[kernel] r12390 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Nov 17 06:35:06 UTC 2008 

Author: dannf
Date: Mon Nov 17 06:35:04 2008
New Revision: 12390

Log:
sctp: Fix possible kernel panic in sctp_sf_abort_violation (CVE-2008-4618)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/sctp-fix-kernel-panic-while-process-protocol-violation-parameter.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Nov 17 06:35:04 2008
@@ -9,8 +9,9 @@
   * Avoid printk floods when reading corrupted ext[2,3] directories
     (CVE-2008-3528)
   * Fix oops in SCTP (CVE-2008-4576)
+  * sctp: Fix possible kernel panic in sctp_sf_abort_violation (CVE-2008-4618)
 
- -- dann frazier <dannf at debian.org>  Sun, 16 Nov 2008 23:21:38 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 16 Nov 2008 23:32:14 -0700
 
 linux-2.6.24 (2.6.24-6~etchnhalf.6) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/sctp-fix-kernel-panic-while-process-protocol-violation-parameter.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/sctp-fix-kernel-panic-while-process-protocol-violation-parameter.patch	Mon Nov 17 06:35:04 2008
@@ -0,0 +1,186 @@
+commit ba0166708ef4da7eeb61dd92bbba4d5a749d6561
+Author: Wei Yongjun <yjwei at cn.fujitsu.com>
+Date:   Tue Sep 30 05:32:24 2008 -0700
+
+    sctp: Fix kernel panic while process protocol violation parameter
+    
+    Since call to function sctp_sf_abort_violation() need paramter 'arg' with
+    'struct sctp_chunk' type, it will read the chunk type and chunk length from
+    the chunk_hdr member of chunk. But call to sctp_sf_violation_paramlen()
+    always with 'struct sctp_paramhdr' type's parameter, it will be passed to
+    sctp_sf_abort_violation(). This may cause kernel panic.
+    
+       sctp_sf_violation_paramlen()
+         |-- sctp_sf_abort_violation()
+            |-- sctp_make_abort_violation()
+    
+    This patch fixed this problem. This patch also fix two place which called
+    sctp_sf_violation_paramlen() with wrong paramter type.
+    
+    Signed-off-by: Wei Yongjun <yjwei at cn.fujitsu.com>
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/include/net/sctp/sm.h linux-source-2.6.24/include/net/sctp/sm.h
+--- linux-source-2.6.24.orig/include/net/sctp/sm.h	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/include/net/sctp/sm.h	2008-11-16 23:25:24.000000000 -0700
+@@ -227,6 +227,9 @@ struct sctp_chunk *sctp_make_abort_viola
+ 				   const struct sctp_chunk *,
+ 				   const __u8 *,
+ 				   const size_t );
++struct sctp_chunk *sctp_make_violation_paramlen(const struct sctp_association *,
++				   const struct sctp_chunk *,
++				   struct sctp_paramhdr *);
+ struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *,
+ 				  const struct sctp_transport *,
+ 				  const void *payload,
+diff -urpN linux-source-2.6.24.orig/net/sctp/sm_make_chunk.c linux-source-2.6.24/net/sctp/sm_make_chunk.c
+--- linux-source-2.6.24.orig/net/sctp/sm_make_chunk.c	2008-11-16 23:23:39.000000000 -0700
++++ linux-source-2.6.24/net/sctp/sm_make_chunk.c	2008-11-16 23:26:48.000000000 -0700
+@@ -1012,6 +1012,29 @@ end:
+ 	return retval;
+ }
+ 
++struct sctp_chunk *sctp_make_violation_paramlen(
++	const struct sctp_association *asoc,
++	const struct sctp_chunk *chunk,
++	struct sctp_paramhdr *param)
++{
++	struct sctp_chunk *retval;
++	static const char error[] = "The following parameter had invalid length:";
++	size_t payload_len = sizeof(error) + sizeof(sctp_errhdr_t) +
++				sizeof(sctp_paramhdr_t);
++
++	retval = sctp_make_abort(asoc, chunk, payload_len);
++	if (!retval)
++		goto nodata;
++
++	sctp_init_cause(retval, SCTP_ERROR_PROTO_VIOLATION,
++			sizeof(error) + sizeof(sctp_paramhdr_t));
++	sctp_addto_chunk(retval, sizeof(error), error);
++	sctp_addto_param(retval, sizeof(sctp_paramhdr_t), param);
++
++nodata:
++	return retval;
++}
++
+ /* Make a HEARTBEAT chunk.  */
+ struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *asoc,
+ 				  const struct sctp_transport *transport,
+@@ -1782,11 +1805,6 @@ static int sctp_process_inv_paramlength(
+ 					const struct sctp_chunk *chunk,
+ 					struct sctp_chunk **errp)
+ {
+-	char		error[] = "The following parameter had invalid length:";
+-	size_t		payload_len = WORD_ROUND(sizeof(error)) +
+-						sizeof(sctp_paramhdr_t);
+-
+-
+ 	/* This is a fatal error.  Any accumulated non-fatal errors are
+ 	 * not reported.
+ 	 */
+@@ -1794,14 +1812,7 @@ static int sctp_process_inv_paramlength(
+ 		sctp_chunk_free(*errp);
+ 
+ 	/* Create an error chunk and fill it in with our payload. */
+-	*errp = sctp_make_op_error_space(asoc, chunk, payload_len);
+-
+-	if (*errp) {
+-		sctp_init_cause(*errp, SCTP_ERROR_PROTO_VIOLATION,
+-				sizeof(error) + sizeof(sctp_paramhdr_t));
+-		sctp_addto_chunk(*errp, sizeof(error), error);
+-		sctp_addto_param(*errp, sizeof(sctp_paramhdr_t), param);
+-	}
++	*errp = sctp_make_violation_paramlen(asoc, chunk, param);
+ 
+ 	return 0;
+ }
+diff -urpN linux-source-2.6.24.orig/net/sctp/sm_statefuns.c linux-source-2.6.24/net/sctp/sm_statefuns.c
+--- linux-source-2.6.24.orig/net/sctp/sm_statefuns.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/sm_statefuns.c	2008-11-16 23:30:23.000000000 -0700
+@@ -121,7 +121,7 @@ static sctp_disposition_t sctp_sf_violat
+ 				     const struct sctp_endpoint *ep,
+ 				     const struct sctp_association *asoc,
+ 				     const sctp_subtype_t type,
+-				     void *arg,
++				     void *arg, void *ext,
+ 				     sctp_cmd_seq_t *commands);
+ 
+ static sctp_disposition_t sctp_sf_violation_ctsn(
+@@ -3388,7 +3388,7 @@ sctp_disposition_t sctp_sf_do_asconf(con
+ 	addr_param = (union sctp_addr_param *)hdr->params;
+ 	length = ntohs(addr_param->p.length);
+ 	if (length < sizeof(sctp_paramhdr_t))
+-		return sctp_sf_violation_paramlen(ep, asoc, type,
++		return sctp_sf_violation_paramlen(ep, asoc, type, arg,
+ 			   (void *)addr_param, commands);
+ 
+ 	/* Verify the ASCONF chunk before processing it. */
+@@ -3396,8 +3396,8 @@ sctp_disposition_t sctp_sf_do_asconf(con
+ 	    (sctp_paramhdr_t *)((void *)addr_param + length),
+ 	    (void *)chunk->chunk_end,
+ 	    &err_param))
+-		return sctp_sf_violation_paramlen(ep, asoc, type,
+-			   (void *)&err_param, commands);
++		return sctp_sf_violation_paramlen(ep, asoc, type, arg,
++ 						  (void *)err_param, commands);
+ 
+ 	/* ADDIP 4.2 C1) Compare the value of the serial number to the value
+ 	 * the endpoint stored in a new association variable
+@@ -3476,8 +3476,8 @@ sctp_disposition_t sctp_sf_do_asconf_ack
+ 	    (sctp_paramhdr_t *)addip_hdr->params,
+ 	    (void *)asconf_ack->chunk_end,
+ 	    &err_param))
+-		return sctp_sf_violation_paramlen(ep, asoc, type,
+-			   (void *)&err_param, commands);
++		return sctp_sf_violation_paramlen(ep, asoc, type, arg,
++			   (void *)err_param, commands);
+ 
+ 	if (last_asconf) {
+ 		addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
+@@ -4152,12 +4152,38 @@ static sctp_disposition_t sctp_sf_violat
+ 				     const struct sctp_endpoint *ep,
+ 				     const struct sctp_association *asoc,
+ 				     const sctp_subtype_t type,
+-				     void *arg,
+-				     sctp_cmd_seq_t *commands) {
+-	char err_str[] = "The following parameter had invalid length:";
++				     void *arg, void *ext,
++				     sctp_cmd_seq_t *commands)
++{
++	struct sctp_chunk *chunk =  arg;
++	struct sctp_paramhdr *param = ext;
++	struct sctp_chunk *abort = NULL;
+ 
+-	return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
+-					sizeof(err_str));
++	if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
++		goto discard;
++
++	/* Make the abort chunk. */
++	abort = sctp_make_violation_paramlen(asoc, chunk, param);
++	if (!abort)
++		goto nomem;
++
++	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
++	SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
++
++	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
++			SCTP_ERROR(ECONNABORTED));
++	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
++			SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
++	SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
++
++discard:
++	sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
++
++	SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
++
++	return SCTP_DISPOSITION_ABORT;
++nomem:
++	return SCTP_DISPOSITION_NOMEM;
+ }
+ 
+ /* Handle a protocol violation when the peer trying to advance the

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7	Mon Nov 17 06:35:04 2008
@@ -5,3 +5,4 @@
 + bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
 + bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
 + bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
++ bugfix/all/sctp-fix-kernel-panic-while-process-protocol-violation-parameter.patch

More information about the Kernel-svn-changes mailing list