[kernel] r14707 - in dists/trunk/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Dec 1 05:39:46 UTC 2009


Author: dannf
Date: Tue Dec  1 05:39:18 2009
New Revision: 14707

Log:
mac80211: fix two remote exploits (CVE pending)

Added:
   dists/trunk/linux-2.6/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch
Modified:
   dists/trunk/linux-2.6/debian/changelog
   dists/trunk/linux-2.6/debian/patches/series/base

Modified: dists/trunk/linux-2.6/debian/changelog
==============================================================================
--- dists/trunk/linux-2.6/debian/changelog	Tue Dec  1 01:19:44 2009	(r14706)
+++ dists/trunk/linux-2.6/debian/changelog	Tue Dec  1 05:39:18 2009	(r14707)
@@ -27,6 +27,9 @@
     MMC/SD cards to be assumed non-removable, and filesystems on them
     will remain mounted over a suspend/resume cycle. (Closes: #504391)
 
+  [ dann frazier ]
+  * mac80211: fix two remote exploits (CVE pending)
+
  -- Martin Michlmayr <tbm at cyrius.com>  Sun, 22 Nov 2009 13:56:12 +0000
 
 linux-2.6 (2.6.32~rc8-1~experimental.1) unstable; urgency=low
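Review bot: The added entry "* mac80211: fix two remote exploits (CVE pending)" does not say which upstream change it carries or which code paths are affected, so a reader of the changelog cannot map it to a fix without opening the patch. Consider naming the upstream commit (4253119acf412fd686ef4bd8749b5a4d70ea3a51) and the two functions touched, ieee80211_sta_stop_rx_ba_session and ieee80211_stop_tx_ba_session, and replace "CVE pending" with the identifier once one is assigned so the entry stays searchable.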

Added: dists/trunk/linux-2.6/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/trunk/linux-2.6/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch	Tue Dec  1 05:39:18 2009	(r14707)
@@ -0,0 +1,60 @@
+commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51
+Author: Johannes Berg <johannes at sipsolutions.net>
+Date:   Fri Nov 20 09:15:51 2009 +0100
+
+    mac80211: fix two remote exploits
+    
+    Lennert Buytenhek noticed a remotely triggerable problem
+    in mac80211, which is due to some code shuffling I did
+    that ended up changing the order in which things were
+    done -- this was in
+    
+      commit d75636ef9c1af224f1097941879d5a8db7cd04e5
+      Author: Johannes Berg <johannes at sipsolutions.net>
+      Date:   Tue Feb 10 21:25:53 2009 +0100
+    
+        mac80211: RX aggregation: clean up stop session
+    
+    The problem is that the BUG_ON moved before the various
+    checks, and as such can be triggered.
+    
+    As the comment indicates, the BUG_ON can be removed since
+    the ampdu_action callback must already exist when the
+    state is OPERATIONAL.
+    
+    A similar code path leads to a WARN_ON in
+    ieee80211_stop_tx_ba_session, which can also be removed.
+    
+    Cc: stable at kernel.org [2.6.29+]
+    Cc: Lennert Buytenhek <buytenh at marvell.com>
+    Signed-off-by: Johannes Berg <johannes at sipsolutions.net>
+    Signed-off-by: John W. Linville <linville at tuxdriver.com>
+
+diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
+index bc064d7..ce8e0e7 100644
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r
+ 	struct ieee80211_local *local = sdata->local;
+ 	struct sta_info *sta;
+ 
+-	/* stop HW Rx aggregation. ampdu_action existence
+-	 * already verified in session init so we add the BUG_ON */
+-	BUG_ON(!local->ops->ampdu_action);
+-
+ 	rcu_read_lock();
+ 
+ 	sta = sta_info_get(local, ra);
+diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
+index 206fd82..63224d1 100644
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -545,7 +545,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
+ 	struct sta_info *sta;
+ 	int ret = 0;
+ 
+-	if (WARN_ON(!local->ops->ampdu_action))
++	if (!local->ops->ampdu_action)
+ 		return -EINVAL;
+ 
+ 	if (tid >= STA_TID_NUM)
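Review bot: In the agg-rx.c part, dropping the BUG_ON leaves ieee80211_sta_stop_rx_ba_session with no check of local->ops->ampdu_action in the visible lines, whereas the agg-tx.c part keeps "if (!local->ops->ampdu_action) return -EINVAL;" and only removes the WARN_ON wrapper. The commit message justifies this by saying the callback must already exist when the state is OPERATIONAL, but that state check sits outside the context shown here, so the invariant is not verifiable from the hunk. Either keep a short comment at the removed spot stating that the callback is only reached after the OPERATIONAL check, or mirror the tx path with a quiet early return, so that a later reordering like the one in d75636ef9c1af224f1097941879d5a8db7cd04e5 cannot turn a remotely reachable path into a NULL call. It would also help the Debian patch header to note that the stable tag covers 2.6.29+, since that determines which packaged kernels need the fix.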

Modified: dists/trunk/linux-2.6/debian/patches/series/base
==============================================================================
--- dists/trunk/linux-2.6/debian/patches/series/base	Tue Dec  1 01:19:44 2009	(r14706)
+++ dists/trunk/linux-2.6/debian/patches/series/base	Tue Dec  1 05:39:18 2009	(r14707)
@@ -54,3 +54,4 @@
 + bugfix/all/DocBook-media-copy-images-after-building-HTML.patch
 + bugfix/all/DocBook-media-create-links-for-included-sources.patch
 + features/all/mmc-parameter-set-whether-cards-are-assumed-removable.patch
++ bugfix/all/mac80211-fix-two-remote-exploits.patch


