[kernel] r13954 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Jul 17 05:43:32 UTC 2009


Author: dannf
Date: Fri Jul 17 05:43:29 2009
New Revision: 13954

Log:
Fix NULL pointer dereference in tun_chr_pool() (CVE-2009-1897)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/3

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Jul 16 20:44:45 2009	(r13953)
+++ dists/sid/linux-2.6/debian/changelog	Fri Jul 17 05:43:29 2009	(r13954)
@@ -9,6 +9,9 @@
   [ Aurelien Jarno ]
   * [ia64] Fix asm/fpu.h includes.
 
+  [ dann frazier ]
+  * Fix NULL pointer dereference in tun_chr_pool() (CVE-2009-1897)
+
  -- Bastian Blank <waldi at debian.org>  Wed, 08 Jul 2009 09:51:46 +0200
 
 linux-2.6 (2.6.30-2) unstable; urgency=low
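Review bot: The added changelog line spells the function tun_chr_pool(), while the function the patch actually changes is tun_chr_poll(), as the hunk header for drivers/net/tun.c shows. Correct the name in the entry so that a search for the function or for CVE-2009-1897 lands on it. Naming the patch file (bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch) in the entry would also make the fix easier to trace.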

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch	Fri Jul 17 05:43:29 2009	(r13954)
@@ -0,0 +1,41 @@
+commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
+Author: Mariusz Kozlowski <m.kozlowski at tuxland.pl>
+Date:   Sun Jul 5 19:48:35 2009 +0000
+
+    tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
+    
+    Fix NULL pointer dereference in tun_chr_pool() introduced by commit
+    33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
+    packets per device") and triggered by this code:
+    
+    	int fd;
+    	struct pollfd pfd;
+    	fd = open("/dev/net/tun", O_RDWR);
+    	pfd.fd = fd;
+    	pfd.events = POLLIN | POLLOUT;
+    	poll(&pfd, 1, 0);
+    
+    Reported-by: Eugene Kapun <abacabadabacaba at gmail.com>
+    Signed-off-by: Mariusz Kozlowski <m.kozlowski at tuxland.pl>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index b393536..027f7ab 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
+ {
+ 	struct tun_file *tfile = file->private_data;
+ 	struct tun_struct *tun = __tun_get(tfile);
+-	struct sock *sk = tun->sk;
++	struct sock *sk;
+ 	unsigned int mask = 0;
+ 
+ 	if (!tun)
+ 		return POLLERR;
+ 
++	sk = tun->sk;
++
+ 	DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
+ 
+ 	poll_wait(file, &tun->socket.wait, wait);
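Review bot: The fix is confined to tun_chr_poll(), so the other callers of __tun_get() in drivers/net/tun.c should be checked for the same ordering problem, where an initializer such as `struct sock *sk = tun->sk;` dereferences the pointer before the `if (!tun)` test is reached. Within this function the ordering is now correct: sk is assigned only after the NULL check returns POLLERR, and the DBG() use of tun->dev->name and the poll_wait() on tun->socket.wait both sit below it. A one-line comment above `sk = tun->sk;` saying that tun can be NULL for a file that was opened but not yet attached would help keep a later cleanup from folding the assignment back into the declaration.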

Modified: dists/sid/linux-2.6/debian/patches/series/3
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/3	Thu Jul 16 20:44:45 2009	(r13953)
+++ dists/sid/linux-2.6/debian/patches/series/3	Fri Jul 17 05:43:29 2009	(r13954)
@@ -1,2 +1,3 @@
 + bugfix/arm/export-__cpuc_flush_dcache_page.patch
 + bugfix/ia64/fix-asm-fpu-h.patch
++ bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch


