[kernel] r17929 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Aug 15 06:06:31 UTC 2011


Author: dannf
Date: Mon Aug 15 06:06:28 2011
New Revision: 17929

Log:
net_sched: Fix qdisc_notify() (CVE-2011-2525)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Mon Aug 15 03:52:57 2011	(r17928)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Mon Aug 15 06:06:28 2011	(r17929)
@@ -10,6 +10,7 @@
   * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
   * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
   * nl80211: fix check for valid SSID size in scan operations
+  * net_sched: Fix qdisc_notify() (CVE-2011-2525)
 
   [ Moritz Muehlenhoff ]
   * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch	Mon Aug 15 06:06:28 2011	(r17929)
@@ -0,0 +1,64 @@
+commit 53b0f08042f04813cd1a7473dacd3edfacb28eb3
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Sat May 22 20:37:44 2010 +0000
+
+    net_sched: Fix qdisc_notify()
+    
+    Ben Pfaff reported a kernel oops and provided a test program to
+    reproduce it.
+    
+    https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805
+    
+    tc_fill_qdisc() should not be called for builtin qdisc, or it
+    dereference a NULL pointer to get device ifindex.
+    
+    Fix is to always use tc_qdisc_dump_ignore() before calling
+    tc_fill_qdisc().
+    
+    Reported-by: Ben Pfaff <blp at nicira.com>
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 903e418..7c8c4b1 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1195,6 +1195,11 @@ nla_put_failure:
+ 	return -1;
+ }
+ 
++static bool tc_qdisc_dump_ignore(struct Qdisc *q)
++{
++	return (q->flags & TCQ_F_BUILTIN) ? true : false;
++}
++
+ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ 			u32 clid, struct Qdisc *old, struct Qdisc *new)
+ {
+@@ -1205,11 +1210,11 @@ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ 	if (!skb)
+ 		return -ENOBUFS;
+ 
+-	if (old && old->handle) {
++	if (old && !tc_qdisc_dump_ignore(old)) {
+ 		if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0)
+ 			goto err_out;
+ 	}
+-	if (new) {
++	if (new && !tc_qdisc_dump_ignore(new)) {
+ 		if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
+ 			goto err_out;
+ 	}
+@@ -1222,11 +1227,6 @@ err_out:
+ 	return -EINVAL;
+ }
+ 
+-static bool tc_qdisc_dump_ignore(struct Qdisc *q)
+-{
+-	return (q->flags & TCQ_F_BUILTIN) ? true : false;
+-}
+-
+ static int tc_dump_qdisc_root(struct Qdisc *root, struct sk_buff *skb,
+ 			      struct netlink_callback *cb,
+ 			      int *q_idx_p, int s_q_idx)
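Review bot: The two new guards in qdisc_notify() (`if (old && !tc_qdisc_dump_ignore(old))` and the matching test on `new`) carry the whole fix, but the reason a builtin qdisc must never reach tc_fill_qdisc() is recorded only in the commit message. I would add a comment on the moved helper, e.g. `/* Builtin qdiscs have no device: tc_fill_qdisc() would dereference NULL to get the ifindex, so skip them. */`, so that any later caller of tc_fill_qdisc() keeps the check. The helper body can also be written `return q->flags & TCQ_F_BUILTIN;`, since the bool return type already normalises the value. When both `old` and `new` are builtin, nothing is written to skb; the lines between the second guard and `err_out:` are outside the hunk, so it is worth confirming that the empty-skb case is handled there as intended.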

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Mon Aug 15 03:52:57 2011	(r17928)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Mon Aug 15 06:06:28 2011	(r17929)
@@ -11,3 +11,4 @@
 + bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
 + bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
 + bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
++ bugfix/all/net_sched-Fix-qdisc_notify.patch


