[kernel] r14297 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Sep 25 19:11:36 UTC 2009
Author: dannf
Date: Fri Sep 25 19:11:34 2009
New Revision: 14297
Log:
appletalk: Fix skb leak when ipddp interface is not loaded
(CVE-2009-2903)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
dists/lenny-security/linux-2.6/debian/patches/series/19lenny1
Modified:
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Fri Sep 25 17:01:43 2009 (r14296)
+++ dists/lenny-security/linux-2.6/debian/changelog Fri Sep 25 19:11:34 2009 (r14297)
@@ -1,3 +1,10 @@
+linux-2.6 (2.6.26-19lenny1) UNRELEASED; urgency=high
+
+ * appletalk: Fix skb leak when ipddp interface is not loaded
+ (CVE-2009-2903)
+
+ -- dann frazier <dannf at debian.org> Tue, 15 Sep 2009 22:54:06 -0600
+
linux-2.6 (2.6.26-19) stable; urgency=high
[ Moritz Muehlenhoff ]
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch Fri Sep 25 19:11:34 2009 (r14297)
@@ -0,0 +1,182 @@
+commit ffcfb8db540ff879c2a85bf7e404954281443414
+Author: Arnaldo Carvalho de Melo <acme at redhat.com>
+Date: Fri Sep 11 11:35:22 2009 -0700
+
+ Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded
+
+ And also do a better job of returning proper NET_{RX,XMIT}_ values.
+
+ Based on a patch and suggestions by Mark Smith.
+
+ This fixes CVE-2009-2903
+
+ Reported-by: Mark Smith <lk-netdev at lk-netdev.nosense.org>
+ Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/appletalk/ipddp.c linux-source-2.6.26/drivers/net/appletalk/ipddp.c
+--- linux-source-2.6.26.orig/drivers/net/appletalk/ipddp.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/net/appletalk/ipddp.c 2009-09-16 00:03:40.000000000 -0600
+@@ -173,8 +173,7 @@ static int ipddp_xmit(struct sk_buff *sk
+ ((struct net_device_stats *) dev->priv)->tx_packets++;
+ ((struct net_device_stats *) dev->priv)->tx_bytes+=skb->len;
+
+- if(aarp_send_ddp(rt->dev, skb, &rt->at, NULL) < 0)
+- dev_kfree_skb(skb);
++ aarp_send_ddp(rt->dev, skb, &rt->at, NULL);
+
+ return 0;
+ }
+diff -urpN linux-source-2.6.26.orig/net/appletalk/aarp.c linux-source-2.6.26/net/appletalk/aarp.c
+--- linux-source-2.6.26.orig/net/appletalk/aarp.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/appletalk/aarp.c 2009-09-16 00:03:40.000000000 -0600
+@@ -598,7 +598,7 @@ int aarp_send_ddp(struct net_device *dev
+
+ /* Non ELAP we cannot do. */
+ if (dev->type != ARPHRD_ETHER)
+- return -1;
++ goto free_it;
+
+ skb->dev = dev;
+ skb->protocol = htons(ETH_P_ATALK);
+@@ -633,7 +633,7 @@ int aarp_send_ddp(struct net_device *dev
+ if (!a) {
+ /* Whoops slipped... good job it's an unreliable protocol 8) */
+ write_unlock_bh(&aarp_lock);
+- return -1;
++ goto free_it;
+ }
+
+ /* Set up the queue */
+@@ -662,14 +662,19 @@ out_unlock:
+ write_unlock_bh(&aarp_lock);
+
+ /* Tell the ddp layer we have taken over for this frame. */
+- return 0;
++ goto sent;
+
+ sendit:
+ if (skb->sk)
+ skb->priority = skb->sk->sk_priority;
+- dev_queue_xmit(skb);
++ if (dev_queue_xmit(skb))
++ goto drop;
+ sent:
+- return 1;
++ return NET_XMIT_SUCCESS;
++free_it:
++ kfree_skb(skb);
++drop:
++ return NET_XMIT_DROP;
+ }
+
+ /*
+diff -urpN linux-source-2.6.26.orig/net/appletalk/ddp.c linux-source-2.6.26/net/appletalk/ddp.c
+--- linux-source-2.6.26.orig/net/appletalk/ddp.c 2009-09-16 00:03:02.000000000 -0600
++++ linux-source-2.6.26/net/appletalk/ddp.c 2009-09-16 00:03:40.000000000 -0600
+@@ -1276,8 +1276,10 @@ static int handle_ip_over_ddp(struct sk_
+ struct net_device_stats *stats;
+
+ /* This needs to be able to handle ipddp"N" devices */
+- if (!dev)
+- return -ENODEV;
++ if (!dev) {
++ kfree_skb(skb);
++ return NET_RX_DROP;
++ }
+
+ skb->protocol = htons(ETH_P_IP);
+ skb_pull(skb, 13);
+@@ -1287,8 +1289,7 @@ static int handle_ip_over_ddp(struct sk_
+ stats = dev->priv;
+ stats->rx_packets++;
+ stats->rx_bytes += skb->len + 13;
+- netif_rx(skb); /* Send the SKB up to a higher place. */
+- return 0;
++ return netif_rx(skb); /* Send the SKB up to a higher place. */
+ }
+ #else
+ /* make it easy for gcc to optimize this test out, i.e. kill the code */
+@@ -1296,9 +1297,8 @@ static int handle_ip_over_ddp(struct sk_
+ #define handle_ip_over_ddp(skb) 0
+ #endif
+
+-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+- struct ddpehdr *ddp, __u16 len_hops,
+- int origlen)
++static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
++ struct ddpehdr *ddp, __u16 len_hops, int origlen)
+ {
+ struct atalk_route *rt;
+ struct atalk_addr ta;
+@@ -1365,8 +1365,6 @@ static void atalk_route_packet(struct sk
+ /* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */
+ struct sk_buff *nskb = skb_realloc_headroom(skb, 32);
+ kfree_skb(skb);
+- if (!nskb)
+- goto out;
+ skb = nskb;
+ } else
+ skb = skb_unshare(skb, GFP_ATOMIC);
+@@ -1375,12 +1373,16 @@ static void atalk_route_packet(struct sk
+ * If the buffer didn't vanish into the lack of space bitbucket we can
+ * send it.
+ */
+- if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1)
+- goto free_it;
+-out:
+- return;
++ if (skb == NULL)
++ goto drop;
++
++ if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP)
++ return NET_RX_DROP;
++ return NET_XMIT_SUCCESS;
+ free_it:
+ kfree_skb(skb);
++drop:
++ return NET_RX_DROP;
+ }
+
+ /**
+@@ -1454,8 +1456,7 @@ static int atalk_rcv(struct sk_buff *skb
+ /* Not ours, so we route the packet via the correct
+ * AppleTalk iface
+ */
+- atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+- return NET_RX_SUCCESS;
++ return atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+ }
+
+ /* if IP over DDP is not selected this code will be optimized out */
+@@ -1665,10 +1666,10 @@ static int atalk_sendmsg(struct kiocb *i
+ if (skb2) {
+ loopback = 1;
+ SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk);
+- if (aarp_send_ddp(dev, skb2,
+- &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb2);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL);
+ }
+ }
+
+@@ -1698,9 +1699,10 @@ static int atalk_sendmsg(struct kiocb *i
+ usat = &gsat;
+ }
+
+- if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb, &usat->sat_addr, NULL);
+ }
+ SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len);
+
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch Fri Sep 25 19:11:34 2009 (r14297)
@@ -0,0 +1,99 @@
+commit 6885ffb3a1b4abf731fd0891a2c1544a83c2651d
+Author: Mark Smith <lk-netdev at lk-netdev.nosense.org>
+Date: Thu Aug 6 23:21:22 2009 +0000
+
+ Use correct NET_RX_* returns for atalk_rcv()
+
+ In all rx'd SKB cases, atalk_rcv() either eventually jumps to or falls through
+ to the label out:, which returns numeric 0. Numeric 0 corresponds to
+ NET_RX_SUCCESS, which is incorrect in failed SKB cases.
+
+ This patch makes atalk_rcv() provide the correct returns by:
+
+ o explicitly returning NET_RX_SUCCESS in the two success cases
+ o having the out: label return NET_RX_DROP, instead of numeric 0
+ o making the failed SKB labels and processing more consistent with other
+ _rcv() routines in the kernel, simplifying validation and removing a
+ backwards goto
+
+ Signed-off-by: Mark Smith <markzzzsmith at yahoo.com.au>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/net/appletalk/ddp.c linux-source-2.6.26/net/appletalk/ddp.c
+--- linux-source-2.6.26.orig/net/appletalk/ddp.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/appletalk/ddp.c 2009-09-15 22:35:19.000000000 -0600
+@@ -1406,7 +1406,7 @@ static int atalk_rcv(struct sk_buff *skb
+ __u16 len_hops;
+
+ if (dev_net(dev) != &init_net)
+- goto freeit;
++ goto drop;
+
+ /* Don't mangle buffer if shared */
+ if (!(skb = skb_share_check(skb, GFP_ATOMIC)))
+@@ -1414,7 +1414,7 @@ static int atalk_rcv(struct sk_buff *skb
+
+ /* Size check and make sure header is contiguous */
+ if (!pskb_may_pull(skb, sizeof(*ddp)))
+- goto freeit;
++ goto drop;
+
+ ddp = ddp_hdr(skb);
+
+@@ -1432,7 +1432,7 @@ static int atalk_rcv(struct sk_buff *skb
+ if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) {
+ pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, "
+ "skb->len=%u)\n", len_hops & 1023, skb->len);
+- goto freeit;
++ goto drop;
+ }
+
+ /*
+@@ -1442,7 +1442,7 @@ static int atalk_rcv(struct sk_buff *skb
+ if (ddp->deh_sum &&
+ atalk_checksum(skb, len_hops & 1023) != ddp->deh_sum)
+ /* Not a valid AppleTalk frame - dustbin time */
+- goto freeit;
++ goto drop;
+
+ /* Check the packet is aimed at us */
+ if (!ddp->deh_dnet) /* Net 0 is 'this network' */
+@@ -1455,7 +1455,7 @@ static int atalk_rcv(struct sk_buff *skb
+ * AppleTalk iface
+ */
+ atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+- goto out;
++ return NET_RX_SUCCESS;
+ }
+
+ /* if IP over DDP is not selected this code will be optimized out */
+@@ -1471,18 +1471,21 @@ static int atalk_rcv(struct sk_buff *skb
+
+ sock = atalk_search_socket(&tosat, atif);
+ if (!sock) /* But not one of our sockets */
+- goto freeit;
++ goto drop;
+
+ /* Queue packet (standard) */
+ skb->sk = sock;
+
+ if (sock_queue_rcv_skb(sock, skb) < 0)
+- goto freeit;
+-out:
+- return 0;
+-freeit:
++ goto drop;
++
++ return NET_RX_SUCCESS;
++
++drop:
+ kfree_skb(skb);
+- goto out;
++out:
++ return NET_RX_DROP;
++
+ }
+
+ /*
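Review bot: The `out:` label is kept only for a path on which the skb is already gone (presumably the `goto out` after the skb_share_check failure, just past the first context hunk, where skb_share_check has consumed the buffer), yet it now sits directly under `drop:` / `kfree_skb(skb)` with nothing marking the difference, so a later cleanup that merges the two labels would introduce a double free. I would document it inline: `out:	/* skb already consumed (e.g. skb_share_check failure); do not free here */`. The stray blank line before the closing brace after `return NET_RX_DROP;` is a style nit worth dropping in the backport. atalk_rcv's body starts before this hunk.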
Added: dists/lenny-security/linux-2.6/debian/patches/series/19lenny1
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/19lenny1 Fri Sep 25 19:11:34 2009 (r14297)
@@ -0,0 +1,2 @@
++ bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
++ bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch