[kernel] r19143 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Tue Jun 12 22:59:51 2012
New Revision: 19143

Log:
net: sock: validate data_len before allocating skb in
sock_alloc_send_pskb() (CVE-2012-2136)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
   dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Tue Jun 12 22:50:02 2012	(r19142)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Tue Jun 12 22:59:51 2012	(r19143)
@@ -1,3 +1,10 @@
+linux-2.6 (2.6.32-45squeeze1) UNRELEASED; urgency=low
+
+  * net: sock: validate data_len before allocating skb in
+    sock_alloc_send_pskb() (CVE-2012-2136)
+
+ -- dann frazier <dannf at debian.org>  Tue, 12 Jun 2012 16:56:29 -0600
+
 linux-2.6 (2.6.32-45) stable; urgency=high
 
   * Avoid ABI change on some archs due to a new #include in the

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch	Tue Jun 12 22:59:51 2012	(r19143)
@@ -0,0 +1,45 @@
+commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc
+Author: Jason Wang <jasowang at redhat.com>
+Date:   Wed May 30 21:18:10 2012 +0000
+
+    net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
+    
+    We need to validate the number of pages consumed by data_len, otherwise frags
+    array could be overflowed by userspace. So this patch validate data_len and
+    return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.
+    
+    Signed-off-by: Jason Wang <jasowang at redhat.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 31e02d3..eb7de4f 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1396,6 +1396,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ 	gfp_t gfp_mask;
+ 	long timeo;
+ 	int err;
++	int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
++
++	err = -EMSGSIZE;
++	if (npages > MAX_SKB_FRAGS)
++		goto failure;
+ 
+ 	gfp_mask = sk->sk_allocation;
+ 	if (gfp_mask & __GFP_WAIT)
+@@ -1414,14 +1419,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ 		if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
+ 			skb = alloc_skb(header_len, gfp_mask);
+ 			if (skb) {
+-				int npages;
+ 				int i;
+ 
+ 				/* No pages, we're done... */
+ 				if (!data_len)
+ 					break;
+ 
+-				npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+ 				skb->truesize += data_len;
+ 				skb_shinfo(skb)->nr_frags = npages;
+ 				for (i = 0; i < npages; i++) {

Added: dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1	Tue Jun 12 22:59:51 2012	(r19143)
@@ -0,0 +1 @@
++ bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch