripping BUG() in IPsec code when the first fragment
     of an ESP packet does not contain the entire ESP header and IV
     (CVE-2007-6282)
+  * Fix potential memory corruption in pppol2tp_recvmsg
+    (CVE-2008-2750)
 
- -- dann frazier <dannf at debian.org>  Fri, 18 Jul 2008 16:52:15 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 19 Jul 2008 14:07:20 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.3) stable; urgency=low
 

Added: dists/etch/linux-2.6.24/debian/patches/bugfix/l2tp-pppol2tp_recvmsg-corruption.patch
==============================================================================
--- (empty file)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/l2tp-pppol2tp_recvmsg-corruption.patch	Sat Jul 19 20:59:21 2008
@@ -0,0 +1,51 @@
+commit 6b6707a50c7598a83820077393f8823ab791abf8
+Author: James Chapman <jchapman at katalix.com>
+Date:   Tue Jun 10 12:35:00 2008 -0700
+
+    l2tp: Fix potential memory corruption in pppol2tp_recvmsg()
+    
+    This patch fixes a potential memory corruption in
+    pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
+    length, memcpy_toiovec() will go into unintialized data on the kernel
+    heap, interpret it as an iovec and start modifying memory.
+    
+    The fix is to change the memcpy_toiovec() call to
+    skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
+    are handled properly. Also check that the caller's buffer is big
+    enough for the data and set the MSG_TRUNC flag if it is not so.
+    
+    Reported-by: Ilja <ilja at netric.org>
+    Signed-off-by: James Chapman <jchapman at katalix.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
+index 70cfdb4..f929882 100644
+--- a/drivers/net/pppol2tp.c
++++ b/drivers/net/pppol2tp.c
+@@ -783,14 +783,18 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	err = 0;
+ 	skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ 				flags & MSG_DONTWAIT, &err);
+-	if (skb) {
+-		err = memcpy_toiovec(msg->msg_iov, (unsigned char *) skb->data,
+-				     skb->len);
+-		if (err < 0)
+-			goto do_skb_free;
+-		err = skb->len;
+-	}
+-do_skb_free:
++	if (!skb)
++		goto end;
++
++	if (len > skb->len)
++		len = skb->len;
++	else if (len < skb->len)
++		msg->msg_flags |= MSG_TRUNC;
++
++	err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, len);
++	if (likely(err == 0))
++		err = len;
++
+ 	kfree_skb(skb);
+ end:
+ 	return err;
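Review bot: the hunk clamps len to skb->len and sets MSG_TRUNC on the way out, but it does not look at MSG_TRUNC in the caller's flags, so a caller that passes MSG_TRUNC to learn the real datagram length still gets the clamped len back rather than skb->len; consider `if (flags & MSG_TRUNC) err = skb->len;` after the copy succeeds. A short comment above the clamp would also help: memcpy_toiovec took no iovec count, so in the removed branch a skb->len larger than the caller's total buffer length walked msg_iov past its end, and it is the clamp to len that now bounds that walk, with skb_copy_datagram_iovec additionally covering paged skbs. The error handling is consistent: skb_copy_datagram_iovec returns 0 or a negative errno, so `likely(err == 0)` followed by kfree_skb() and `return err` matches what the old `err < 0` path did.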

Modified: dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4
==============================================================================
--- dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4	(original)
+++ dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4	Sat Jul 19 20:59:21 2008
@@ -1,3 +1,4 @@
 + bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch
 + bugfix/reinstate-zero_page-optimization-in-get_user_pages-and-fix-xip.patch
 + bugfix/esp-iv-in-linear-part-of-skb.patch
++ bugfix/l2tp-pppol2tp_recvmsg-corruption.patch
