[kernel] r17931 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Aug 15 06:06:45 UTC 2011


Author: dannf
Date: Mon Aug 15 06:06:44 2011
New Revision: 17931

Log:
gro: Only reset frag0 when skb can be pulled (CVE-2011-2723)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Mon Aug 15 06:06:38 2011	(r17930)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Mon Aug 15 06:06:44 2011	(r17931)
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.32-35squeeze1) UNRELEASED; urgency=high
+linux-2.6 (2.6.32-35squeeze2) UNRELEASED; urgency=high
 
   [ dann frazier ]
   * Fix regression in fix for CVE-2011-1768 (Closes: #633738)
@@ -11,11 +11,12 @@
   * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
   * nl80211: fix check for valid SSID size in scan operations
   * net_sched: Fix qdisc_notify() (CVE-2011-2525)
+  * gro: Only reset frag0 when skb can be pulled (CVE-2011-2723)
 
   [ Moritz Muehlenhoff ]
   * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
 
- -- dann frazier <dannf at debian.org>  Thu, 21 Jul 2011 00:31:53 -0600
+ -- dann frazier <dannf at debian.org>  Mon, 15 Aug 2011 00:04:12 -0600
 
 linux-2.6 (2.6.32-35) stable; urgency=high
 
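Review bot: the new changelog line carries only the patch title and CVE id; since the patch added in this revision is a verbatim import of upstream commit 17dd759c67f21e34f2156abcf415e1f60605a188, a short impact note in the entry (an skb that cannot be pulled left the GRO frag0/frag0_len fields inconsistent) would make the entry self-explanatory for anyone reading the changelog or the resulting advisory without opening the patch. The trailer date is updated together with the new version, which is correct.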

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch	Mon Aug 15 06:06:44 2011	(r17931)
@@ -0,0 +1,34 @@
+commit 17dd759c67f21e34f2156abcf415e1f60605a188
+Author: Herbert Xu <herbert at gondor.apana.org.au>
+Date:   Wed Jul 27 06:16:28 2011 -0700
+
+    gro: Only reset frag0 when skb can be pulled
+    
+    Currently skb_gro_header_slow unconditionally resets frag0 and
+    frag0_len.  However, when we can't pull on the skb this leaves
+    the GRO fields in an inconsistent state.
+    
+    This patch fixes this by only resetting those fields after the
+    pskb_may_pull test.
+    
+    Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 1d92acc0..661a077 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1649,9 +1649,12 @@ static inline int skb_gro_header_hard(struct sk_buff *skb, unsigned int hlen)
+ static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
+ 					unsigned int offset)
+ {
++	if (!pskb_may_pull(skb, hlen))
++		return NULL;
++
+ 	NAPI_GRO_CB(skb)->frag0 = NULL;
+ 	NAPI_GRO_CB(skb)->frag0_len = 0;
+-	return pskb_may_pull(skb, hlen) ? skb->data + offset : NULL;
++	return skb->data + offset;
+ }
+ 
+ static inline void *skb_gro_mac_header(struct sk_buff *skb)
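Review bot: the reordering is logically sound: `pskb_may_pull(skb, hlen)` is now evaluated first, so `NAPI_GRO_CB(skb)->frag0` and `frag0_len` are cleared only on the success path and are left untouched when the pull fails, whereas the removed line cleared them unconditionally before returning NULL, which is exactly the inconsistent state the commit message describes. Two packaging points: the file is a raw git commit header with no DEP-3 fields, so consider adding at least an `Origin:` line naming the upstream commit (17dd759c) and a `Bug:`/CVE reference so the provenance survives outside the changelog; and the hunk header `@@ -1649,9 +1649,12 @@` refers to line numbers in the upstream tree the commit was taken from, so confirm with a `quilt push` that the three context lines apply to the 2.6.32 squeeze copy of include/linux/netdevice.h without fuzz.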

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Mon Aug 15 06:06:38 2011	(r17930)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Mon Aug 15 06:06:44 2011	(r17931)
@@ -13,3 +13,4 @@
 + bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
 + bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
 + bugfix/all/net_sched-Fix-qdisc_notify.patch
++ bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch
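Review bot: the patch is appended to patches/series/35squeeze1, but the changelog hunk in this same revision bumps the package version from 2.6.32-35squeeze1 to 2.6.32-35squeeze2 while keeping the entry UNRELEASED. If the build selects the series file by version, the new patch would not be picked up for a 35squeeze2 build; confirm which series file the 35squeeze2 upload will use, or add a patches/series/35squeeze2 that includes this line. Appending after net_sched-Fix-qdisc_notify.patch is otherwise fine, since the GRO change touches only include/linux/netdevice.h and does not overlap the earlier patches listed here.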
