[kernel] r12390 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Nov 17 06:35:06 UTC 2008
Author: dannf
Date: Mon Nov 17 06:35:04 2008
New Revision: 12390
Log:
sctp: Fix possible kernel panic in sctp_sf_abort_violation (CVE-2008-4618)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/sctp-fix-kernel-panic-while-process-protocol-violation-parameter.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog (original)
+++ dists/etch-security/linux-2.6.24/debian/changelog Mon Nov 17 06:35:04 2008
@@ -9,8 +9,9 @@
* Avoid printk floods when reading corrupted ext[2,3] directories
(CVE-2008-3528)
* Fix oops in SCTP (CVE-2008-4576)
+ * sctp: Fix possible kernel panic in sctp_sf_abort_violation (CVE-2008-4618)
- -- dann frazier <dannf at debian.org> Sun, 16 Nov 2008 23:21:38 -0700
+ -- dann frazier <dannf at debian.org> Sun, 16 Nov 2008 23:32:14 -0700
linux-2.6.24 (2.6.24-6~etchnhalf.6) stable-security; urgency=high
Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/sctp-fix-kernel-panic-while-process-protocol-violation-parameter.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/sctp-fix-kernel-panic-while-process-protocol-violation-parameter.patch Mon Nov 17 06:35:04 2008
@@ -0,0 +1,186 @@
+commit ba0166708ef4da7eeb61dd92bbba4d5a749d6561
+Author: Wei Yongjun <yjwei at cn.fujitsu.com>
+Date: Tue Sep 30 05:32:24 2008 -0700
+
+ sctp: Fix kernel panic while process protocol violation parameter
+
+ Since call to function sctp_sf_abort_violation() need paramter 'arg' with
+ 'struct sctp_chunk' type, it will read the chunk type and chunk length from
+ the chunk_hdr member of chunk. But call to sctp_sf_violation_paramlen()
+ always with 'struct sctp_paramhdr' type's parameter, it will be passed to
+ sctp_sf_abort_violation(). This may cause kernel panic.
+
+ sctp_sf_violation_paramlen()
+ |-- sctp_sf_abort_violation()
+ |-- sctp_make_abort_violation()
+
+ This patch fixed this problem. This patch also fix two place which called
+ sctp_sf_violation_paramlen() with wrong paramter type.
+
+ Signed-off-by: Wei Yongjun <yjwei at cn.fujitsu.com>
+ Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/include/net/sctp/sm.h linux-source-2.6.24/include/net/sctp/sm.h
+--- linux-source-2.6.24.orig/include/net/sctp/sm.h 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/include/net/sctp/sm.h 2008-11-16 23:25:24.000000000 -0700
+@@ -227,6 +227,9 @@ struct sctp_chunk *sctp_make_abort_viola
+ const struct sctp_chunk *,
+ const __u8 *,
+ const size_t );
++struct sctp_chunk *sctp_make_violation_paramlen(const struct sctp_association *,
++ const struct sctp_chunk *,
++ struct sctp_paramhdr *);
+ struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *,
+ const struct sctp_transport *,
+ const void *payload,
+diff -urpN linux-source-2.6.24.orig/net/sctp/sm_make_chunk.c linux-source-2.6.24/net/sctp/sm_make_chunk.c
+--- linux-source-2.6.24.orig/net/sctp/sm_make_chunk.c 2008-11-16 23:23:39.000000000 -0700
++++ linux-source-2.6.24/net/sctp/sm_make_chunk.c 2008-11-16 23:26:48.000000000 -0700
+@@ -1012,6 +1012,29 @@ end:
+ return retval;
+ }
+
++struct sctp_chunk *sctp_make_violation_paramlen(
++ const struct sctp_association *asoc,
++ const struct sctp_chunk *chunk,
++ struct sctp_paramhdr *param)
++{
++ struct sctp_chunk *retval;
++ static const char error[] = "The following parameter had invalid length:";
++ size_t payload_len = sizeof(error) + sizeof(sctp_errhdr_t) +
++ sizeof(sctp_paramhdr_t);
++
++ retval = sctp_make_abort(asoc, chunk, payload_len);
++ if (!retval)
++ goto nodata;
++
++ sctp_init_cause(retval, SCTP_ERROR_PROTO_VIOLATION,
++ sizeof(error) + sizeof(sctp_paramhdr_t));
++ sctp_addto_chunk(retval, sizeof(error), error);
++ sctp_addto_param(retval, sizeof(sctp_paramhdr_t), param);
++
++nodata:
++ return retval;
++}
++
+ /* Make a HEARTBEAT chunk. */
+ struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *asoc,
+ const struct sctp_transport *transport,
+@@ -1782,11 +1805,6 @@ static int sctp_process_inv_paramlength(
+ const struct sctp_chunk *chunk,
+ struct sctp_chunk **errp)
+ {
+- char error[] = "The following parameter had invalid length:";
+- size_t payload_len = WORD_ROUND(sizeof(error)) +
+- sizeof(sctp_paramhdr_t);
+-
+-
+ /* This is a fatal error. Any accumulated non-fatal errors are
+ * not reported.
+ */
+@@ -1794,14 +1812,7 @@ static int sctp_process_inv_paramlength(
+ sctp_chunk_free(*errp);
+
+ /* Create an error chunk and fill it in with our payload. */
+- *errp = sctp_make_op_error_space(asoc, chunk, payload_len);
+-
+- if (*errp) {
+- sctp_init_cause(*errp, SCTP_ERROR_PROTO_VIOLATION,
+- sizeof(error) + sizeof(sctp_paramhdr_t));
+- sctp_addto_chunk(*errp, sizeof(error), error);
+- sctp_addto_param(*errp, sizeof(sctp_paramhdr_t), param);
+- }
++ *errp = sctp_make_violation_paramlen(asoc, chunk, param);
+
+ return 0;
+ }
+diff -urpN linux-source-2.6.24.orig/net/sctp/sm_statefuns.c linux-source-2.6.24/net/sctp/sm_statefuns.c
+--- linux-source-2.6.24.orig/net/sctp/sm_statefuns.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/sm_statefuns.c 2008-11-16 23:30:23.000000000 -0700
+@@ -121,7 +121,7 @@ static sctp_disposition_t sctp_sf_violat
+ const struct sctp_endpoint *ep,
+ const struct sctp_association *asoc,
+ const sctp_subtype_t type,
+- void *arg,
++ void *arg, void *ext,
+ sctp_cmd_seq_t *commands);
+
+ static sctp_disposition_t sctp_sf_violation_ctsn(
+@@ -3388,7 +3388,7 @@ sctp_disposition_t sctp_sf_do_asconf(con
+ addr_param = (union sctp_addr_param *)hdr->params;
+ length = ntohs(addr_param->p.length);
+ if (length < sizeof(sctp_paramhdr_t))
+- return sctp_sf_violation_paramlen(ep, asoc, type,
++ return sctp_sf_violation_paramlen(ep, asoc, type, arg,
+ (void *)addr_param, commands);
+
+ /* Verify the ASCONF chunk before processing it. */
+@@ -3396,8 +3396,8 @@ sctp_disposition_t sctp_sf_do_asconf(con
+ (sctp_paramhdr_t *)((void *)addr_param + length),
+ (void *)chunk->chunk_end,
+ &err_param))
+- return sctp_sf_violation_paramlen(ep, asoc, type,
+- (void *)&err_param, commands);
++ return sctp_sf_violation_paramlen(ep, asoc, type, arg,
++ (void *)err_param, commands);
+
+ /* ADDIP 4.2 C1) Compare the value of the serial number to the value
+ * the endpoint stored in a new association variable
+@@ -3476,8 +3476,8 @@ sctp_disposition_t sctp_sf_do_asconf_ack
+ (sctp_paramhdr_t *)addip_hdr->params,
+ (void *)asconf_ack->chunk_end,
+ &err_param))
+- return sctp_sf_violation_paramlen(ep, asoc, type,
+- (void *)&err_param, commands);
++ return sctp_sf_violation_paramlen(ep, asoc, type, arg,
++ (void *)err_param, commands);
+
+ if (last_asconf) {
+ addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
+@@ -4152,12 +4152,38 @@ static sctp_disposition_t sctp_sf_violat
+ const struct sctp_endpoint *ep,
+ const struct sctp_association *asoc,
+ const sctp_subtype_t type,
+- void *arg,
+- sctp_cmd_seq_t *commands) {
+- char err_str[] = "The following parameter had invalid length:";
++ void *arg, void *ext,
++ sctp_cmd_seq_t *commands)
++{
++ struct sctp_chunk *chunk = arg;
++ struct sctp_paramhdr *param = ext;
++ struct sctp_chunk *abort = NULL;
+
+- return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
+- sizeof(err_str));
++ if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
++ goto discard;
++
++ /* Make the abort chunk. */
++ abort = sctp_make_violation_paramlen(asoc, chunk, param);
++ if (!abort)
++ goto nomem;
++
++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
++ SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
++
++ sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
++ SCTP_ERROR(ECONNABORTED));
++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
++ SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
++ SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
++
++discard:
++ sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
++
++ SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
++
++ return SCTP_DISPOSITION_ABORT;
++nomem:
++ return SCTP_DISPOSITION_NOMEM;
+ }
+
+ /* Handle a protocol violation when the peer trying to advance the
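Review bot: The new sctp_sf_violation_paramlen body hard-codes the post-establishment abort sequence — it calls sctp_auth_recv_cid() on asoc, always queues SCTP_CMD_ASSOC_FAILED and always decrements SCTP_MIB_CURRESTAB — while the generic sctp_sf_abort_violation() path it replaces (visible only in the removed lines) was the shared handler, and the new function neither checks for a NULL asoc nor distinguishes an association that has not yet left COOKIE_ECHOED. That is presumably safe because the only callers touched in this patch are sctp_sf_do_asconf and sctp_sf_do_asconf_ack, which I would expect the state table to wire up only for established associations, but the assumption is not recorded anywhere and the function is a general state function. I would add above the definition: `/* Only valid once an association exists and is past COOKIE_ECHOED: asoc is dereferenced unconditionally and the abort is reported as ASSOC_FAILED; current callers are sctp_sf_do_asconf and sctp_sf_do_asconf_ack. */`. Separately, sctp_make_violation_paramlen() copies sizeof(sctp_paramhdr_t) bytes from the caller's `param` via sctp_addto_param(), so each caller must guarantee that header lies inside the received chunk; for the first ASCONF call site, which passes `addr_param` taken straight from `hdr->params`, the lines in this hunk do not show that guarantee, so it is worth confirming against the length check earlier in sctp_sf_do_asconf (whose body runs outside the hunk).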
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7 (original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7 Mon Nov 17 06:35:04 2008
@@ -5,3 +5,4 @@
+ bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
+ bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
+ bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
++ bugfix/all/sctp-fix-kernel-panic-while-process-protocol-violation-parameter.patch