[kernel] r14484 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Oct 28 05:47:11 UTC 2009
Author: dannf
Date: Wed Oct 28 05:47:10 2009
New Revision: 14484
Log:
appletalk: Fix skb leak when ipddp interface is not loaded
(CVE-2009-2903)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
- copied unchanged from r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
- copied, changed from r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog Wed Oct 28 05:36:21 2009 (r14483)
+++ dists/etch-security/linux-2.6.24/debian/changelog Wed Oct 28 05:47:10 2009 (r14484)
@@ -6,6 +6,8 @@
* execve: must clear current->clear_child_tid (CVE-2009-2848)
* md: avoid dereferencing NULL pointer when accessing suspend_* sysfs
attributes (CVE-2009-2849)
+ * appletalk: Fix skb leak when ipddp interface is not loaded
+ (CVE-2009-2903)
-- dann frazier <dannf at debian.org> Tue, 27 Oct 2009 22:41:25 -0600
Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch (from r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch Wed Oct 28 05:47:10 2009 (r14484, copy of r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch)
@@ -0,0 +1,182 @@
+commit ffcfb8db540ff879c2a85bf7e404954281443414
+Author: Arnaldo Carvalho de Melo <acme at redhat.com>
+Date: Fri Sep 11 11:35:22 2009 -0700
+
+ Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded
+
+ And also do a better job of returning proper NET_{RX,XMIT}_ values.
+
+ Based on a patch and suggestions by Mark Smith.
+
+ This fixes CVE-2009-2903
+
+ Reported-by: Mark Smith <lk-netdev at lk-netdev.nosense.org>
+ Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/appletalk/ipddp.c linux-source-2.6.26/drivers/net/appletalk/ipddp.c
+--- linux-source-2.6.26.orig/drivers/net/appletalk/ipddp.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/net/appletalk/ipddp.c 2009-09-16 00:03:40.000000000 -0600
+@@ -173,8 +173,7 @@ static int ipddp_xmit(struct sk_buff *sk
+ ((struct net_device_stats *) dev->priv)->tx_packets++;
+ ((struct net_device_stats *) dev->priv)->tx_bytes+=skb->len;
+
+- if(aarp_send_ddp(rt->dev, skb, &rt->at, NULL) < 0)
+- dev_kfree_skb(skb);
++ aarp_send_ddp(rt->dev, skb, &rt->at, NULL);
+
+ return 0;
+ }
+diff -urpN linux-source-2.6.26.orig/net/appletalk/aarp.c linux-source-2.6.26/net/appletalk/aarp.c
+--- linux-source-2.6.26.orig/net/appletalk/aarp.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/appletalk/aarp.c 2009-09-16 00:03:40.000000000 -0600
+@@ -598,7 +598,7 @@ int aarp_send_ddp(struct net_device *dev
+
+ /* Non ELAP we cannot do. */
+ if (dev->type != ARPHRD_ETHER)
+- return -1;
++ goto free_it;
+
+ skb->dev = dev;
+ skb->protocol = htons(ETH_P_ATALK);
+@@ -633,7 +633,7 @@ int aarp_send_ddp(struct net_device *dev
+ if (!a) {
+ /* Whoops slipped... good job it's an unreliable protocol 8) */
+ write_unlock_bh(&aarp_lock);
+- return -1;
++ goto free_it;
+ }
+
+ /* Set up the queue */
+@@ -662,14 +662,19 @@ out_unlock:
+ write_unlock_bh(&aarp_lock);
+
+ /* Tell the ddp layer we have taken over for this frame. */
+- return 0;
++ goto sent;
+
+ sendit:
+ if (skb->sk)
+ skb->priority = skb->sk->sk_priority;
+- dev_queue_xmit(skb);
++ if (dev_queue_xmit(skb))
++ goto drop;
+ sent:
+- return 1;
++ return NET_XMIT_SUCCESS;
++free_it:
++ kfree_skb(skb);
++drop:
++ return NET_XMIT_DROP;
+ }
+
+ /*
+diff -urpN linux-source-2.6.26.orig/net/appletalk/ddp.c linux-source-2.6.26/net/appletalk/ddp.c
+--- linux-source-2.6.26.orig/net/appletalk/ddp.c 2009-09-16 00:03:02.000000000 -0600
++++ linux-source-2.6.26/net/appletalk/ddp.c 2009-09-16 00:03:40.000000000 -0600
+@@ -1276,8 +1276,10 @@ static int handle_ip_over_ddp(struct sk_
+ struct net_device_stats *stats;
+
+ /* This needs to be able to handle ipddp"N" devices */
+- if (!dev)
+- return -ENODEV;
++ if (!dev) {
++ kfree_skb(skb);
++ return NET_RX_DROP;
++ }
+
+ skb->protocol = htons(ETH_P_IP);
+ skb_pull(skb, 13);
+@@ -1287,8 +1289,7 @@ static int handle_ip_over_ddp(struct sk_
+ stats = dev->priv;
+ stats->rx_packets++;
+ stats->rx_bytes += skb->len + 13;
+- netif_rx(skb); /* Send the SKB up to a higher place. */
+- return 0;
++ return netif_rx(skb); /* Send the SKB up to a higher place. */
+ }
+ #else
+ /* make it easy for gcc to optimize this test out, i.e. kill the code */
+@@ -1296,9 +1297,8 @@ static int handle_ip_over_ddp(struct sk_
+ #define handle_ip_over_ddp(skb) 0
+ #endif
+
+-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+- struct ddpehdr *ddp, __u16 len_hops,
+- int origlen)
++static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
++ struct ddpehdr *ddp, __u16 len_hops, int origlen)
+ {
+ struct atalk_route *rt;
+ struct atalk_addr ta;
+@@ -1365,8 +1365,6 @@ static void atalk_route_packet(struct sk
+ /* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */
+ struct sk_buff *nskb = skb_realloc_headroom(skb, 32);
+ kfree_skb(skb);
+- if (!nskb)
+- goto out;
+ skb = nskb;
+ } else
+ skb = skb_unshare(skb, GFP_ATOMIC);
+@@ -1375,12 +1373,16 @@ static void atalk_route_packet(struct sk
+ * If the buffer didn't vanish into the lack of space bitbucket we can
+ * send it.
+ */
+- if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1)
+- goto free_it;
+-out:
+- return;
++ if (skb == NULL)
++ goto drop;
++
++ if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP)
++ return NET_RX_DROP;
++ return NET_XMIT_SUCCESS;
+ free_it:
+ kfree_skb(skb);
++drop:
++ return NET_RX_DROP;
+ }
+
+ /**
+@@ -1454,8 +1456,7 @@ static int atalk_rcv(struct sk_buff *skb
+ /* Not ours, so we route the packet via the correct
+ * AppleTalk iface
+ */
+- atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+- return NET_RX_SUCCESS;
++ return atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+ }
+
+ /* if IP over DDP is not selected this code will be optimized out */
+@@ -1665,10 +1666,10 @@ static int atalk_sendmsg(struct kiocb *i
+ if (skb2) {
+ loopback = 1;
+ SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk);
+- if (aarp_send_ddp(dev, skb2,
+- &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb2);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL);
+ }
+ }
+
+@@ -1698,9 +1699,10 @@ static int atalk_sendmsg(struct kiocb *i
+ usat = &gsat;
+ }
+
+- if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb, &usat->sat_addr, NULL);
+ }
+ SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len);
+
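Review bot: The replacement comment in both atalk_sendmsg hunks, `If it fails it is queued/sent above in the aarp queue`, says the opposite of what the patched aarp_send_ddp() does: its visible failure exits go to `free_it` (kfree_skb) or, after dev_queue_xmit(), to `drop`, so on failure the caller no longer owns the skb and only on success is it queued or sent. The leak fix depends on aarp_send_ddp() consuming the skb on every path, so I would state that contract instead, e.g. `/* aarp_send_ddp() consumes skb on every path: queued, sent, or freed on failure */`, so that a later caller does not reintroduce a leak or a double free. In atalk_route_packet the success exit returns `NET_XMIT_SUCCESS`, while its other exits and its caller atalk_rcv use NET_RX_* codes; `return NET_RX_SUCCESS;` would read consistently (both constants are 0 in mainline, so this is style only). This patch file is copied unchanged from the 2.6.26 backport, and the bodies of aarp_send_ddp and atalk_sendmsg lie mostly outside the hunks shown, so any aarp_send_ddp() caller in the 2.6.24 tree that these hunks do not touch and that still frees the skb after a failed call is worth checking by hand.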
Copied and modified: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch (from r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch)
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch Wed Oct 28 01:27:56 2009 (r14470, copy source)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch Wed Oct 28 05:47:10 2009 (r14484)
@@ -19,21 +19,21 @@
Signed-off-by: Mark Smith <markzzzsmith at yahoo.com.au>
Signed-off-by: David S. Miller <davem at davemloft.net>
-Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
-diff -urpN linux-source-2.6.26.orig/net/appletalk/ddp.c linux-source-2.6.26/net/appletalk/ddp.c
---- linux-source-2.6.26.orig/net/appletalk/ddp.c 2008-07-13 15:51:29.000000000 -0600
-+++ linux-source-2.6.26/net/appletalk/ddp.c 2009-09-15 22:35:19.000000000 -0600
-@@ -1406,7 +1406,7 @@ static int atalk_rcv(struct sk_buff *skb
+diff -urpN linux-source-2.6.24.orig/net/appletalk/ddp.c linux-source-2.6.24/net/appletalk/ddp.c
+--- linux-source-2.6.24.orig/net/appletalk/ddp.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/appletalk/ddp.c 2009-10-27 23:41:24.000000000 -0600
+@@ -1407,7 +1407,7 @@ static int atalk_rcv(struct sk_buff *skb
__u16 len_hops;
- if (dev_net(dev) != &init_net)
+ if (dev->nd_net != &init_net)
- goto freeit;
+ goto drop;
/* Don't mangle buffer if shared */
if (!(skb = skb_share_check(skb, GFP_ATOMIC)))
-@@ -1414,7 +1414,7 @@ static int atalk_rcv(struct sk_buff *skb
+@@ -1415,7 +1415,7 @@ static int atalk_rcv(struct sk_buff *skb
/* Size check and make sure header is contiguous */
if (!pskb_may_pull(skb, sizeof(*ddp)))
@@ -42,7 +42,7 @@
ddp = ddp_hdr(skb);
-@@ -1432,7 +1432,7 @@ static int atalk_rcv(struct sk_buff *skb
+@@ -1433,7 +1433,7 @@ static int atalk_rcv(struct sk_buff *skb
if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) {
pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, "
"skb->len=%u)\n", len_hops & 1023, skb->len);
@@ -51,7 +51,7 @@
}
/*
-@@ -1442,7 +1442,7 @@ static int atalk_rcv(struct sk_buff *skb
+@@ -1443,7 +1443,7 @@ static int atalk_rcv(struct sk_buff *skb
if (ddp->deh_sum &&
atalk_checksum(skb, len_hops & 1023) != ddp->deh_sum)
/* Not a valid AppleTalk frame - dustbin time */
@@ -60,7 +60,7 @@
/* Check the packet is aimed at us */
if (!ddp->deh_dnet) /* Net 0 is 'this network' */
-@@ -1455,7 +1455,7 @@ static int atalk_rcv(struct sk_buff *skb
+@@ -1456,7 +1456,7 @@ static int atalk_rcv(struct sk_buff *skb
* AppleTalk iface
*/
atalk_route_packet(skb, dev, ddp, len_hops, origlen);
@@ -69,7 +69,7 @@
}
/* if IP over DDP is not selected this code will be optimized out */
-@@ -1471,18 +1471,21 @@ static int atalk_rcv(struct sk_buff *skb
+@@ -1472,18 +1472,21 @@ static int atalk_rcv(struct sk_buff *skb
sock = atalk_search_socket(&tosat, atif);
if (!sock) /* But not one of our sockets */
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4 Wed Oct 28 05:36:21 2009 (r14483)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4 Wed Oct 28 05:47:10 2009 (r14484)
@@ -2,3 +2,5 @@
+ bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
+ bugfix/all/execve-must-clear-current-clear_child_tid.patch
+ bugfix/all/md-avoid-NULL-deref-with-suspend-sysfs-attribs.patch
++ bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
++ bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch