[kernel] r16537 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Nov 8 15:12:01 UTC 2010 

Author: dannf
Date: Mon Nov  8 15:11:54 2010
New Revision: 16537

Log:
X.25: memory corruption in X.25 facilities parsing (CVE-2010-3873)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Nov  8 10:40:21 2010	(r16536)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Nov  8 15:11:54 2010	(r16537)
@@ -11,6 +11,7 @@
   * thinkpad-acpi: lock down video output state access (CVE-2010-3448)
   * sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
   * setup_arg_pages: diagnose excessive argument size (CVE-2010-3858)
+  * X.25: memory corruption in X.25 facilities parsing (CVE-2010-3873)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch	Mon Nov  8 15:11:54 2010	(r16537)
@@ -0,0 +1,178 @@
+commit f5eb917b861828da18dc28854308068c66d1449a
+Author: John Hughes <john at calva.com>
+Date:   Wed Apr 7 21:29:25 2010 -0700
+
+    x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
+    
+    Here is a patch to stop X.25 examining fields beyond the end of the packet.
+    
+    For example, when a simple CALL ACCEPTED was received:
+    
+    	10 10 0f
+    
+    x25_parse_facilities was attempting to decode the FACILITIES field, but this
+    packet contains no facilities field.
+    
+    Signed-off-by: John Hughes <john at calva.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/include/net/x25.h b/include/net/x25.h
+index 9baa07d..33f67fb 100644
+--- a/include/net/x25.h
++++ b/include/net/x25.h
+@@ -182,6 +182,10 @@ extern int  sysctl_x25_clear_request_timeout;
+ extern int  sysctl_x25_ack_holdback_timeout;
+ extern int  sysctl_x25_forward;
+ 
++extern int x25_parse_address_block(struct sk_buff *skb,
++		struct x25_address *called_addr,
++		struct x25_address *calling_addr);
++
+ extern int  x25_addr_ntoa(unsigned char *, struct x25_address *,
+ 			  struct x25_address *);
+ extern int  x25_addr_aton(unsigned char *, struct x25_address *,
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index 9796f3e..fe26c01 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -82,6 +82,41 @@ struct compat_x25_subscrip_struct {
+ };
+ #endif
+ 
++
++int x25_parse_address_block(struct sk_buff *skb,
++		struct x25_address *called_addr,
++		struct x25_address *calling_addr)
++{
++	unsigned char len;
++	int needed;
++	int rc;
++
++	if (skb->len < 1) {
++		/* packet has no address block */
++		rc = 0;
++		goto empty;
++	}
++
++	len = *skb->data;
++	needed = 1 + (len >> 4) + (len & 0x0f);
++
++	if (skb->len < needed) {
++		/* packet is too short to hold the addresses it claims
++		   to hold */
++		rc = -1;
++		goto empty;
++	}
++
++	return x25_addr_ntoa(skb->data, called_addr, calling_addr);
++
++empty:
++	*called_addr->x25_addr = 0;
++	*calling_addr->x25_addr = 0;
++
++	return rc;
++}
++
++
+ int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr,
+ 		  struct x25_address *calling_addr)
+ {
+@@ -921,16 +956,26 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,
+ 	/*
+ 	 *	Extract the X.25 addresses and convert them to ASCII strings,
+ 	 *	and remove them.
++	 *
++	 *	Address block is mandatory in call request packets
+ 	 */
+-	addr_len = x25_addr_ntoa(skb->data, &source_addr, &dest_addr);
++	addr_len = x25_parse_address_block(skb, &source_addr, &dest_addr);
++	if (addr_len <= 0)
++		goto out_clear_request;
+ 	skb_pull(skb, addr_len);
+ 
+ 	/*
+ 	 *	Get the length of the facilities, skip past them for the moment
+ 	 *	get the call user data because this is needed to determine
+ 	 *	the correct listener
++	 *
++	 *	Facilities length is mandatory in call request packets
+ 	 */
++	if (skb->len < 1)
++		goto out_clear_request;
+ 	len = skb->data[0] + 1;
++	if (skb->len < len)
++		goto out_clear_request;
+ 	skb_pull(skb,len);
+ 
+ 	/*
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index a21f664..a2765c6 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -35,7 +35,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 		struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
+ {
+ 	unsigned char *p = skb->data;
+-	unsigned int len = *p++;
++	unsigned int len;
+ 
+ 	*vc_fac_mask = 0;
+ 
+@@ -50,6 +50,14 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 	memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
+ 	memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
+ 
++	if (skb->len < 1)
++		return 0;
++
++	len = *p++;
++
++	if (len >= skb->len)
++		return -1;
++
+ 	while (len > 0) {
+ 		switch (*p & X25_FAC_CLASS_MASK) {
+ 		case X25_FAC_CLASS_A:
+@@ -247,6 +255,8 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk,
+ 	memcpy(new, ours, sizeof(*new));
+ 
+ 	len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
++	if (len < 0)
++		return len;
+ 
+ 	/*
+ 	 *	They want reverse charging, we won't accept it.
+diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
+index 96d9227..b39072f 100644
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
+ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype)
+ {
+ 	struct x25_address source_addr, dest_addr;
++	int len;
+ 
+ 	switch (frametype) {
+ 		case X25_CALL_ACCEPTED: {
+@@ -106,11 +107,17 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
+ 			 *	Parse the data in the frame.
+ 			 */
+ 			skb_pull(skb, X25_STD_MIN_LEN);
+-			skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr));
+-			skb_pull(skb,
+-				 x25_parse_facilities(skb, &x25->facilities,
++
++			len = x25_parse_address_block(skb, &source_addr,
++						&dest_addr);
++			if (len > 0)
++				skb_pull(skb, len);
++
++			len = x25_parse_facilities(skb, &x25->facilities,
+ 						&x25->dte_facilities,
+-						&x25->vc_facil_mask));
++						&x25->vc_facil_mask);
++			if (len > 0)
++				skb_pull(skb, len);
+ 			/*
+ 			 *	Copy any Call User Data.
+ 			 */

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch	Mon Nov  8 15:11:54 2010	(r16537)
@@ -0,0 +1,47 @@
+commit 5dc84345aee17d6e4feda954e0fd835c95120b5c
+Author: andrew hendry <andrew.hendry at gmail.com>
+Date:   Wed Nov 3 12:54:53 2010 +0000
+
+    memory corruption in X.25 facilities parsing
+    
+    Signed-of-by: Andrew Hendry <andrew.hendry at gmail.com>
+    
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index a2765c6..79cf932 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 		case X25_FAC_CLASS_D:
+ 			switch (*p) {
+ 			case X25_FAC_CALLING_AE:
+-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-					break;
++				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++					return 0;
+ 				dte_facs->calling_len = p[2];
+ 				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
+ 				*vc_fac_mask |= X25_MASK_CALLING_AE;
+ 				break;
+ 			case X25_FAC_CALLED_AE:
+-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-					break;
++				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++					return 0;
+ 				dte_facs->called_len = p[2];
+ 				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
+ 				*vc_fac_mask |= X25_MASK_CALLED_AE;
+diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
+index 5695065..88d7652 100644
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -118,6 +118,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
+ 						&x25->vc_facil_mask);
+ 			if (len > 0)
+ 				skb_pull(skb, len);
++			else
++				return -1;
+ 			/*
+ 			 *	Copy any Call User Data.
+ 			 */

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Nov  8 10:40:21 2010	(r16536)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Nov  8 15:11:54 2010	(r16537)
@@ -9,3 +9,5 @@
 + bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
 + bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
 + bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
++ bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
++ bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch

More information about the Kernel-svn-changes mailing list