series

Dann Frazier Mon, 30 Apr 2007 18:48:39 -0700

Author: dannf
Date: Tue May  1 01:48:31 2007
New Revision: 8531

Added:
   
dists/etch-security/linux-2.6/debian/patches/bugfix/netlink-infinite-recursion.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/12etch2
Log:
* bugfix/netlink-infinite-recursion.patch
  [SECURITY] Fix infinite recursion bug in netlink
  See CVE-2007-1861


Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Tue May  1 01:48:31 2007
@@ -8,8 +8,11 @@
     [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
     which allows remote attackers to bypass certain rulesets
     See CVE-2007-1497
+  * bugfix/netlink-infinite-recursion.patch
+    [SECURITY] Fix infinite recursion bug in netlink
+    See CVE-2007-1861
 
- -- dann frazier <[EMAIL PROTECTED]>  Mon, 30 Apr 2007 17:30:17 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Mon, 30 Apr 2007 19:45:38 -0600
 
 linux-2.6 (2.6.18.dfsg.1-12etch1) stable-security; urgency=high
 

Added: 
dists/etch-security/linux-2.6/debian/patches/bugfix/netlink-infinite-recursion.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/netlink-infinite-recursion.patch
        Tue May  1 01:48:31 2007
@@ -0,0 +1,66 @@
+From: Alexey Kuznetsov <[EMAIL PROTECTED]>
+Date: Wed, 25 Apr 2007 20:59:03 +0000 (+0000)
+Subject: [PATCH] NETLINK: Infinite recursion in netlink.
+X-Git-Tag: v2.6.20.8~1
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=9bc1779885f4ce1a4257c5640c70b75d2ae124ad
+
+[PATCH] NETLINK: Infinite recursion in netlink.
+
+[NETLINK]: Infinite recursion in netlink.
+
+Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
+which resulted in infinite recursion and stack overflow.
+
+The bug is present in all kernel versions since the feature appeared.
+
+The patch also makes some minimal cleanup:
+
+1. Return something consistent (-ENOENT) when fib table is missing
+2. Do not crash when queue is empty (does not happen, but yet)
+3. Put result of lookup
+
+Signed-off-by: Alexey Kuznetsov <[EMAIL PROTECTED]>
+Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
+Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
+---
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index d47b72a..fa2cb8c 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -772,6 +772,8 @@ static void nl_fib_lookup(struct fib_result_nl *frn, 
struct fib_table *tb )
+                                      .nl_u = { .ip4_u = { .daddr = 
frn->fl_addr,
+                                                           .tos = frn->fl_tos,
+                                                           .scope = 
frn->fl_scope } } };
++
++      frn->err = -ENOENT;
+       if (tb) {
+               local_bh_disable();
+ 
+@@ -783,6 +785,7 @@ static void nl_fib_lookup(struct fib_result_nl *frn, 
struct fib_table *tb )
+                       frn->nh_sel = res.nh_sel;
+                       frn->type = res.type;
+                       frn->scope = res.scope;
++                      fib_res_put(&res);
+               }
+               local_bh_enable();
+       }
+@@ -797,6 +800,9 @@ static void nl_fib_input(struct sock *sk, int len)
+       struct fib_table *tb;
+       
+       skb = skb_dequeue(&sk->sk_receive_queue);
++      if (skb == NULL)
++              return;
++
+       nlh = (struct nlmsghdr *)skb->data;
+       if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len ||
+           nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) {
+@@ -809,7 +815,7 @@ static void nl_fib_input(struct sock *sk, int len)
+ 
+       nl_fib_lookup(frn, tb);
+       
+-      pid = nlh->nlmsg_pid;           /*pid of sending process */
++      pid = NETLINK_CB(skb).pid;       /* pid of sending process */
+       NETLINK_CB(skb).pid = 0;         /* from kernel */
+       NETLINK_CB(skb).dst_group = 0;  /* unicast */
+       netlink_unicast(sk, skb, pid, MSG_DONTWAIT);

Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch2 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch2 Tue May  1 
01:48:31 2007
@@ -1,2 +1,3 @@
 + bugfix/nfnetlink_log-null-deref.patch
 + bugfix/nf_conntrack-set-nfctinfo.patch
++ bugfix/netlink-infinite-recursion.patch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

[kernel] r8531 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Reply via email to