[kernel] r16557 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Mon Nov 15 03:12:26 UTC 2010 

Author: benh
Date: Mon Nov 15 03:12:15 2010
New Revision: 16557

Log:
x25: Fix remote denial-of-service vulnerabilities

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Patch-to-fix-bug-15678-x25-accesses-fields-beyon.patch
   dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch
   dists/sid/linux-2.6/debian/patches/bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/28

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Mon Nov 15 02:43:36 2010	(r16556)
+++ dists/sid/linux-2.6/debian/changelog	Mon Nov 15 03:12:15 2010	(r16557)
@@ -40,6 +40,10 @@
   * [x86] applesmc, bcm5974, btusb, HID, mbp_nvidia_bl, snd-hda-codec-cirrus:
     Add support for MacBookAir 3,1 and 3,2 (Closes: #603395)
   * [x86] mbp_nvidia_bl: Add support for MacBookPro 7,1
+  * x25: Fix remote denial-of-service vulnerabilities:
+    - x25 accesses fields beyond end of packet
+    - memory corruption in X.25 facilities parsing (CVE-2010-3873)
+    - Prevent crashing when parsing bad X.25 facilities
 
   [ dann frazier ]
   * [vserver] Update patch to 2.6.32.25-vs2.3.0.36.29.6

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Patch-to-fix-bug-15678-x25-accesses-fields-beyon.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Patch-to-fix-bug-15678-x25-accesses-fields-beyon.patch	Mon Nov 15 03:12:15 2010	(r16557)
@@ -0,0 +1,187 @@
+From: John Hughes <john at calva.com>
+Date: Wed, 7 Apr 2010 21:29:25 -0700
+Subject: [PATCH] x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
+
+commit f5eb917b861828da18dc28854308068c66d1449a upstream.
+
+Here is a patch to stop X.25 examining fields beyond the end of the packet.
+
+For example, when a simple CALL ACCEPTED was received:
+
+	10 10 0f
+
+x25_parse_facilities was attempting to decode the FACILITIES field, but this
+packet contains no facilities field.
+
+Signed-off-by: John Hughes <john at calva.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/net/x25.h        |    4 +++
+ net/x25/af_x25.c         |   47 +++++++++++++++++++++++++++++++++++++++++++++-
+ net/x25/x25_facilities.c |   12 ++++++++++-
+ net/x25/x25_in.c         |   15 ++++++++++---
+ 4 files changed, 72 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/x25.h b/include/net/x25.h
+index 9baa07d..33f67fb 100644
+--- a/include/net/x25.h
++++ b/include/net/x25.h
+@@ -182,6 +182,10 @@ extern int  sysctl_x25_clear_request_timeout;
+ extern int  sysctl_x25_ack_holdback_timeout;
+ extern int  sysctl_x25_forward;
+ 
++extern int x25_parse_address_block(struct sk_buff *skb,
++		struct x25_address *called_addr,
++		struct x25_address *calling_addr);
++
+ extern int  x25_addr_ntoa(unsigned char *, struct x25_address *,
+ 			  struct x25_address *);
+ extern int  x25_addr_aton(unsigned char *, struct x25_address *,
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index 9796f3e..fe26c01 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -82,6 +82,41 @@ struct compat_x25_subscrip_struct {
+ };
+ #endif
+ 
++
++int x25_parse_address_block(struct sk_buff *skb,
++		struct x25_address *called_addr,
++		struct x25_address *calling_addr)
++{
++	unsigned char len;
++	int needed;
++	int rc;
++
++	if (skb->len < 1) {
++		/* packet has no address block */
++		rc = 0;
++		goto empty;
++	}
++
++	len = *skb->data;
++	needed = 1 + (len >> 4) + (len & 0x0f);
++
++	if (skb->len < needed) {
++		/* packet is too short to hold the addresses it claims
++		   to hold */
++		rc = -1;
++		goto empty;
++	}
++
++	return x25_addr_ntoa(skb->data, called_addr, calling_addr);
++
++empty:
++	*called_addr->x25_addr = 0;
++	*calling_addr->x25_addr = 0;
++
++	return rc;
++}
++
++
+ int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr,
+ 		  struct x25_address *calling_addr)
+ {
+@@ -921,16 +956,26 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,
+ 	/*
+ 	 *	Extract the X.25 addresses and convert them to ASCII strings,
+ 	 *	and remove them.
++	 *
++	 *	Address block is mandatory in call request packets
+ 	 */
+-	addr_len = x25_addr_ntoa(skb->data, &source_addr, &dest_addr);
++	addr_len = x25_parse_address_block(skb, &source_addr, &dest_addr);
++	if (addr_len <= 0)
++		goto out_clear_request;
+ 	skb_pull(skb, addr_len);
+ 
+ 	/*
+ 	 *	Get the length of the facilities, skip past them for the moment
+ 	 *	get the call user data because this is needed to determine
+ 	 *	the correct listener
++	 *
++	 *	Facilities length is mandatory in call request packets
+ 	 */
++	if (skb->len < 1)
++		goto out_clear_request;
+ 	len = skb->data[0] + 1;
++	if (skb->len < len)
++		goto out_clear_request;
+ 	skb_pull(skb,len);
+ 
+ 	/*
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index a21f664..a2765c6 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -35,7 +35,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 		struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
+ {
+ 	unsigned char *p = skb->data;
+-	unsigned int len = *p++;
++	unsigned int len;
+ 
+ 	*vc_fac_mask = 0;
+ 
+@@ -50,6 +50,14 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 	memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
+ 	memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
+ 
++	if (skb->len < 1)
++		return 0;
++
++	len = *p++;
++
++	if (len >= skb->len)
++		return -1;
++
+ 	while (len > 0) {
+ 		switch (*p & X25_FAC_CLASS_MASK) {
+ 		case X25_FAC_CLASS_A:
+@@ -247,6 +255,8 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk,
+ 	memcpy(new, ours, sizeof(*new));
+ 
+ 	len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
++	if (len < 0)
++		return len;
+ 
+ 	/*
+ 	 *	They want reverse charging, we won't accept it.
+diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
+index 96d9227..b39072f 100644
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
+ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype)
+ {
+ 	struct x25_address source_addr, dest_addr;
++	int len;
+ 
+ 	switch (frametype) {
+ 		case X25_CALL_ACCEPTED: {
+@@ -106,11 +107,17 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
+ 			 *	Parse the data in the frame.
+ 			 */
+ 			skb_pull(skb, X25_STD_MIN_LEN);
+-			skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr));
+-			skb_pull(skb,
+-				 x25_parse_facilities(skb, &x25->facilities,
++
++			len = x25_parse_address_block(skb, &source_addr,
++						&dest_addr);
++			if (len > 0)
++				skb_pull(skb, len);
++
++			len = x25_parse_facilities(skb, &x25->facilities,
+ 						&x25->dte_facilities,
+-						&x25->vc_facil_mask));
++						&x25->vc_facil_mask);
++			if (len > 0)
++				skb_pull(skb, len);
+ 			/*
+ 			 *	Copy any Call User Data.
+ 			 */
+-- 
+1.7.2.3
+

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch	Mon Nov 15 03:12:15 2010	(r16557)
@@ -0,0 +1,75 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri, 12 Nov 2010 12:44:42 -0800
+Subject: [PATCH] x25: Prevent crashing when parsing bad X.25 facilities
+
+commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.
+
+Now with improved comma support.
+
+On parsing malformed X.25 facilities, decrementing the remaining length
+may cause it to underflow.  Since the length is an unsigned integer,
+this will result in the loop continuing until the kernel crashes.
+
+This patch adds checks to ensure decrementing the remaining length does
+not cause it to wrap around.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/x25/x25_facilities.c |   12 +++++++++---
+ 1 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index 3a8c4c4..55187c8 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 	while (len > 0) {
+ 		switch (*p & X25_FAC_CLASS_MASK) {
+ 		case X25_FAC_CLASS_A:
++			if (len < 2)
++				return 0;
+ 			switch (*p) {
+ 			case X25_FAC_REVERSE:
+ 				if((p[1] & 0x81) == 0x81) {
+@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 			len -= 2;
+ 			break;
+ 		case X25_FAC_CLASS_B:
++			if (len < 3)
++				return 0;
+ 			switch (*p) {
+ 			case X25_FAC_PACKET_SIZE:
+ 				facilities->pacsize_in  = p[1];
+@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 			len -= 3;
+ 			break;
+ 		case X25_FAC_CLASS_C:
++			if (len < 4)
++				return 0;
+ 			printk(KERN_DEBUG "X.25: unknown facility %02X, "
+ 			       "values %02X, %02X, %02X\n",
+ 			       p[0], p[1], p[2], p[3]);
+@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 			len -= 4;
+ 			break;
+ 		case X25_FAC_CLASS_D:
++			if (len < p[1] + 2)
++				return 0;
+ 			switch (*p) {
+ 			case X25_FAC_CALLING_AE:
+ 				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 				break;
+ 			default:
+ 				printk(KERN_DEBUG "X.25: unknown facility %02X,"
+-					"length %d, values %02X, %02X, "
+-					"%02X, %02X\n",
+-					p[0], p[1], p[2], p[3], p[4], p[5]);
++					"length %d\n", p[0], p[1]);
+ 				break;
+ 			}
+ 			len -= p[1] + 2;
+-- 
+1.7.2.3
+

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch	Mon Nov 15 03:12:15 2010	(r16557)
@@ -0,0 +1,54 @@
+From: andrew hendry <andrew.hendry at gmail.com>
+Date: Wed, 3 Nov 2010 12:54:53 +0000
+Subject: [PATCH] memory corruption in X.25 facilities parsing
+
+commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.
+
+Signed-of-by: Andrew Hendry <andrew.hendry at gmail.com>
+
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/x25/x25_facilities.c |    8 ++++----
+ net/x25/x25_in.c         |    2 ++
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index 771bab0..3a8c4c4 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 		case X25_FAC_CLASS_D:
+ 			switch (*p) {
+ 			case X25_FAC_CALLING_AE:
+-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-					break;
++				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++					return 0;
+ 				dte_facs->calling_len = p[2];
+ 				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
+ 				*vc_fac_mask |= X25_MASK_CALLING_AE;
+ 				break;
+ 			case X25_FAC_CALLED_AE:
+-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-					break;
++				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++					return 0;
+ 				dte_facs->called_len = p[2];
+ 				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
+ 				*vc_fac_mask |= X25_MASK_CALLED_AE;
+diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
+index 6317896..f729f02 100644
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
+ 						&x25->vc_facil_mask);
+ 			if (len > 0)
+ 				skb_pull(skb, len);
++			else
++				return -1;
+ 			/*
+ 			 *	Copy any Call User Data.
+ 			 */
+-- 
+1.7.2.3
+

Modified: dists/sid/linux-2.6/debian/patches/series/28
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/28	Mon Nov 15 02:43:36 2010	(r16556)
+++ dists/sid/linux-2.6/debian/patches/series/28	Mon Nov 15 03:12:15 2010	(r16557)
@@ -35,3 +35,6 @@
 + features/x86/hwmon-applesmc-Add-MacBookAir3-1-3-2-support.patch
 + features/x86/input-bcm5974-Add-support-for-MacBookAir3.patch
 + features/x86/backlight-mbp_nvidia_bl-add-support-for-MacBookPro7-1.patch
++ bugfix/all/x25-Patch-to-fix-bug-15678-x25-accesses-fields-beyon.patch
++ bugfix/all/x25-memory-corruption-in-X.25-facilities-parsing.patch
++ bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch

More information about the Kernel-svn-changes mailing list