[kernel] r12379 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Tue Nov 11 02:07:48 UTC 2008


Author: dannf
Date: Tue Nov 11 02:07:45 2008
New Revision: 12379

Log:
* Fix oops in SCTP
   - bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
  See CVE-2008-4576

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/23etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue Nov 11 02:07:45 2008
@@ -18,8 +18,11 @@
      - bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
      - bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
     See CVE-2008-3528
+  * Fix oops in SCTP
+     - bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
+    See CVE-2008-4576
 
- -- dann frazier <dannf at debian.org>  Mon, 10 Nov 2008 14:31:39 -0700
+ -- dann frazier <dannf at debian.org>  Mon, 10 Nov 2008 16:42:11 -0700
 
 linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch	Tue Nov 11 02:07:45 2008
@@ -0,0 +1,64 @@
+commit add52379dde2e5300e2d574b172e62c6cf43b3d3
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Thu Sep 18 16:28:27 2008 -0700
+
+    sctp: Fix oops when INIT-ACK indicates that peer doesn't support AUTH
+    
+    If INIT-ACK is received with SupportedExtensions parameter which
+    indicates that the peer does not support AUTH, the packet will be
+    silently ignore, and sctp_process_init() do cleanup all of the
+    transports in the association.
+    When T1-Init timer is expires, OOPS happen while we try to choose
+    a different init transport.
+    
+    The solution is to only clean up the non-active transports, i.e
+    the ones that the peer added.  However, that introduces a problem
+    with sctp_connectx(), because we don't mark the proper state for
+    the transports provided by the user.  So, we'll simply mark
+    user-provided transports as ACTIVE.  That will allow INIT
+    retransmissions to work properly in the sctp_connectx() context
+    and prevent the crash.
+    
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/net/sctp/associola.c linux-source-2.6.18/net/sctp/associola.c
+--- linux-source-2.6.18.orig/net/sctp/associola.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/sctp/associola.c	2008-11-10 16:27:20.000000000 -0700
+@@ -546,11 +546,12 @@ struct sctp_transport *sctp_assoc_add_pe
+ 	/* Check to see if this is a duplicate. */
+ 	peer = sctp_assoc_lookup_paddr(asoc, addr);
+ 	if (peer) {
++		/* An UNKNOWN state is only set on transports added by
++		 * user in sctp_connectx() call.  Such transports should be
++		 * considered CONFIRMED per RFC 4960, Section 5.4.
++		 */
+ 		if (peer->state == SCTP_UNKNOWN) {
+-			if (peer_state == SCTP_ACTIVE)
+-				peer->state = SCTP_ACTIVE;
+-			if (peer_state == SCTP_UNCONFIRMED)
+-				peer->state = SCTP_UNCONFIRMED;
++			peer->state = SCTP_ACTIVE;
+ 		}
+ 		return peer;
+ 	}
+diff -urpN linux-source-2.6.18.orig/net/sctp/sm_make_chunk.c linux-source-2.6.18/net/sctp/sm_make_chunk.c
+--- linux-source-2.6.18.orig/net/sctp/sm_make_chunk.c	2008-10-13 09:28:32.000000000 -0600
++++ linux-source-2.6.18/net/sctp/sm_make_chunk.c	2008-11-10 16:27:20.000000000 -0700
+@@ -1964,12 +1964,10 @@ clean_up:
+ 	/* Release the transport structures. */
+ 	list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
+ 		transport = list_entry(pos, struct sctp_transport, transports);
+-		list_del_init(pos);
+-		sctp_transport_free(transport);
++		if (transport->state != SCTP_ACTIVE)
++			sctp_assoc_rm_peer(asoc, transport);
+ 	}
+ 
+-	asoc->peer.transport_count = 0;
+-
+ nomem:
+ 	return 0;
+ }
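Review bot: The cleanup loop in sctp_process_init() now deliberately retains every transport in SCTP_ACTIVE state, but nothing in the code explains why, so a later maintainer could "simplify" it back to freeing all transports and reintroduce the T1-Init oops this patch fixes. A short comment above the `list_for_each_safe` loop would pin the intent, e.g. `/* Only drop transports the peer added; user-supplied ones are marked ACTIVE in sctp_assoc_add_peer() and must survive so INIT retransmission still has a transport to choose. */`. The same applies to the duplicate-peer branch in sctp_assoc_add_peer(), where the `peer_state` argument is now ignored whenever the existing entry is UNKNOWN; the comment being added there should say that explicitly. Removing `asoc->peer.transport_count = 0;` appears to rely on sctp_assoc_rm_peer() in the 2.6.18 tree keeping the count consistent, which this backport should confirm since that function is not visible in the hunk. Both enclosing functions begin outside the hunk.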

Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1	Tue Nov 11 02:07:45 2008
@@ -4,3 +4,4 @@
 + bugfix/dont-allow-splice-to-files-opened-with-O_APPEND.patch
 + bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
 + bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
++ bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch


