[kernel] r14757 - in dists/squeeze-security: . linux-2.6 linux-2.6/debian linux-2.6/debian/patches/bugfix/all linux-2.6/debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Dec 8 22:59:39 UTC 2009
Author: dannf
Date: Tue Dec 8 22:59:37 2009
New Revision: 14757
Log:
Commit the changes from the pending testing-security update, now that the
issues are all public.
Added:
dists/squeeze-security/
dists/squeeze-security/linux-2.6/
- copied from r14719, releases/linux-2.6/2.6.30-8/
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv4-missing-container_of-change.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch
dists/squeeze-security/linux-2.6/debian/patches/series/8squeeze1
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- releases/linux-2.6/2.6.30-8/debian/changelog Thu Dec 3 11:20:21 2009 (r14719)
+++ dists/squeeze-security/linux-2.6/debian/changelog Tue Dec 8 22:59:37 2009 (r14757)
@@ -1,3 +1,13 @@
+linux-2.6 (2.6.30-8squeeze1) testing-security; urgency=high
+
+ * ipv4: additional update of dev_net(dev) to struct *net
+ in ip_fragment.c, NULL ptr OOPS (CVE-2009-1298)
+ * mac80211 (CVE-2009-4026, CVE-2009-4027):
+ - fix two remote exploits
+ - fix spurious delBA handling
+
+ -- dann frazier <dannf at debian.org> Thu, 03 Dec 2009 15:12:36 -0700
+
linux-2.6 (2.6.30-8) unstable; urgency=low
[ Martin Michlmayr ]
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv4-missing-container_of-change.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv4-missing-container_of-change.patch Tue Dec 8 22:59:37 2009 (r14757)
@@ -0,0 +1,34 @@
+commit bbf31bf18d34caa87dd01f08bf713635593697f2
+Author: David Ford <david at blue-labs.org>
+Date: Sun Nov 29 23:02:22 2009 -0800
+
+ ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS
+
+ ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined
+ previously patched into 2.6.29.
+
+ Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched,
+ changing from dev_net(dev) to container_of(...). Unfortunately the goto
+ section (out_fail) on oversized packets inside ip_frag_reasm() didn't
+ get touched up as well. Oversized IP packets cause a NULL pointer
+ dereference and immediate hang.
+
+ I discovered this running openvasd and my previous email on this is
+ titled: NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566
+
+ Signed-off-by: David Ford <david at blue-labs.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index 575f9bd..d3fe10b 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -563,7 +563,7 @@ out_oversize:
+ printk(KERN_INFO "Oversized IP packet from %pI4.\n",
+ &qp->saddr);
+ out_fail:
+- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_REASMFAILS);
++ IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS);
+ return err;
+ }
+
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch Tue Dec 8 22:59:37 2009 (r14757)
@@ -0,0 +1,177 @@
+commit 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7
+Author: Johannes Berg <johannes at sipsolutions.net>
+Date: Sun Nov 22 12:28:41 2009 +0100
+
+ mac80211: fix spurious delBA handling
+
+ Lennert Buytenhek noticed that delBA handling in mac80211
+ was broken and has remotely triggerable problems, some of
+ which are due to some code shuffling I did that ended up
+ changing the order in which things were done -- this was
+
+ commit d75636ef9c1af224f1097941879d5a8db7cd04e5
+ Author: Johannes Berg <johannes at sipsolutions.net>
+ Date: Tue Feb 10 21:25:53 2009 +0100
+
+ mac80211: RX aggregation: clean up stop session
+
+ and other parts were already present in the original
+
+ commit d92684e66091c0f0101819619b315b4bb8b5bcc5
+ Author: Ron Rindjunsky <ron.rindjunsky at intel.com>
+ Date: Mon Jan 28 14:07:22 2008 +0200
+
+ mac80211: A-MPDU Tx add delBA from recipient support
+
+ The first problem is that I moved a BUG_ON before various
+ checks -- thereby making it possible to hit. As the comment
+ indicates, the BUG_ON can be removed since the ampdu_action
+ callback must already exist when the state is != IDLE.
+
+ The second problem isn't easily exploitable but there's a
+ race condition due to unconditionally setting the state to
+ OPERATIONAL when a delBA frame is received, even when no
+ aggregation session was ever initiated. All the drivers
+ accept stopping the session even then, but that opens a
+ race window where crashes could happen before the driver
+ accepts it. Right now, a WARN_ON may happen with non-HT
+ drivers, while the race opens only for HT drivers.
+
+ For this case, there are two things necessary to fix it:
+ 1) don't process spurious delBA frames, and be more careful
+ about the session state; don't drop the lock
+
+ 2) HT drivers need to be prepared to handle a session stop
+ even before the session was really started -- this is
+ true for all drivers (that support aggregation) but
+ iwlwifi which can be fixed easily. The other HT drivers
+ (ath9k and ar9170) are behaving properly already.
+
+ Reported-by: Lennert Buytenhek <buytenh at marvell.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Johannes Berg <johannes at sipsolutions.net>
+ Signed-off-by: John W. Linville <linville at tuxdriver.com>
+
+diff --git a/drivers/net/wireless/iwlwifi/iwl-tx.c b/drivers/net/wireless/iwlwifi/iwl-tx.c
+index fb9bcfa..b7e196e 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-tx.c
++++ b/drivers/net/wireless/iwlwifi/iwl-tx.c
+@@ -1277,8 +1277,16 @@ int iwl_tx_agg_stop(struct iwl_priv *priv , const u8 *ra, u16 tid)
+ return -ENXIO;
+ }
+
++ if (priv->stations[sta_id].tid[tid].agg.state ==
++ IWL_EMPTYING_HW_QUEUE_ADDBA) {
++ IWL_DEBUG_HT(priv, "AGG stop before setup done\n");
++ ieee80211_stop_tx_ba_cb_irqsafe(priv->hw, ra, tid);
++ priv->stations[sta_id].tid[tid].agg.state = IWL_AGG_OFF;
++ return 0;
++ }
++
+ if (priv->stations[sta_id].tid[tid].agg.state != IWL_AGG_ON)
+- IWL_WARN(priv, "Stopping AGG while state not IWL_AGG_ON\n");
++ IWL_WARN(priv, "Stopping AGG while state not ON or starting\n");
+
+ tid_data = &priv->stations[sta_id].tid[tid];
+ ssn = (tid_data->seq_number & IEEE80211_SCTL_SEQ) >> 4;
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index c75b960..998c30f 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -1283,6 +1283,12 @@ enum ieee80211_filter_flags {
+ *
+ * These flags are used with the ampdu_action() callback in
+ * &struct ieee80211_ops to indicate which action is needed.
++ *
++ * Note that drivers MUST be able to deal with a TX aggregation
++ * session being stopped even before they OK'ed starting it by
++ * calling ieee80211_start_tx_ba_cb(_irqsafe), because the peer
++ * might receive the addBA frame and send a delBA right away!
++ *
+ * @IEEE80211_AMPDU_RX_START: start Rx aggregation
+ * @IEEE80211_AMPDU_RX_STOP: stop Rx aggregation
+ * @IEEE80211_AMPDU_TX_START: start Tx aggregation
+diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
+index 63224d1..89e238b 100644
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -123,13 +123,18 @@ void ieee80211_send_bar(struct ieee80211_sub_if_data *sdata, u8 *ra, u16 tid, u1
+ ieee80211_tx_skb(sdata, skb, 0);
+ }
+
+-static int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
+- enum ieee80211_back_parties initiator)
++int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
++ enum ieee80211_back_parties initiator)
+ {
+ struct ieee80211_local *local = sta->local;
+ int ret;
+ u8 *state;
+
++#ifdef CONFIG_MAC80211_HT_DEBUG
++ printk(KERN_DEBUG "Tx BA session stop requested for %pM tid %u\n",
++ sta->sta.addr, tid);
++#endif /* CONFIG_MAC80211_HT_DEBUG */
++
+ state = &sta->ampdu_mlme.tid_state_tx[tid];
+
+ if (*state == HT_AGG_STATE_OPERATIONAL)
+@@ -143,7 +148,6 @@ static int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
+
+ /* HW shall not deny going back to legacy */
+ if (WARN_ON(ret)) {
+- *state = HT_AGG_STATE_OPERATIONAL;
+ /*
+ * We may have pending packets get stuck in this case...
+ * Not bothering with a workaround for now.
