[kernel] r17611 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Mon Jun  6 03:01:26 2011
New Revision: 17611

Log:
gre: fix netns vs proto registration ordering (CVE-2011-1767)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 01:26:55 2011	(r17610)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 03:01:26 2011	(r17611)
@@ -39,6 +39,7 @@
   * agp: fix OOM and buffer overflow (CVE-2011-1746)
   * can: Add missing socket check in can/raw release (CVE-2011-1748)
   * [arm] 6891/1: prevent heap corruption in OABI semtimedop (CVE-2011-1759)
+  * gre: fix netns vs proto registration ordering (CVE-2011-1767)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch	Mon Jun  6 03:01:26 2011	(r17611)
@@ -0,0 +1,49 @@
+commit c2892f02712e9516d72841d5c019ed6916329794
+Author: Alexey Dobriyan <adobriyan at gmail.com>
+Date:   Tue Feb 16 07:57:44 2010 +0000
+
+    gre: fix netns vs proto registration ordering
+    
+    GRE protocol receive hook can be called right after protocol addition is done.
+    If netns stuff is not yet initialized, we're going to oops in
+    net_generic().
+    
+    This is remotely oopsable if ip_gre is compiled as module and packet
+    comes at unfortunate moment of module loading.
+    
+    Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/net/ipv4/ip_gre.c linux-source-2.6.26/net/ipv4/ip_gre.c
+--- linux-source-2.6.26.orig/net/ipv4/ip_gre.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv4/ip_gre.c	2011-06-05 19:39:48.411064447 -0600
+@@ -1235,16 +1235,22 @@ static int __init ipgre_init(void)
+ 
+ 	printk(KERN_INFO "GRE over IPv4 tunneling driver\n");
+ 
+-	if (inet_add_protocol(&ipgre_protocol, IPPROTO_GRE) < 0) {
+-		printk(KERN_INFO "ipgre init: can't add protocol\n");
+-		return -EAGAIN;
+-	}
+-
+ 	err = register_pernet_gen_device(&ipgre_net_id, &ipgre_net_ops);
+ 	if (err < 0)
+-		inet_del_protocol(&ipgre_protocol, IPPROTO_GRE);
++		return err;
+ 
++	err = inet_add_protocol(&ipgre_protocol, IPPROTO_GRE);
++	if (err < 0) {
++		printk(KERN_INFO "ipgre init: can't add protocol\n");
++		goto add_proto_failed;
++	}
++
++ out:
+ 	return err;
++
++ add_proto_failed:
++	unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
++	goto out;
+ }
+ 
+ static void __exit ipgre_fini(void)

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 01:26:55 2011	(r17610)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 03:01:26 2011	(r17611)
@@ -37,3 +37,4 @@
 + bugfix/all/agp-fix-OOM-and-buffer-overflow.patch
 + bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch
 + bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
++ bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch