[kernel] r12389 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Nov 17 06:24:29 UTC 2008
Author: dannf
Date: Mon Nov 17 06:24:28 2008
New Revision: 12389
Log:
Fix oops in SCTP (CVE-2008-4576)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog (original)
+++ dists/etch-security/linux-2.6.24/debian/changelog Mon Nov 17 06:24:28 2008
@@ -8,8 +8,9 @@
* Don't allow splicing to files opened with O_APPEND (CVE-2008-4554)
* Avoid printk floods when reading corrupted ext[2,3] directories
(CVE-2008-3528)
+ * Fix oops in SCTP (CVE-2008-4576)
- -- dann frazier <dannf at debian.org> Sun, 16 Nov 2008 23:17:57 -0700
+ -- dann frazier <dannf at debian.org> Sun, 16 Nov 2008 23:21:38 -0700
linux-2.6.24 (2.6.24-6~etchnhalf.6) stable-security; urgency=high
Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch Mon Nov 17 06:24:28 2008
@@ -0,0 +1,64 @@
+commit add52379dde2e5300e2d574b172e62c6cf43b3d3
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date: Thu Sep 18 16:28:27 2008 -0700
+
+ sctp: Fix oops when INIT-ACK indicates that peer doesn't support AUTH
+
+ If INIT-ACK is received with SupportedExtensions parameter which
+ indicates that the peer does not support AUTH, the packet will be
+ silently ignore, and sctp_process_init() do cleanup all of the
+ transports in the association.
+ When T1-Init timer is expires, OOPS happen while we try to choose
+ a different init transport.
+
+ The solution is to only clean up the non-active transports, i.e
+ the ones that the peer added. However, that introduces a problem
+ with sctp_connectx(), because we don't mark the proper state for
+ the transports provided by the user. So, we'll simply mark
+ user-provided transports as ACTIVE. That will allow INIT
+ retransmissions to work properly in the sctp_connectx() context
+ and prevent the crash.
+
+ Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/sctp/associola.c linux-source-2.6.24/net/sctp/associola.c
+--- linux-source-2.6.24.orig/net/sctp/associola.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/associola.c 2008-11-16 23:19:42.000000000 -0700
+@@ -589,11 +589,12 @@ struct sctp_transport *sctp_assoc_add_pe
+ /* Check to see if this is a duplicate. */
+ peer = sctp_assoc_lookup_paddr(asoc, addr);
+ if (peer) {
++ /* An UNKNOWN state is only set on transports added by
++ * user in sctp_connectx() call. Such transports should be
++ * considered CONFIRMED per RFC 4960, Section 5.4.
++ */
+ if (peer->state == SCTP_UNKNOWN) {
+- if (peer_state == SCTP_ACTIVE)
+- peer->state = SCTP_ACTIVE;
+- if (peer_state == SCTP_UNCONFIRMED)
+- peer->state = SCTP_UNCONFIRMED;
++ peer->state = SCTP_ACTIVE;
+ }
+ return peer;
+ }
+diff -urpN linux-source-2.6.24.orig/net/sctp/sm_make_chunk.c linux-source-2.6.24/net/sctp/sm_make_chunk.c
+--- linux-source-2.6.24.orig/net/sctp/sm_make_chunk.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/sm_make_chunk.c 2008-11-16 23:19:42.000000000 -0700
+@@ -2252,12 +2252,10 @@ clean_up:
+ /* Release the transport structures. */
+ list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
+ transport = list_entry(pos, struct sctp_transport, transports);
+- list_del_init(pos);
+- sctp_transport_free(transport);
++ if (transport->state != SCTP_ACTIVE)
++ sctp_assoc_rm_peer(asoc, transport);
+ }
+
+- asoc->peer.transport_count = 0;
+-
+ nomem:
+ return 0;
+ }
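Review bot: The clean_up loop in sm_make_chunk.c now skips ACTIVE transports and relies on sctp_assoc_rm_peer() to keep asoc->peer.transport_count consistent, where the removed `asoc->peer.transport_count = 0;` made that bookkeeping explicit; a short comment would make the invariant visible, e.g. `/* Keep user-supplied (ACTIVE) transports so T1-Init retransmission has a path; sctp_assoc_rm_peer() adjusts transport_count. */`. The loop also presumes sctp_assoc_rm_peer() re-points primary_path/active_path/retran_path when the transport they reference is freed, otherwise the association would hold dangling pointers until the next timer fires; that helper is not in this patch, so it is worth confirming in the 2.6.24 tree before shipping the backport. The associola.c hunk depends on SCTP_UNKNOWN being set only on connectx()-supplied transports, which the added comment asserts but nothing in this patch enforces. sctp_process_init's body starts outside the hunk.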
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7 (original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7 Mon Nov 17 06:24:28 2008
@@ -4,3 +4,4 @@
+ bugfix/all/dont-allow-splice-to-files-opened-with-O_APPEND.patch
+ bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
+ bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
++ bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch