[kernel] r16557 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Mon Nov 15 03:12:26 UTC 2010
Author: benh
Date: Mon Nov 15 03:12:15 2010
New Revision: 16557
Log:
x25: Fix remote denial-of-service vulnerabilities
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Patch-to-fix-bug-15678-x25-accesses-fields-beyon.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/28
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Mon Nov 15 02:43:36 2010 (r16556)
+++ dists/sid/linux-2.6/debian/changelog Mon Nov 15 03:12:15 2010 (r16557)
@@ -40,6 +40,10 @@
* [x86] applesmc, bcm5974, btusb, HID, mbp_nvidia_bl, snd-hda-codec-cirrus:
Add support for MacBookAir 3,1 and 3,2 (Closes: #603395)
* [x86] mbp_nvidia_bl: Add support for MacBookPro 7,1
+ * x25: Fix remote denial-of-service vulnerabilities:
+ - x25 accesses fields beyond end of packet
+ - memory corruption in X.25 facilities parsing (CVE-2010-3873)
+ - Prevent crashing when parsing bad X.25 facilities
[ dann frazier ]
* [vserver] Update patch to 2.6.32.25-vs2.3.0.36.29.6
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Patch-to-fix-bug-15678-x25-accesses-fields-beyon.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Patch-to-fix-bug-15678-x25-accesses-fields-beyon.patch Mon Nov 15 03:12:15 2010 (r16557)
@@ -0,0 +1,187 @@
+From: John Hughes <john at calva.com>
+Date: Wed, 7 Apr 2010 21:29:25 -0700
+Subject: [PATCH] x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
+
+commit f5eb917b861828da18dc28854308068c66d1449a upstream.
+
+Here is a patch to stop X.25 examining fields beyond the end of the packet.
+
+For example, when a simple CALL ACCEPTED was received:
+
+ 10 10 0f
+
+x25_parse_facilities was attempting to decode the FACILITIES field, but this
+packet contains no facilities field.
+
+Signed-off-by: John Hughes <john at calva.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/net/x25.h | 4 +++
+ net/x25/af_x25.c | 47 +++++++++++++++++++++++++++++++++++++++++++++-
+ net/x25/x25_facilities.c | 12 ++++++++++-
+ net/x25/x25_in.c | 15 ++++++++++---
+ 4 files changed, 72 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/x25.h b/include/net/x25.h
+index 9baa07d..33f67fb 100644
+--- a/include/net/x25.h
++++ b/include/net/x25.h
+@@ -182,6 +182,10 @@ extern int sysctl_x25_clear_request_timeout;
+ extern int sysctl_x25_ack_holdback_timeout;
+ extern int sysctl_x25_forward;
+
++extern int x25_parse_address_block(struct sk_buff *skb,
++ struct x25_address *called_addr,
++ struct x25_address *calling_addr);
++
+ extern int x25_addr_ntoa(unsigned char *, struct x25_address *,
+ struct x25_address *);
+ extern int x25_addr_aton(unsigned char *, struct x25_address *,
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index 9796f3e..fe26c01 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -82,6 +82,41 @@ struct compat_x25_subscrip_struct {
+ };
+ #endif
+
++
++int x25_parse_address_block(struct sk_buff *skb,
++ struct x25_address *called_addr,
++ struct x25_address *calling_addr)
++{
++ unsigned char len;
++ int needed;
++ int rc;
++
++ if (skb->len < 1) {
++ /* packet has no address block */
++ rc = 0;
++ goto empty;
++ }
++
++ len = *skb->data;
++ needed = 1 + (len >> 4) + (len & 0x0f);
++
++ if (skb->len < needed) {
++ /* packet is too short to hold the addresses it claims
++ to hold */
++ rc = -1;
++ goto empty;
++ }
++
++ return x25_addr_ntoa(skb->data, called_addr, calling_addr);
++
++empty:
++ *called_addr->x25_addr = 0;
++ *calling_addr->x25_addr = 0;
++
++ return rc;
++}
++
++
+ int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr,
+ struct x25_address *calling_addr)
+ {
+@@ -921,16 +956,26 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,
+ /*
+ * Extract the X.25 addresses and convert them to ASCII strings,
+ * and remove them.
++ *
++ * Address block is mandatory in call request packets
+ */
+- addr_len = x25_addr_ntoa(skb->data, &source_addr, &dest_addr);
++ addr_len = x25_parse_address_block(skb, &source_addr, &dest_addr);
++ if (addr_len <= 0)
++ goto out_clear_request;
+ skb_pull(skb, addr_len);
+
+ /*
+ * Get the length of the facilities, skip past them for the moment
+ * get the call user data because this is needed to determine
+ * the correct listener
++ *
++ * Facilities length is mandatory in call request packets
+ */
++ if (skb->len < 1)
++ goto out_clear_request;
+ len = skb->data[0] + 1;
++ if (skb->len < len)
++ goto out_clear_request;
+ skb_pull(skb,len);
+
+ /*
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index a21f664..a2765c6 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -35,7 +35,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
+ {
+ unsigned char *p = skb->data;
+- unsigned int len = *p++;
++ unsigned int len;
+
+ *vc_fac_mask = 0;
+
+@@ -50,6 +50,14 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
+ memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
+
++ if (skb->len < 1)
++ return 0;
++
++ len = *p++;
++
++ if (len >= skb->len)
++ return -1;
++
+ while (len > 0) {
+ switch (*p & X25_FAC_CLASS_MASK) {
+ case X25_FAC_CLASS_A:
+@@ -247,6 +255,8 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk,
+ memcpy(new, ours, sizeof(*new));
+
+ len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
++ if (len < 0)
++ return len;
+
+ /*
+ * They want reverse charging, we won't accept it.
+diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
+index 96d9227..b39072f 100644
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
+ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype)
+ {
+ struct x25_address source_addr, dest_addr;
++ int len;
+
+ switch (frametype) {
+ case X25_CALL_ACCEPTED: {
+@@ -106,11 +107,17 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
+ * Parse the data in the frame.
+ */
+ skb_pull(skb, X25_STD_MIN_LEN);
+- skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr));
+- skb_pull(skb,
+- x25_parse_facilities(skb, &x25->facilities,
++
++ len = x25_parse_address_block(skb, &source_addr,
++ &dest_addr);
++ if (len > 0)
++ skb_pull(skb, len);
++
++ len = x25_parse_facilities(skb, &x25->facilities,
+ &x25->dte_facilities,
+- &x25->vc_facil_mask));
++ &x25->vc_facil_mask);
++ if (len > 0)
++ skb_pull(skb, len);
+ /*
+ * Copy any Call User Data.
+ */
+--
+1.7.2.3
+
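Review bot: In the x25_in.c hunk a negative result from x25_parse_address_block (the packet claims more address digits than it carries) is silently ignored — `if (len > 0) skb_pull(skb, len);` falls through and facilities parsing then runs over the unconsumed address bytes — whereas x25_rx_call_request in the af_x25.c hunk rejects the same condition with `if (addr_len <= 0) goto out_clear_request;`. For a CALL ACCEPTED the address block is optional, so 0 must stay accepted, but -1 should be treated like the other malformed cases; how x25_state1_machine's caller interprets a non-zero return lies outside the hunk, so confirm the rejection path before adding `if (len < 0) return -1;`. The new x25_parse_address_block also has no header comment for its three-way result; I would add one above the definition stating that it returns the number of bytes consumed, 0 when the packet carries no address block, and -1 when the length nibbles claim more bytes than skb->len holds, and that both output addresses are set to empty strings in the latter two cases. Its `needed` value counts one byte per address digit; if x25_addr_ntoa (outside the hunk) packs two digits per byte this check is stricter than necessary and could reject valid packets, which is worth confirming against that function.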
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch Mon Nov 15 03:12:15 2010 (r16557)
@@ -0,0 +1,75 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri, 12 Nov 2010 12:44:42 -0800
+Subject: [PATCH] x25: Prevent crashing when parsing bad X.25 facilities
+
+commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.
+
+Now with improved comma support.
+
+On parsing malformed X.25 facilities, decrementing the remaining length
+may cause it to underflow. Since the length is an unsigned integer,
+this will result in the loop continuing until the kernel crashes.
+
+This patch adds checks to ensure decrementing the remaining length does
+not cause it to wrap around.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/x25/x25_facilities.c | 12 +++++++++---
+ 1 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index 3a8c4c4..55187c8 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ while (len > 0) {
+ switch (*p & X25_FAC_CLASS_MASK) {
+ case X25_FAC_CLASS_A:
++ if (len < 2)
++ return 0;
+ switch (*p) {
+ case X25_FAC_REVERSE:
+ if((p[1] & 0x81) == 0x81) {
+@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ len -= 2;
+ break;
+ case X25_FAC_CLASS_B:
++ if (len < 3)
++ return 0;
+ switch (*p) {
+ case X25_FAC_PACKET_SIZE:
+ facilities->pacsize_in = p[1];
+@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ len -= 3;
+ break;
+ case X25_FAC_CLASS_C:
++ if (len < 4)
++ return 0;
+ printk(KERN_DEBUG "X.25: unknown facility %02X, "
+ "values %02X, %02X, %02X\n",
+ p[0], p[1], p[2], p[3]);
+@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ len -= 4;
+ break;
+ case X25_FAC_CLASS_D:
++ if (len < p[1] + 2)
++ return 0;
+ switch (*p) {
+ case X25_FAC_CALLING_AE:
+ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ break;
+ default:
+ printk(KERN_DEBUG "X.25: unknown facility %02X,"
+- "length %d, values %02X, %02X, "
+- "%02X, %02X\n",
+- p[0], p[1], p[2], p[3], p[4], p[5]);
++ "length %d\n", p[0], p[1]);
+ break;
+ }
+ len -= p[1] + 2;
+--
+1.7.2.3
+
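Review bot: The new CLASS_D guard `if (len < p[1] + 2) return 0;` reads p[1] before establishing that a second byte lies within the remaining length, so with len == 1 it reads one byte past the declared facilities field (the `len >= skb->len` check added by the bug-15678 patch in this commit only guarantees bytes up to that declared length). Check the fixed part first: `if (len < 2 || len < p[1] + 2) return 0;`. These truncation paths also return 0 while the over-length case returns -1; x25_negotiate_facilities in the bug-15678 patch only rejects a negative result (`if (len < 0) return len;`), so a block truncated mid-facility is treated there as an empty one and negotiation continues on whatever was parsed before the cut — if that is not intended, returning -1 here would be consistent with the other malformed case. The body of x25_parse_facilities continues outside these hunks.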
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch Mon Nov 15 03:12:15 2010 (r16557)
@@ -0,0 +1,54 @@
+From: andrew hendry <andrew.hendry at gmail.com>
+Date: Wed, 3 Nov 2010 12:54:53 +0000
+Subject: [PATCH] memory corruption in X.25 facilities parsing
+
+commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.
+
+Signed-of-by: Andrew Hendry <andrew.hendry at gmail.com>
+
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/x25/x25_facilities.c | 8 ++++----
+ net/x25/x25_in.c | 2 ++
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index 771bab0..3a8c4c4 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ case X25_FAC_CLASS_D:
+ switch (*p) {
+ case X25_FAC_CALLING_AE:
+- if (p[1] > X25_MAX_DTE_FACIL_LEN)
+- break;
++ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++ return 0;
+ dte_facs->calling_len = p[2];
+ memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
+ *vc_fac_mask |= X25_MASK_CALLING_AE;
+ break;
+ case X25_FAC_CALLED_AE:
+- if (p[1] > X25_MAX_DTE_FACIL_LEN)
+- break;
++ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++ return 0;
+ dte_facs->called_len = p[2];
+ memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
+ *vc_fac_mask |= X25_MASK_CALLED_AE;
+diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
+index 6317896..f729f02 100644
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
+ &x25->vc_facil_mask);
+ if (len > 0)
+ skb_pull(skb, len);
++ else
++ return -1;
+ /*
+ * Copy any Call User Data.
+ */
+--
+1.7.2.3
+
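Review bot: The x25_in.c hunk's `else return -1;` now rejects any CALL ACCEPTED for which x25_parse_facilities returns 0, which per the bug-15678 patch in this same commit is also the result when the packet carries no facilities field at all (`if (skb->len < 1) return 0;`) — the very `10 10 0f` packet that patch cites as legitimate. If rejecting such frames is intended, say so at the `else`, e.g. `/* absent or malformed facilities: reject the call */`; otherwise the absent case needs to stay distinguishable from the malformed one, for instance by having the parser return -1 only on malformed input and accepting 0 here. How x25_state1_machine's caller treats a -1 return is outside the hunk; if a non-zero value is read as "skb queued", the buffer would not be freed on this path, so confirm it reaches the same free path as other rejected frames. In the x25_facilities.c hunk `dte_facs->calling_len = p[2]` (and called_len) is still taken from the packet without being bounded by the `p[1] - 1` bytes actually copied into the buffer; consumers of these lengths are not visible here, but a value larger than the copied bytes would let them read stale buffer contents, so clamping it is worth considering.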
Modified: dists/sid/linux-2.6/debian/patches/series/28
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/28 Mon Nov 15 02:43:36 2010 (r16556)
+++ dists/sid/linux-2.6/debian/patches/series/28 Mon Nov 15 03:12:15 2010 (r16557)
@@ -35,3 +35,6 @@
+ features/x86/hwmon-applesmc-Add-MacBookAir3-1-3-2-support.patch
+ features/x86/input-bcm5974-Add-support-for-MacBookAir3.patch
+ features/x86/backlight-mbp_nvidia_bl-add-support-for-MacBookPro7-1.patch
++ bugfix/all/x25-Patch-to-fix-bug-15678-x25-accesses-fields-beyon.patch
++ bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch
++ bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch