[kernel] r17929 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Aug 15 06:06:31 UTC 2011
Author: dannf
Date: Mon Aug 15 06:06:28 2011
New Revision: 17929
Log:
net_sched: Fix qdisc_notify() (CVE-2011-2525)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Mon Aug 15 03:52:57 2011 (r17928)
+++ dists/squeeze-security/linux-2.6/debian/changelog Mon Aug 15 06:06:28 2011 (r17929)
@@ -10,6 +10,7 @@
* vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
* Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
* nl80211: fix check for valid SSID size in scan operations
+ * net_sched: Fix qdisc_notify() (CVE-2011-2525)
[ Moritz Muehlenhoff ]
* si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch Mon Aug 15 06:06:28 2011 (r17929)
@@ -0,0 +1,64 @@
+commit 53b0f08042f04813cd1a7473dacd3edfacb28eb3
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Sat May 22 20:37:44 2010 +0000
+
+ net_sched: Fix qdisc_notify()
+
+ Ben Pfaff reported a kernel oops and provided a test program to
+ reproduce it.
+
+ https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805
+
+ tc_fill_qdisc() should not be called for builtin qdisc, or it
+ dereference a NULL pointer to get device ifindex.
+
+ Fix is to always use tc_qdisc_dump_ignore() before calling
+ tc_fill_qdisc().
+
+ Reported-by: Ben Pfaff <blp at nicira.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 903e418..7c8c4b1 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1195,6 +1195,11 @@ nla_put_failure:
+ return -1;
+ }
+
++static bool tc_qdisc_dump_ignore(struct Qdisc *q)
++{
++ return (q->flags & TCQ_F_BUILTIN) ? true : false;
++}
++
+ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ u32 clid, struct Qdisc *old, struct Qdisc *new)
+ {
+@@ -1205,11 +1210,11 @@ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ if (!skb)
+ return -ENOBUFS;
+
+- if (old && old->handle) {
++ if (old && !tc_qdisc_dump_ignore(old)) {
+ if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0)
+ goto err_out;
+ }
+- if (new) {
++ if (new && !tc_qdisc_dump_ignore(new)) {
+ if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
+ goto err_out;
+ }
+@@ -1222,11 +1227,6 @@ err_out:
+ return -EINVAL;
+ }
+
+-static bool tc_qdisc_dump_ignore(struct Qdisc *q)
+-{
+- return (q->flags & TCQ_F_BUILTIN) ? true : false;
+-}
+-
+ static int tc_dump_qdisc_root(struct Qdisc *root, struct sk_buff *skb,
+ struct netlink_callback *cb,
+ int *q_idx_p, int s_q_idx)
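Review bot: The NULL-dereference guard is applied only at the two tc_fill_qdisc() call sites in qdisc_notify(), so the rule stated in the commit message ("always use tc_qdisc_dump_ignore() before calling tc_fill_qdisc()") remains a convention that every other caller has to remember. Whether other callers in this 2.6.32 backport already follow it is not visible in these hunks. I would record the invariant on the moved helper, for example `/* Builtin qdiscs have no device; never hand them to tc_fill_qdisc(), which dereferences it for the ifindex. */`. As a style point, the helper returns bool, so `return q->flags & TCQ_F_BUILTIN;` is enough, and the parameter can be `const struct Qdisc *q`. qdisc_notify() starts and ends outside the inner hunks, so what it returns when both old and new are skipped and the skb stays empty cannot be checked from here.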
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Mon Aug 15 03:52:57 2011 (r17928)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Mon Aug 15 06:06:28 2011 (r17929)
@@ -11,3 +11,4 @@
+ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
+ bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
+ bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
++ bugfix/all/net_sched-Fix-qdisc_notify.patch