[kernel] r17436 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue May 17 08:02:21 UTC 2011


Author: dannf
Date: Tue May 17 08:02:09 2011
New Revision: 17436

Log:
gre: fix netns vs proto registration ordering (CVE-2011-1767)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Tue May 17 07:22:37 2011	(r17435)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Tue May 17 08:02:09 2011	(r17436)
@@ -5,6 +5,7 @@
     - cifs: clean up cifs_find_smb_ses
     - cifs: fix NULL pointer dereference in cifs_find_smb_ses
     - cifs: check for NULL session password
+  * gre: fix netns vs proto registration ordering (CVE-2011-1767)
 
  -- dann frazier <dannf at debian.org>  Tue, 17 May 2011 00:41:07 -0600
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch	Tue May 17 08:02:09 2011	(r17436)
@@ -0,0 +1,65 @@
+commit c2892f02712e9516d72841d5c019ed6916329794
+Author: Alexey Dobriyan <adobriyan at gmail.com>
+Date:   Tue Feb 16 07:57:44 2010 +0000
+
+    gre: fix netns vs proto registration ordering
+    
+    GRE protocol receive hook can be called right after protocol addition is done.
+    If netns stuff is not yet initialized, we're going to oops in
+    net_generic().
+    
+    This is remotely oopsable if ip_gre is compiled as module and packet
+    comes at unfortunate moment of module loading.
+    
+    Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: backported to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/net/ipv4/ip_gre.c linux-source-2.6.32/net/ipv4/ip_gre.c
+--- linux-source-2.6.32.orig/net/ipv4/ip_gre.c	2011-05-03 09:29:08.000000000 -0600
++++ linux-source-2.6.32/net/ipv4/ip_gre.c	2011-05-17 01:27:46.115601639 -0600
+@@ -1665,14 +1665,15 @@ static int __init ipgre_init(void)
+ 
+ 	printk(KERN_INFO "GRE over IPv4 tunneling driver\n");
+ 
+-	if (inet_add_protocol(&ipgre_protocol, IPPROTO_GRE) < 0) {
+-		printk(KERN_INFO "ipgre init: can't add protocol\n");
+-		return -EAGAIN;
+-	}
+-
+ 	err = register_pernet_gen_device(&ipgre_net_id, &ipgre_net_ops);
+ 	if (err < 0)
+-		goto gen_device_failed;
++		return err;
++
++	err = inet_add_protocol(&ipgre_protocol, IPPROTO_GRE);
++	if (err < 0) {
++		printk(KERN_INFO "ipgre init: can't add protocol\n");
++		goto add_proto_failed;
++	}
+ 
+ 	err = rtnl_link_register(&ipgre_link_ops);
+ 	if (err < 0)
+@@ -1688,9 +1689,9 @@ out:
+ tap_ops_failed:
+ 	rtnl_link_unregister(&ipgre_link_ops);
+ rtnl_link_failed:
+-	unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
+-gen_device_failed:
+ 	inet_del_protocol(&ipgre_protocol, IPPROTO_GRE);
++add_proto_failed:
++	unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
+ 	goto out;
+ }
+ 
+@@ -1698,9 +1699,9 @@ static void __exit ipgre_fini(void)
+ {
+ 	rtnl_link_unregister(&ipgre_tap_ops);
+ 	rtnl_link_unregister(&ipgre_link_ops);
+-	unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
+ 	if (inet_del_protocol(&ipgre_protocol, IPPROTO_GRE) < 0)
+ 		printk(KERN_INFO "ipgre close: can't remove protocol\n");
++	unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
+ }
+ 
+ module_init(ipgre_init);
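Review bot: In ipgre_init, the failure path for inet_add_protocol() now passes that function's return value out through `goto add_proto_failed`, where the removed code returned -EAGAIN. If inet_add_protocol() signals failure with a bare -1 (its body is not visible here), a failed module load would reach userspace as EPERM; setting `err = -EAGAIN;` before the goto would keep the earlier error code. The new ordering is also a security invariant that the code itself never states. A short comment above the register_pernet_gen_device() call, such as `/* per-netns state must exist before the GRE receive hook can run */`, with a matching one before the unregister call in ipgre_fini, would help stop later edits from reopening the window described in the commit message. ipgre_init's body starts before and continues between the embedded hunks, so the full set of error labels is not visible here.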

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1	Tue May 17 07:22:37 2011	(r17435)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1	Tue May 17 08:02:09 2011	(r17436)
@@ -2,3 +2,4 @@
 + bugfix/all/cifs-clean-up-cifs_find_smb_ses.patch
 + bugfix/all/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_ses.patch
 + bugfix/all/cifs-check-for-NULL-session-password.patch
++ bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch


