[kernel] r16568 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Nov 19 06:09:01 UTC 2010


Author: dannf
Date: Fri Nov 19 06:08:43 2010
New Revision: 16568

Log:
X.25: Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Nov 19 04:30:11 2010	(r16567)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Nov 19 06:08:43 2010	(r16568)
@@ -17,6 +17,7 @@
     (CVE-2010-4080, CVE-2010-4081)
   * V4L/DVB: ivtvfb: prevent reading uninitialized stack memory (CVE-2010-4079)
   * video/sis: prevent reading uninitialized stack memory (CVE-2010-4078)
+  * X.25: Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch	Fri Nov 19 06:08:43 2010	(r16568)
@@ -0,0 +1,69 @@
+commit 912cc939a980785d6d285bde16e4a3e37cee9b33
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Fri Nov 12 12:44:42 2010 -0800
+
+    x25: Prevent crashing when parsing bad X.25 facilities
+    
+    Now with improved comma support.
+    
+    On parsing malformed X.25 facilities, decrementing the remaining length
+    may cause it to underflow.  Since the length is an unsigned integer,
+    this will result in the loop continuing until the kernel crashes.
+    
+    This patch adds checks to ensure decrementing the remaining length does
+    not cause it to wrap around.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index 79cf932..804afd3 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 	while (len > 0) {
+ 		switch (*p & X25_FAC_CLASS_MASK) {
+ 		case X25_FAC_CLASS_A:
++			if (len < 2)
++				return 0;
+ 			switch (*p) {
+ 			case X25_FAC_REVERSE:
+ 				if((p[1] & 0x81) == 0x81) {
+@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 			len -= 2;
+ 			break;
+ 		case X25_FAC_CLASS_B:
++			if (len < 3)
++				return 0;
+ 			switch (*p) {
+ 			case X25_FAC_PACKET_SIZE:
+ 				facilities->pacsize_in  = p[1];
+@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 			len -= 3;
+ 			break;
+ 		case X25_FAC_CLASS_C:
++			if (len < 4)
++				return 0;
+ 			printk(KERN_DEBUG "X.25: unknown facility %02X, "
+ 			       "values %02X, %02X, %02X\n",
+ 			       p[0], p[1], p[2], p[3]);
+@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 			len -= 4;
+ 			break;
+ 		case X25_FAC_CLASS_D:
++			if (len < p[1] + 2)
++				return 0;
+ 			switch (*p) {
+ 			case X25_FAC_CALLING_AE:
+ 				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 				break;
+ 			default:
+ 				printk(KERN_DEBUG "X.25: unknown facility %02X,"
+-					"length %d, values %02X, %02X, "
+-					"%02X, %02X\n",
+-					p[0], p[1], p[2], p[3], p[4], p[5]);
++					"length %d\n", p[0], p[1]);
+ 				break;
+ 			}
+ 			len -= p[1] + 2;
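Review bot: In the X25_FAC_CLASS_D case the new guard `if (len < p[1] + 2)` dereferences `p[1]` before anything has established that two bytes remain, so with `len == 1` the length octet is read from beyond the declared facilities field. Checking the fixed part first avoids that read: `if (len < 2 || len < p[1] + 2) return 0;`. Separately, all four new guards return 0 on truncated input. If 0 is also the value callers see after a normal parse (not visible here, since the body of x25_parse_facilities starts and ends outside these hunks), malformed facilities cannot be told apart from valid ones. A distinct error return would let callers drop the packet, and a short comment on each guard naming the minimum encoded size for that facility class would make the constants 2, 3 and 4 self-explanatory.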

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Fri Nov 19 04:30:11 2010	(r16567)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Fri Nov 19 06:08:43 2010	(r16568)
@@ -15,3 +15,4 @@
 + bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
 + bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
 + bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch


