[kernel] r14707 - in dists/trunk/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Dec 1 05:39:46 UTC 2009
Author: dannf
Date: Tue Dec 1 05:39:18 2009
New Revision: 14707
Log:
mac80211: fix two remote exploits (CVE pending)
Added:
dists/trunk/linux-2.6/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch
Modified:
dists/trunk/linux-2.6/debian/changelog
dists/trunk/linux-2.6/debian/patches/series/base
Modified: dists/trunk/linux-2.6/debian/changelog
==============================================================================
--- dists/trunk/linux-2.6/debian/changelog Tue Dec 1 01:19:44 2009 (r14706)
+++ dists/trunk/linux-2.6/debian/changelog Tue Dec 1 05:39:18 2009 (r14707)
@@ -27,6 +27,9 @@
MMC/SD cards to be assumed non-removable, and filesystems on them
will remain mounted over a suspend/resume cycle. (Closes: #504391)
+ [ dann frazier ]
+ * mac80211: fix two remote exploits (CVE pending)
+
-- Martin Michlmayr <tbm at cyrius.com> Sun, 22 Nov 2009 13:56:12 +0000
linux-2.6 (2.6.32~rc8-1~experimental.1) unstable; urgency=low
Added: dists/trunk/linux-2.6/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux-2.6/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch Tue Dec 1 05:39:18 2009 (r14707)
@@ -0,0 +1,60 @@
+commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51
+Author: Johannes Berg <johannes at sipsolutions.net>
+Date: Fri Nov 20 09:15:51 2009 +0100
+
+ mac80211: fix two remote exploits
+
+ Lennert Buytenhek noticed a remotely triggerable problem
+ in mac80211, which is due to some code shuffling I did
+ that ended up changing the order in which things were
+ done -- this was in
+
+ commit d75636ef9c1af224f1097941879d5a8db7cd04e5
+ Author: Johannes Berg <johannes at sipsolutions.net>
+ Date: Tue Feb 10 21:25:53 2009 +0100
+
+ mac80211: RX aggregation: clean up stop session
+
+ The problem is that the BUG_ON moved before the various
+ checks, and as such can be triggered.
+
+ As the comment indicates, the BUG_ON can be removed since
+ the ampdu_action callback must already exist when the
+ state is OPERATIONAL.
+
+ A similar code path leads to a WARN_ON in
+ ieee80211_stop_tx_ba_session, which can also be removed.
+
+ Cc: stable at kernel.org [2.6.29+]
+ Cc: Lennert Buytenhek <buytenh at marvell.com>
+ Signed-off-by: Johannes Berg <johannes at sipsolutions.net>
+ Signed-off-by: John W. Linville <linville at tuxdriver.com>
+
+diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
+index bc064d7..ce8e0e7 100644
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r
+ struct ieee80211_local *local = sdata->local;
+ struct sta_info *sta;
+
+- /* stop HW Rx aggregation. ampdu_action existence
+- * already verified in session init so we add the BUG_ON */
+- BUG_ON(!local->ops->ampdu_action);
+-
+ rcu_read_lock();
+
+ sta = sta_info_get(local, ra);
+diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
+index 206fd82..63224d1 100644
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -545,7 +545,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
+ struct sta_info *sta;
+ int ret = 0;
+
+- if (WARN_ON(!local->ops->ampdu_action))
++ if (!local->ops->ampdu_action)
+ return -EINVAL;
+
+ if (tid >= STA_TID_NUM)
Modified: dists/trunk/linux-2.6/debian/patches/series/base
==============================================================================
--- dists/trunk/linux-2.6/debian/patches/series/base Tue Dec 1 01:19:44 2009 (r14706)
+++ dists/trunk/linux-2.6/debian/patches/series/base Tue Dec 1 05:39:18 2009 (r14707)
@@ -54,3 +54,4 @@
+ bugfix/all/DocBook-media-copy-images-after-building-HTML.patch
+ bugfix/all/DocBook-media-create-links-for-included-sources.patch
+ features/all/mmc-parameter-set-whether-cards-are-assumed-removable.patch
++ bugfix/all/mac80211-fix-two-remote-exploits.patch
More information about the Kernel-svn-changes
mailing list