[kernel] r14962 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Jan 21 05:50:37 UTC 2010 

Author: dannf
Date: Thu Jan 21 05:50:34 2010
New Revision: 14962

Log:
mac80211: fix spurious delBA handling (CVE-2009-4027)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch
   dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
Modified:
   dists/lenny-security/linux-2.6/debian/changelog

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Jan 21 01:12:08 2010	(r14961)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Jan 21 05:50:34 2010	(r14962)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.26-21lenny1) UNRELEASED; urgency=high
+
+  * mac80211: fix spurious delBA handling (CVE-2009-4027)
+
+ -- dann frazier <dannf at debian.org>  Tue, 19 Jan 2010 22:24:31 -0700
+
 linux-2.6 (2.6.26-21) stable; urgency=high
 
   [ Ben Hutchings ]

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch	Thu Jan 21 05:50:34 2010	(r14962)
@@ -0,0 +1,120 @@
+commit 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7
+Author: Johannes Berg <johannes at sipsolutions.net>
+Date:   Sun Nov 22 12:28:41 2009 +0100
+
+    mac80211: fix spurious delBA handling
+    
+    Lennert Buytenhek noticed that delBA handling in mac80211
+    was broken and has remotely triggerable problems, some of
+    which are due to some code shuffling I did that ended up
+    changing the order in which things were done -- this was
+    
+      commit d75636ef9c1af224f1097941879d5a8db7cd04e5
+      Author: Johannes Berg <johannes at sipsolutions.net>
+      Date:   Tue Feb 10 21:25:53 2009 +0100
+    
+        mac80211: RX aggregation: clean up stop session
+    
+    and other parts were already present in the original
+    
+      commit d92684e66091c0f0101819619b315b4bb8b5bcc5
+      Author: Ron Rindjunsky <ron.rindjunsky at intel.com>
+      Date:   Mon Jan 28 14:07:22 2008 +0200
+    
+          mac80211: A-MPDU Tx add delBA from recipient support
+    
+    The first problem is that I moved a BUG_ON before various
+    checks -- thereby making it possible to hit. As the comment
+    indicates, the BUG_ON can be removed since the ampdu_action
+    callback must already exist when the state is != IDLE.
+    
+    The second problem isn't easily exploitable but there's a
+    race condition due to unconditionally setting the state to
+    OPERATIONAL when a delBA frame is received, even when no
+    aggregation session was ever initiated. All the drivers
+    accept stopping the session even then, but that opens a
+    race window where crashes could happen before the driver
+    accepts it. Right now, a WARN_ON may happen with non-HT
+    drivers, while the race opens only for HT drivers.
+    
+    For this case, there are two things necessary to fix it:
+     1) don't process spurious delBA frames, and be more careful
+        about the session state; don't drop the lock
+    
+     2) HT drivers need to be prepared to handle a session stop
+        even before the session was really started -- this is
+        true for all drivers (that support aggregation) but
+        iwlwifi which can be fixed easily. The other HT drivers
+        (ath9k and ar9170) are behaving properly already.
+    
+    Reported-by: Lennert Buytenhek <buytenh at marvell.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Johannes Berg <johannes at sipsolutions.net>
+    Signed-off-by: John W. Linville <linville at tuxdriver.com>
+
+Second case backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/wireless/iwlwifi/iwl-4965.c linux-source-2.6.26/drivers/net/wireless/iwlwifi/iwl-4965.c
+--- linux-source-2.6.26.orig/drivers/net/wireless/iwlwifi/iwl-4965.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/net/wireless/iwlwifi/iwl-4965.c	2010-01-19 21:54:16.000000000 -0700
+@@ -4842,8 +4842,16 @@ static int iwl4965_mac_ht_tx_agg_stop(st
+ 	if (sta_id == IWL_INVALID_STATION)
+ 		return -ENXIO;
+ 
++	if (priv->stations[sta_id].tid[tid].agg.state ==
++				IWL_EMPTYING_HW_QUEUE_ADDBA) {
++		IWL_DEBUG_HT("AGG stop before setup done\n");
++		ieee80211_stop_tx_ba_cb_irqsafe(priv->hw, da, tid);
++		priv->stations[sta_id].tid[tid].agg.state = IWL_AGG_OFF;
++		return 0;
++	}
++
+ 	if (priv->stations[sta_id].tid[tid].agg.state != IWL_AGG_ON)
+-		IWL_WARNING("Stopping AGG while state not IWL_AGG_ON\n");
++		IWL_WARNING("Stopping AGG while state not ON or starting\n");
+ 
+ 	tid_data = &priv->stations[sta_id].tid[tid];
+ 	ssn = (tid_data->seq_number & IEEE80211_SCTL_SEQ) >> 4;
+diff -urpN linux-source-2.6.26.orig/include/net/mac80211.h linux-source-2.6.26/include/net/mac80211.h
+--- linux-source-2.6.26.orig/include/net/mac80211.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/net/mac80211.h	2010-01-19 21:46:53.000000000 -0700
+@@ -957,6 +957,12 @@ enum ieee80211_filter_flags {
+  *
+  * These flags are used with the ampdu_action() callback in
+  * &struct ieee80211_ops to indicate which action is needed.
++ *
++ * Note that drivers MUST be able to deal with a TX aggregation
++ * session being stopped even before they OK'ed starting it by
++ * calling ieee80211_start_tx_ba_cb(_irqsafe), because the peer
++ * might receive the addBA frame and send a delBA right away!
++ *
+  * @IEEE80211_AMPDU_RX_START: start Rx aggregation
+  * @IEEE80211_AMPDU_RX_STOP: stop Rx aggregation
+  * @IEEE80211_AMPDU_TX_START: start Tx aggregation
+--- linux-source-2.6.26.orig/net/mac80211/mlme.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/mac80211/mlme.c	2010-01-20 17:29:08.000000000 -0700
+@@ -1597,11 +1597,20 @@
+ 						 WLAN_BACK_INITIATOR, 0);
+ 	else { /* WLAN_BACK_RECIPIENT */
+ 		spin_lock_bh(&sta->ampdu_mlme.ampdu_tx);
+-		sta->ampdu_mlme.tid_state_tx[tid] =
+-				HT_AGG_STATE_OPERATIONAL;
++		if (sta->ampdu_mlme.tid_state_tx[tid] & HT_ADDBA_REQUESTED_MSK) {
++			u8 *state = &sta->ampdu_mlme.tid_state_tx[tid];
++
++			if (*state == HT_AGG_STATE_OPERATIONAL)
++				sta->ampdu_mlme.tid_state_tx[tid] = 0;
++
++			*state = HT_AGG_STATE_REQ_STOP_BA_MSK |
++				(WLAN_BACK_RECIPIENT << HT_AGG_STATE_INITIATOR_SHIFT);
++
++			if (local->ops->ampdu_action)
++				local->ops->ampdu_action(&local->hw, IEEE80211_AMPDU_TX_STOP,
++							 sta->addr, tid, NULL);
++		}
+ 		spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
+-		ieee80211_stop_tx_ba_session(&local->hw, sta->addr, tid,
+-					     WLAN_BACK_RECIPIENT);
+ 	}
+ 	rcu_read_unlock();
+ }

Added: dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny1	Thu Jan 21 05:50:34 2010	(r14962)
@@ -0,0 +1 @@
++ bugfix/all/mac80211-fix-spurious-delBA-handling.patch

More information about the Kernel-svn-changes mailing list