[kernel] r12389 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Mon Nov 17 06:24:29 UTC 2008


Author: dannf
Date: Mon Nov 17 06:24:28 2008
New Revision: 12389

Log:
Fix oops in SCTP (CVE-2008-4576)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Nov 17 06:24:28 2008
@@ -8,8 +8,9 @@
   * Don't allow splicing to files opened with O_APPEND (CVE-2008-4554)
   * Avoid printk floods when reading corrupted ext[2,3] directories
     (CVE-2008-3528)
+  * Fix oops in SCTP (CVE-2008-4576)
 
- -- dann frazier <dannf at debian.org>  Sun, 16 Nov 2008 23:17:57 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 16 Nov 2008 23:21:38 -0700
 
 linux-2.6.24 (2.6.24-6~etchnhalf.6) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch	Mon Nov 17 06:24:28 2008
@@ -0,0 +1,64 @@
+commit add52379dde2e5300e2d574b172e62c6cf43b3d3
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Thu Sep 18 16:28:27 2008 -0700
+
+    sctp: Fix oops when INIT-ACK indicates that peer doesn't support AUTH
+    
+    If INIT-ACK is received with SupportedExtensions parameter which
+    indicates that the peer does not support AUTH, the packet will be
+    silently ignore, and sctp_process_init() do cleanup all of the
+    transports in the association.
+    When T1-Init timer is expires, OOPS happen while we try to choose
+    a different init transport.
+    
+    The solution is to only clean up the non-active transports, i.e
+    the ones that the peer added.  However, that introduces a problem
+    with sctp_connectx(), because we don't mark the proper state for
+    the transports provided by the user.  So, we'll simply mark
+    user-provided transports as ACTIVE.  That will allow INIT
+    retransmissions to work properly in the sctp_connectx() context
+    and prevent the crash.
+    
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/sctp/associola.c linux-source-2.6.24/net/sctp/associola.c
+--- linux-source-2.6.24.orig/net/sctp/associola.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/associola.c	2008-11-16 23:19:42.000000000 -0700
+@@ -589,11 +589,12 @@ struct sctp_transport *sctp_assoc_add_pe
+ 	/* Check to see if this is a duplicate. */
+ 	peer = sctp_assoc_lookup_paddr(asoc, addr);
+ 	if (peer) {
++		/* An UNKNOWN state is only set on transports added by
++		 * user in sctp_connectx() call.  Such transports should be
++		 * considered CONFIRMED per RFC 4960, Section 5.4.
++		 */
+ 		if (peer->state == SCTP_UNKNOWN) {
+-			if (peer_state == SCTP_ACTIVE)
+-				peer->state = SCTP_ACTIVE;
+-			if (peer_state == SCTP_UNCONFIRMED)
+-				peer->state = SCTP_UNCONFIRMED;
++			peer->state = SCTP_ACTIVE;
+ 		}
+ 		return peer;
+ 	}
+diff -urpN linux-source-2.6.24.orig/net/sctp/sm_make_chunk.c linux-source-2.6.24/net/sctp/sm_make_chunk.c
+--- linux-source-2.6.24.orig/net/sctp/sm_make_chunk.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/sm_make_chunk.c	2008-11-16 23:19:42.000000000 -0700
+@@ -2252,12 +2252,10 @@ clean_up:
+ 	/* Release the transport structures. */
+ 	list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
+ 		transport = list_entry(pos, struct sctp_transport, transports);
+-		list_del_init(pos);
+-		sctp_transport_free(transport);
++		if (transport->state != SCTP_ACTIVE)
++			sctp_assoc_rm_peer(asoc, transport);
+ 	}
+ 
+-	asoc->peer.transport_count = 0;
+-
+ nomem:
+ 	return 0;
+ }
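Review bot: The rewritten clean_up loop in sctp_process_init() now keeps every transport in SCTP_ACTIVE state and hands the rest to sctp_assoc_rm_peer(), which is outside this hunk; as far as I can tell that helper re-points retran_path/primary_path/active_path and decrements transport_count after its list_del(), so it must never be asked to remove the last entry on transport_addr_list. The fix therefore depends on the INIT-ACK's source address having been added as SCTP_ACTIVE earlier in sctp_process_init() (not shown here) so that at least one transport survives for the T1-Init retransmission, and that invariant is neither checked nor stated anywhere near the loop. I would put `/* Keep ACTIVE transports (INIT-ACK source, user-supplied addrs): removing all of them leaves T1-Init retransmission with nothing to choose and oopses. */` above the list_for_each_safe, or defensively skip the removal when it would empty the list. In the sctp_assoc_add_peer() hunk the peer_state argument is no longer consulted on the duplicate path, so a caller passing SCTP_UNCONFIRMED for an address already present as UNKNOWN now gets ACTIVE; the new comment should say explicitly that `peer_state` is intentionally ignored there. Both enclosing functions begin before their respective hunks.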

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7	Mon Nov 17 06:24:28 2008
@@ -4,3 +4,4 @@
 + bugfix/all/dont-allow-splice-to-files-opened-with-O_APPEND.patch
 + bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
 + bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
++ bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch


