[kernel] r12189 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Sep 5 18:36:21 UTC 2008


Author: dannf
Date: Fri Sep  5 18:36:19 2008
New Revision: 12189

Log:
* Fix panics that may occur if SCTP AUTH is disabled (CVE-2008-3792)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-auth-panics.patch
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-length-in-AUTH_CHUNKS-option.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Fri Sep  5 18:36:19 2008
@@ -11,8 +11,9 @@
   * Fix kernel BUG in tmpfs (CVE-2008-3534)
   * Fix off-by-one error in iov_iter_advance() (CVE-2008-3535)
   * Fix buffer overrun decoding NFSv4 acl (CVE-2008-3915)
+  * Fix panics that may occur if SCTP AUTH is disabled (CVE-2008-3792)
 
- -- dann frazier <dannf at debian.org>  Fri, 05 Sep 2008 11:38:20 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 05 Sep 2008 12:34:14 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.4) stable; urgency=low
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-auth-panics.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-auth-panics.patch	Fri Sep  5 18:36:19 2008
@@ -0,0 +1,21 @@
+commit 5e739d1752aca4e8f3e794d431503bfca3162df4
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Thu Aug 21 03:34:25 2008 -0700
+
+    sctp: fix potential panics in the SCTP-AUTH API.
+    
+    All of the SCTP-AUTH socket options could cause a panic
+    if the extension is disabled and the API is envoked.
+    
+    Additionally, there were some additional assumptions that
+    certain pointers would always be valid which may not
+    always be the case.
+    
+    This patch hardens the API and address all of the crash
+    scenarios.
+    
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.24 by dann frazier <dannf at hp.com>
+
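Review bot: The added sctp-auth-panics.patch carries no code change: the hunk header announces 21 lines, and all 21 are the upstream commit header, message and backport trailer, with no `diff --git` section after them. As committed, the `+ bugfix/sctp-auth-panics.patch` entry in the series file would apply nothing, so the hardening that the changelog credits to CVE-2008-3792 appears to be absent from this revision. The backported hunks should be appended after the `Backported to Debian's 2.6.24` line. The built tree should then be checked for the new guards before the upload is recorded as fixing the CVE.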

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-length-in-AUTH_CHUNKS-option.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-length-in-AUTH_CHUNKS-option.patch	Fri Sep  5 18:36:19 2008
@@ -0,0 +1,60 @@
+commit b40db6846847e82daf175641987df29324c425fa
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Wed Feb 27 14:40:37 2008 -0500
+
+    [SCTP]: Incorrect length was used in SCTP_*_AUTH_CHUNKS socket option
+    
+    The chunks are stored inside a parameter structure in the kernel
+    and when we copy them to the user, we need to account for
+    the parameter header.
+    
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 44797ad..848df21 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -5070,6 +5070,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
+ 	struct sctp_authchunks val;
+ 	struct sctp_association *asoc;
+ 	struct sctp_chunks_param *ch;
++	u32    num_chunks;
+ 	char __user *to;
+ 
+ 	if (len <= sizeof(struct sctp_authchunks))
+@@ -5086,10 +5087,11 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
+ 	ch = asoc->peer.peer_chunks;
+ 
+ 	/* See if the user provided enough room for all the data */
+-	if (len < ntohs(ch->param_hdr.length))
++	num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
++	if (len < num_chunks)
+ 		return -EINVAL;
+ 
+-	len = ntohs(ch->param_hdr.length);
++	len = num_chunks;
+ 	if (put_user(len, optlen))
+ 		return -EFAULT;
+ 	if (copy_to_user(to, ch->chunks, len))
+@@ -5105,6 +5107,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
+ 	struct sctp_authchunks val;
+ 	struct sctp_association *asoc;
+ 	struct sctp_chunks_param *ch;
++	u32    num_chunks;
+ 	char __user *to;
+ 
+ 	if (len <= sizeof(struct sctp_authchunks))
+@@ -5123,10 +5126,11 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
+ 	else
+ 		ch = sctp_sk(sk)->ep->auth_chunk_list;
+ 
+-	if (len < ntohs(ch->param_hdr.length))
++	num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
++	if (len < num_chunks)
+ 		return -EINVAL;
+ 
+-	len = ntohs(ch->param_hdr.length);
++	len = num_chunks;
+ 	if (put_user(len, optlen))
+ 		return -EFAULT;
+ 	if (copy_to_user(to, ch->chunks, len))
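Review bot: The room check `if (len < num_chunks)` in both getsockopt helpers compares the chunk count against the whole option length, while the earlier `len <= sizeof(struct sctp_authchunks)` test implies the user buffer begins with that struct header. If `to` points at the chunk array inside the user's struct (its assignment falls outside the hunks), a buffer sized between `num_chunks` and `sizeof(struct sctp_authchunks) + num_chunks` passes the check and `copy_to_user` writes past the end the caller declared; `if (len < sizeof(struct sctp_authchunks) + num_chunks)` would account for the header. Separately, `ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t)` wraps if the stored length is ever smaller than the header, and `len` is an `int` compared against a `u32`, so either an explicit lower-bound test or a comment stating why both are safe would help the next reader. Both function bodies start and end outside the hunks shown.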

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	Fri Sep  5 18:36:19 2008
@@ -8,3 +8,5 @@
 + bugfix/tmpfs-fix-kernel-bug-in-shmem_delete_inode.patch
 + bugfix/iov_iter_advance-off-by-one.patch
 + bugfix/nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch
++ bugfix/sctp-fix-length-in-AUTH_CHUNKS-option.patch
++ bugfix/sctp-auth-panics.patch


