Author: dannf
Date: Mon Apr  9 22:51:36 2007
New Revision: 8445

Added:
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/appletalk-endianness-annotations.dpatch
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/appletalk-length-mismatch.dpatch
      - copied unchanged from r8442, 
dists/etch-security/linux-2.6/debian/patches/bugfix/appletalk-length-mismatch.patch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* appletalk-length-mismatch.dpatch
  [SECURITY] Fix a remote DoS (crash) in appletalk
  Depends upon appletalk-endianness-annotations.dpatch
  See CVE-2007-1357

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Mon Apr  9 22:51:36 2007
@@ -62,8 +62,12 @@
     [SECURITY] Fix a vulnerability that allows local users to read
     otherwise unreadable (but executable) files by triggering a core dump.
     See CVE-2007-0958
+  * appletalk-length-mismatch.dpatch
+    [SECURITY] Fix a remote DoS (crash) in appletalk
+    Depends upon appletalk-endianness-annotations.dpatch
+    See CVE-2007-1357
 
- -- dann frazier <[EMAIL PROTECTED]>  Wed, 04 Apr 2007 01:47:54 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Mon, 09 Apr 2007 16:15:25 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/appletalk-endianness-annotations.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/appletalk-endianness-annotations.dpatch
 Mon Apr  9 22:51:36 2007
@@ -0,0 +1,284 @@
+From: Al Viro <[EMAIL PROTECTED]>
+Date: Wed, 27 Sep 2006 04:22:08 +0000 (-0700)
+Subject: [ATALK]: endianness annotations
+X-Git-Tag: v2.6.19~1799^2~155
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=2a50f28c326d20ab4556be1b867ecddf6aefbb88
+
+[ATALK]: endianness annotations
+
+Signed-off-by: Al Viro <[EMAIL PROTECTED]>
+Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urN kernel-source-2.6.8.orig/drivers/net/appletalk/ipddp.c 
kernel-source-2.6.8/drivers/net/appletalk/ipddp.c
+--- kernel-source-2.6.8.orig/drivers/net/appletalk/ipddp.c     2004-08-13 
23:36:16.000000000 -0600
++++ kernel-source-2.6.8/drivers/net/appletalk/ipddp.c  2007-04-09 
15:37:00.000000000 -0600
+@@ -146,9 +146,7 @@
+ 
+       /* Create the Extended DDP header */
+       ddp = (struct ddpehdr *)skb->data;
+-        ddp->deh_len = skb->len;
+-        ddp->deh_hops = 1;
+-        ddp->deh_pad = 0;
++        ddp->deh_len_hops = htons(skb->len + (1<<10));
+         ddp->deh_sum = 0;
+ 
+       /*
+@@ -171,7 +169,6 @@
+         ddp->deh_sport = 72;
+ 
+         *((__u8 *)(ddp+1)) = 22;              /* ddp type = IP */
+-        *((__u16 *)ddp)=ntohs(*((__u16 *)ddp));       /* fix up length field 
*/
+ 
+         skb->protocol = htons(ETH_P_ATALK);     /* Protocol has changed */
+ 
+diff -urN kernel-source-2.6.8.orig/include/linux/atalk.h 
kernel-source-2.6.8/include/linux/atalk.h
+--- kernel-source-2.6.8.orig/include/linux/atalk.h     2004-08-13 
23:37:38.000000000 -0600
++++ kernel-source-2.6.8/include/linux/atalk.h  2007-04-09 15:37:44.000000000 
-0600
+@@ -76,15 +76,7 @@
+ #include <asm/byteorder.h>
+ 
+ struct ddpehdr {
+-#ifdef __LITTLE_ENDIAN_BITFIELD
+-      __u16   deh_len:10,
+-              deh_hops:4,
+-              deh_pad:2;
+-#else
+-      __u16   deh_pad:2,
+-              deh_hops:4,
+-              deh_len:10;
+-#endif
++      __be16  deh_len_hops;   /* lower 10 bits are length, next 4 - hops */
+       __u16   deh_sum;
+       __u16   deh_dnet;
+       __u16   deh_snet;
+@@ -100,36 +92,6 @@
+       return (struct ddpehdr *)skb->h.raw;
+ }
+ 
+-/*
+- *    Don't drop the struct into the struct above.  You'll get some
+- *    surprise padding.
+- */
+-struct ddpebits {
+-#ifdef __LITTLE_ENDIAN_BITFIELD
+-      __u16   deh_len:10,
+-              deh_hops:4,
+-              deh_pad:2;
+-#else
+-      __u16   deh_pad:2,
+-              deh_hops:4,
+-              deh_len:10;
+-#endif
+-};
+-
+-/* Short form header */
+-struct ddpshdr {
+-#ifdef __LITTLE_ENDIAN_BITFIELD
+-      __u16   dsh_len:10,
+-              dsh_pad:6;
+-#else
+-      __u16   dsh_pad:6,
+-              dsh_len:10;
+-#endif
+-      __u8    dsh_dport;
+-      __u8    dsh_sport;
+-      /* And netatalk apps expect to stick the type in themselves */
+-};
+-
+ /* AppleTalk AARP headers */
+ struct elapaarp {
+       __u16   hw_type;
+diff -urN kernel-source-2.6.8.orig/net/appletalk/ddp.c 
kernel-source-2.6.8/net/appletalk/ddp.c
+--- kernel-source-2.6.8.orig/net/appletalk/ddp.c       2004-08-13 
23:38:10.000000000 -0600
++++ kernel-source-2.6.8/net/appletalk/ddp.c    2007-04-09 15:38:50.000000000 
-0600
+@@ -1020,7 +1020,7 @@
+       return sum;
+ }
+ 
+-static unsigned short atalk_checksum(const struct sk_buff *skb, int len)
++static __be16 atalk_checksum(const struct sk_buff *skb, int len)
+ {
+       unsigned long sum;
+ 
+@@ -1028,7 +1028,7 @@
+       sum = atalk_sum_skb(skb, 4, len-4, 0);
+ 
+       /* Use 0xFFFF for 0. 0 itself means none */
+-      return sum ? htons((unsigned short)sum) : 0xFFFF;
++      return sum ? htons((unsigned short)sum) : htons(0xFFFF);
+ }
+ 
+ /*
+@@ -1309,7 +1309,7 @@
+ #endif
+ 
+ static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+-                             struct ddpehdr *ddp, struct ddpebits *ddphv,
++                             struct ddpehdr *ddp, __u16 len_hops,
+                              int origlen)
+ {
+       struct atalk_route *rt;
+@@ -1337,10 +1337,12 @@
+ 
+       /* Route the packet */
+       rt = atrtr_find(&ta);
+-      if (!rt || ddphv->deh_hops == DDP_MAXHOPS)
++      /* increment hops count */
++      len_hops += 1 << 10;
++      if (!rt || !(len_hops & (15 << 10)))
+               goto free_it;
++
+       /* FIXME: use skb->cb to be able to use shared skbs */
+-      ddphv->deh_hops++;
+ 
+       /*
+        * Route goes through another gateway, so set the target to the
+@@ -1355,11 +1357,10 @@
+         /* Fix up skb->len field */
+         skb_trim(skb, min_t(unsigned int, origlen,
+                           (rt->dev->hard_header_len +
+-                           ddp_dl->header_length + ddphv->deh_len)));
++                           ddp_dl->header_length + (len_hops & 1023))));
+ 
+-      /* Mend the byte order */
+       /* FIXME: use skb->cb to be able to use shared skbs */
+-      *((__u16 *)ddp) = ntohs(*((__u16 *)ddphv));
++      ddp->deh_len_hops = htons(len_hops);
+ 
+       /*
+        * Send the buffer onwards
+@@ -1414,7 +1415,7 @@
+       struct atalk_iface *atif;
+       struct sockaddr_at tosat;
+         int origlen;
+-        struct ddpebits ddphv;
++      __u16 len_hops;
+ 
+       /* Don't mangle buffer if shared */
+       if (!(skb = skb_share_check(skb, GFP_ATOMIC))) 
+@@ -1426,16 +1427,11 @@
+ 
+       ddp = ddp_hdr(skb);
+ 
+-      /*
+-       *      Fix up the length field [Ok this is horrible but otherwise
+-       *      I end up with unions of bit fields and messy bit field order
+-       *      compiler/endian dependencies..]
+-       */
+-      *((__u16 *)&ddphv) = ntohs(*((__u16 *)ddp));
++      len_hops = ntohs(ddp->deh_len_hops);
+ 
+       /* Trim buffer in case of stray trailing data */
+       origlen = skb->len;
+-      skb_trim(skb, min_t(unsigned int, skb->len, ddphv.deh_len));
++      skb_trim(skb, min_t(unsigned int, skb->len, len_hops & 1023));
+ 
+       /*
+        * Size check to see if ddp->deh_len was crap
+@@ -1450,7 +1446,7 @@
+        * valid for net byte orders all over the networking code...
+        */
+       if (ddp->deh_sum &&
+-          atalk_checksum(skb, ddphv.deh_len) != ddp->deh_sum)
++          atalk_checksum(skb, len_hops & 1023) != ddp->deh_sum)
+               /* Not a valid AppleTalk frame - dustbin time */
+               goto freeit;
+ 
+@@ -1462,7 +1458,7 @@
+ 
+       /* Not ours, so we route the packet via the correct AppleTalk iface */
+       if (!atif) {
+-              atalk_route_packet(skb, dev, ddp, &ddphv, origlen);
++              atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+               goto out;
+       }
+ 
+@@ -1507,7 +1503,7 @@
+               /* Find our address */
+               struct atalk_addr *ap = atalk_find_dev_addr(dev);
+ 
+-              if (!ap || skb->len < sizeof(struct ddpshdr))
++              if (!ap || skb->len < sizeof(__be16) || skb->len > 1023)
+                       goto freeit;
+ 
+               /* Don't mangle buffer if shared */
+@@ -1537,11 +1533,8 @@
+               /*
+                * Not sure about this bit...
+                */
+-              ddp->deh_len   = skb->len;
+-              ddp->deh_hops  = DDP_MAXHOPS;   /* Non routable, so force a drop
+-                                                 if we slip up later */
+-              /* Mend the byte order */
+-              *((__u16 *)ddp) = htons(*((__u16 *)ddp));
++              /* Non routable, so force a drop if we slip up later */
++              ddp->deh_len_hops = htons(skb->len + (DDP_MAXHOPS << 10));
+       }
+       skb->h.raw = skb->data;
+ 
+@@ -1642,16 +1635,7 @@
+       SOCK_DEBUG(sk, "SK %p: Begin build.\n", sk);
+ 
+       ddp = (struct ddpehdr *)skb_put(skb, sizeof(struct ddpehdr));
+-      ddp->deh_pad  = 0;
+-      ddp->deh_hops = 0;
+-      ddp->deh_len  = len + sizeof(*ddp);
+-      /*
+-       * Fix up the length field [Ok this is horrible but otherwise
+-       * I end up with unions of bit fields and messy bit field order
+-       * compiler/endian dependencies..
+-       */
+-      *((__u16 *)ddp) = ntohs(*((__u16 *)ddp));
+-
++      ddp->deh_len_hops  = htons(len + sizeof(*ddp));
+       ddp->deh_dnet  = usat->sat_addr.s_net;
+       ddp->deh_snet  = at->src_net;
+       ddp->deh_dnode = usat->sat_addr.s_node;
+@@ -1718,8 +1702,8 @@
+       struct sockaddr_at *sat = (struct sockaddr_at *)msg->msg_name;
+       struct ddpehdr *ddp;
+       int copied = 0;
++      int offset = 0;
+       int err = 0;
+-        struct ddpebits ddphv;
+       struct sk_buff *skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+                                               flags & MSG_DONTWAIT, &err);
+       if (!skb)
+@@ -1727,25 +1711,18 @@
+ 
+       /* FIXME: use skb->cb to be able to use shared skbs */
+       ddp = ddp_hdr(skb);
+-      *((__u16 *)&ddphv) = ntohs(*((__u16 *)ddp));
++      copied = ntohs(ddp->deh_len_hops) & 1023;
+ 
+-      if (sk->sk_type == SOCK_RAW) {
+-              copied = ddphv.deh_len;
+-              if (copied > size) {
+-                      copied = size;
+-                      msg->msg_flags |= MSG_TRUNC;
+-              }
++      if (sk->sk_type != SOCK_RAW) {
++              offset = sizeof(*ddp);
++              copied -= offset;
++      }
+ 
+-              err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+-      } else {
+-              copied = ddphv.deh_len - sizeof(*ddp);
+-              if (copied > size) {
+-                      copied = size;
+-                      msg->msg_flags |= MSG_TRUNC;
+-              }
+-              err = skb_copy_datagram_iovec(skb, sizeof(*ddp),
+-                                            msg->msg_iov, copied);
++      if (copied > size) {
++              copied = size;
++              msg->msg_flags |= MSG_TRUNC;
+       }
++      err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied);
+ 
+       if (!err) {
+               if (sat) {
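Review bot: After this backport `atalk_checksum()` returns `__be16` (ddp.c, the `@@ -1020` hunk) while `deh_sum` in `struct ddpehdr` stays `__u16` (the unchanged context line in the atalk.h hunk), so the comparison `atalk_checksum(skb, len_hops & 1023) != ddp->deh_sum` in atalk_rcv now mixes an annotated and an unannotated type. Runtime behaviour is unaffected because both carry network byte order, but it defeats the sparse checking the annotations exist for; the upstream commit this is backported from appears to annotate `deh_sum` (and `deh_dnet`/`deh_snet`) as `__be16` as well, so the backport likely dropped those lines and `__be16 deh_sum;` should be restored alongside `deh_len_hops`. Separately, the kept comment `Size check to see if ddp->deh_len was crap` in atalk_rcv now names a field this patch removes from the struct; it should read `Size check to see if the length in ddp->deh_len_hops was crap`. The inner hunks cut through atalk_rcv, so the size check itself and the remainder of the function are outside what is visible here.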

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
   Mon Apr  9 22:51:36 2007
@@ -12,3 +12,5 @@
 + hfs-no-root-inode.dpatch
 + ipv6_fl_socklist-no-share.dpatch
 + core-dump-unreadable-PT_INTERP.dpatch
++ appletalk-endianness-annotations.dpatch
++ appletalk-length-mismatch.dpatch