+@@ -525,11 +529,6 @@ int __ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
+ goto unlock;
+ }
+
+-#ifdef CONFIG_MAC80211_HT_DEBUG
+- printk(KERN_DEBUG "Tx BA session stop requested for %pM tid %u\n",
+- sta->sta.addr, tid);
+-#endif /* CONFIG_MAC80211_HT_DEBUG */
+-
+ ret = ___ieee80211_stop_tx_ba_session(sta, tid, initiator);
+
+ unlock:
+diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
+index 48ef1a2..cdc58e6 100644
+--- a/net/mac80211/ht.c
++++ b/net/mac80211/ht.c
+@@ -141,7 +141,6 @@ void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
+ struct sta_info *sta,
+ struct ieee80211_mgmt *mgmt, size_t len)
+ {
+- struct ieee80211_local *local = sdata->local;
+ u16 tid, params;
+ u16 initiator;
+
+@@ -161,10 +160,9 @@ void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
+ WLAN_BACK_INITIATOR, 0);
+ else { /* WLAN_BACK_RECIPIENT */
+ spin_lock_bh(&sta->lock);
+- sta->ampdu_mlme.tid_state_tx[tid] =
+- HT_AGG_STATE_OPERATIONAL;
++ if (sta->ampdu_mlme.tid_state_tx[tid] & HT_ADDBA_REQUESTED_MSK)
++ ___ieee80211_stop_tx_ba_session(sta, tid,
++ WLAN_BACK_RECIPIENT);
+ spin_unlock_bh(&sta->lock);
+- ieee80211_stop_tx_ba_session(&local->hw, sta->sta.addr, tid,
+- WLAN_BACK_RECIPIENT);
+ }
+ }
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index a910bf1..10d316e 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1091,6 +1091,8 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
+
+ int __ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
+ enum ieee80211_back_parties initiator);
++int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
++ enum ieee80211_back_parties initiator);
+
+ /* Spectrum management */
+ void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata,
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch Tue Dec 8 22:59:37 2009 (r14757)
@@ -0,0 +1,60 @@
+commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51
+Author: Johannes Berg <johannes at sipsolutions.net>
+Date: Fri Nov 20 09:15:51 2009 +0100
+
+ mac80211: fix two remote exploits
+
+ Lennert Buytenhek noticed a remotely triggerable problem
+ in mac80211, which is due to some code shuffling I did
+ that ended up changing the order in which things were
+ done -- this was in
+
+ commit d75636ef9c1af224f1097941879d5a8db7cd04e5
+ Author: Johannes Berg <johannes at sipsolutions.net>
+ Date: Tue Feb 10 21:25:53 2009 +0100
+
+ mac80211: RX aggregation: clean up stop session
+
+ The problem is that the BUG_ON moved before the various
+ checks, and as such can be triggered.
+
+ As the comment indicates, the BUG_ON can be removed since
+ the ampdu_action callback must already exist when the
+ state is OPERATIONAL.
+
+ A similar code path leads to a WARN_ON in
+ ieee80211_stop_tx_ba_session, which can also be removed.
+
+ Cc: stable at kernel.org [2.6.29+]
+ Cc: Lennert Buytenhek <buytenh at marvell.com>
+ Signed-off-by: Johannes Berg <johannes at sipsolutions.net>
+ Signed-off-by: John W. Linville <linville at tuxdriver.com>
+
+diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
+index bc064d7..ce8e0e7 100644
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r
+ struct ieee80211_local *local = sdata->local;
+ struct sta_info *sta;
+
+- /* stop HW Rx aggregation. ampdu_action existence
+- * already verified in session init so we add the BUG_ON */
+- BUG_ON(!local->ops->ampdu_action);
+-
+ rcu_read_lock();
+
+ sta = sta_info_get(local, ra);
+diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
+index 206fd82..63224d1 100644
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -545,7 +545,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
+ struct sta_info *sta;
+ int ret = 0;
+
+- if (WARN_ON(!local->ops->ampdu_action))
++ if (!local->ops->ampdu_action)
+ return -EINVAL;
+
+ if (tid >= STA_TID_NUM)
Added: dists/squeeze-security/linux-2.6/debian/patches/series/8squeeze1
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/8squeeze1 Tue Dec 8 22:59:37 2009 (r14757)
@@ -0,0 +1,3 @@
++ bugfix/all/ipv4-missing-container_of-change.patch
++ bugfix/all/mac80211-fix-two-remote-exploits.patch
++ bugfix/all/mac80211-fix-spurious-delBA-handling.patch
More information about the Kernel-svn-changes
mailing list