[kernel] r13954 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Jul 17 05:43:32 UTC 2009
Author: dannf
Date: Fri Jul 17 05:43:29 2009
New Revision: 13954
Log:
Fix NULL pointer dereference in tun_chr_poll() (CVE-2009-1897)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/3
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Jul 16 20:44:45 2009 (r13953)
+++ dists/sid/linux-2.6/debian/changelog Fri Jul 17 05:43:29 2009 (r13954)
@@ -9,6 +9,9 @@
[ Aurelien Jarno ]
* [ia64] Fix asm/fpu.h includes.
+ [ dann frazier ]
+ * Fix NULL pointer dereference in tun_chr_pool() (CVE-2009-1897)
+
-- Bastian Blank <waldi at debian.org> Wed, 08 Jul 2009 09:51:46 +0200
linux-2.6 (2.6.30-2) unstable; urgency=low
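Review bot: The added changelog entry names the function as tun_chr_pool(), but the function touched by the patch added in this same revision is tun_chr_poll() (see its hunk header, "static unsigned int tun_chr_poll(struct file *file, poll_table * wait)"). Correct the name in the entry so that a search of the changelog for the function or the CVE finds a matching identifier. The entry could also name the patch file, bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch, so the fix can be traced from the changelog to the series.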
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch Fri Jul 17 05:43:29 2009 (r13954)
@@ -0,0 +1,41 @@
+commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
+Author: Mariusz Kozlowski <m.kozlowski at tuxland.pl>
+Date: Sun Jul 5 19:48:35 2009 +0000
+
+ tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
+
+ Fix NULL pointer dereference in tun_chr_pool() introduced by commit
+ 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
+ packets per device") and triggered by this code:
+
+ int fd;
+ struct pollfd pfd;
+ fd = open("/dev/net/tun", O_RDWR);
+ pfd.fd = fd;
+ pfd.events = POLLIN | POLLOUT;
+ poll(&pfd, 1, 0);
+
+ Reported-by: Eugene Kapun <abacabadabacaba at gmail.com>
+ Signed-off-by: Mariusz Kozlowski <m.kozlowski at tuxland.pl>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index b393536..027f7ab 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
+ {
+ struct tun_file *tfile = file->private_data;
+ struct tun_struct *tun = __tun_get(tfile);
+- struct sock *sk = tun->sk;
++ struct sock *sk;
+ unsigned int mask = 0;
+
+ if (!tun)
+ return POLLERR;
+
++ sk = tun->sk;
++
+ DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
+
+ poll_wait(file, &tun->socket.wait, wait);
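Review bot: In the embedded tun.c hunk, the new "sk = tun->sk;" placed after the "if (!tun)" check has no comment explaining why the assignment is split from the declaration, so a later cleanup could fold it back into the initializer and restore the dereference ahead of the NULL test. A one-line comment above the assignment, stating that tun is NULL on a descriptor that was only opened (the case in the reproducer from the commit message) and that sk must be read only after the check, would guard against that. The DBG() line also dereferences tun and is correctly left after the check. Separately, the imported patch header carries only the upstream commit text; a line recording which Debian kernel versions include commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 would make the scope of the fix clear.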
Modified: dists/sid/linux-2.6/debian/patches/series/3
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/3 Thu Jul 16 20:44:45 2009 (r13953)
+++ dists/sid/linux-2.6/debian/patches/series/3 Fri Jul 17 05:43:29 2009 (r13954)
@@ -1,2 +1,3 @@
+ bugfix/arm/export-__cpuc_flush_dcache_page.patch
+ bugfix/ia64/fix-asm-fpu-h.patch
++ bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch