[kernel] r16568 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Nov 19 06:09:01 UTC 2010
Author: dannf
Date: Fri Nov 19 06:08:43 2010
New Revision: 16568
Log:
X.25: Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Fri Nov 19 04:30:11 2010 (r16567)
+++ dists/lenny-security/linux-2.6/debian/changelog Fri Nov 19 06:08:43 2010 (r16568)
@@ -17,6 +17,7 @@
(CVE-2010-4080, CVE-2010-4081)
* V4L/DVB: ivtvfb: prevent reading uninitialized stack memory (CVE-2010-4079)
* video/sis: prevent reading uninitialized stack memory (CVE-2010-4078)
+ * X.25: Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch Fri Nov 19 06:08:43 2010 (r16568)
@@ -0,0 +1,69 @@
+commit 912cc939a980785d6d285bde16e4a3e37cee9b33
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri Nov 12 12:44:42 2010 -0800
+
+ x25: Prevent crashing when parsing bad X.25 facilities
+
+ Now with improved comma support.
+
+ On parsing malformed X.25 facilities, decrementing the remaining length
+ may cause it to underflow. Since the length is an unsigned integer,
+ this will result in the loop continuing until the kernel crashes.
+
+ This patch adds checks to ensure decrementing the remaining length does
+ not cause it to wrap around.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index 79cf932..804afd3 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ while (len > 0) {
+ switch (*p & X25_FAC_CLASS_MASK) {
+ case X25_FAC_CLASS_A:
++ if (len < 2)
++ return 0;
+ switch (*p) {
+ case X25_FAC_REVERSE:
+ if((p[1] & 0x81) == 0x81) {
+@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ len -= 2;
+ break;
+ case X25_FAC_CLASS_B:
++ if (len < 3)
++ return 0;
+ switch (*p) {
+ case X25_FAC_PACKET_SIZE:
+ facilities->pacsize_in = p[1];
+@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ len -= 3;
+ break;
+ case X25_FAC_CLASS_C:
++ if (len < 4)
++ return 0;
+ printk(KERN_DEBUG "X.25: unknown facility %02X, "
+ "values %02X, %02X, %02X\n",
+ p[0], p[1], p[2], p[3]);
+@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ len -= 4;
+ break;
+ case X25_FAC_CLASS_D:
++ if (len < p[1] + 2)
++ return 0;
+ switch (*p) {
+ case X25_FAC_CALLING_AE:
+ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ break;
+ default:
+ printk(KERN_DEBUG "X.25: unknown facility %02X,"
+- "length %d, values %02X, %02X, "
+- "%02X, %02X\n",
+- p[0], p[1], p[2], p[3], p[4], p[5]);
++ "length %d\n", p[0], p[1]);
+ break;
+ }
+ len -= p[1] + 2;
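Review bot: The class D guard `if (len < p[1] + 2)` reads the length byte `p[1]` before anything has confirmed that two bytes remain, so with `len == 1` the check itself looks one byte past the declared facilities length. The class A, B and C guards compare `len` with a constant before touching `p[1]`, and class D should do the same, e.g. `if (len < 2 || len < p[1] + 2) return 0;`. Whether that extra byte still lies inside the skb's data depends on the caller, which these hunks do not show. The new `return 0` paths would also benefit from a short comment such as `/* truncated facility: stop parsing, caller sees 0 */`, because x25_parse_facilities starts and ends outside the hunks and it is not visible here how callers tell a rejected facilities field from a cleanly parsed one.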
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Fri Nov 19 04:30:11 2010 (r16567)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Fri Nov 19 06:08:43 2010 (r16568)
@@ -15,3 +15,4 @@
+ bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
+ bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
+ bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch