Patchwork [CVE-2010-4342,Karmic] econet: Fix crash in aun_incoming(). CVE-2010-4342

Submitter Leann Ogasawara
Date March 17, 2011, 5:21 p.m.
Message ID <1300382502.1813.7.camel@emiko>
Permalink /patch/87401/
State New

Pull-request

git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4342

Comments

Leann Ogasawara - March 17, 2011, 5:21 p.m.
The following changes since commit a03e8e64c82377c67d844a823e6a1ac673debc73:
  Tavis Ormandy (1):
        Revised [CVE-2010-4345 Karmic] install_special_mapping skips security_file_mmap check. CVE-2010-4346

are available in the git repository at:

  git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4342

David S. Miller (1):
      econet: Fix crash in aun_incoming(). CVE-2010-4342

 net/econet/af_econet.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

From 9ed47256baebcd6389bfb10b9b40a5e6fc8a3bcf Mon Sep 17 00:00:00 2001
From: David S. Miller <davem@davemloft.net>
Date: Wed, 8 Dec 2010 18:42:23 -0800
Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342

CVE-2010-4342

BugLink: http://bugs.launchpad.net/bugs/736394

Unconditional use of skb->dev won't work here,
try to fetch the econet device via skb_dst()->dev
instead.

Suggested by Eric Dumazet.

Reported-by: Nelson Elhage <nelhage@ksplice.com>
Tested-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64)

Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
---
 net/econet/af_econet.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

Tim Gardner - March 17, 2011, 5:24 p.m.
On 03/17/2011 11:21 AM, Leann Ogasawara wrote:
> The following changes since commit a03e8e64c82377c67d844a823e6a1ac673debc73:
>    Tavis Ormandy (1):
>          Revised [CVE-2010-4345 Karmic] install_special_mapping skips security_file_mmap check. CVE-2010-4346
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4342
>
> David S. Miller (1):
>        econet: Fix crash in aun_incoming(). CVE-2010-4342
>
>   net/econet/af_econet.c |    6 +++++-
>   1 files changed, 5 insertions(+), 1 deletions(-)
>
>  From 9ed47256baebcd6389bfb10b9b40a5e6fc8a3bcf Mon Sep 17 00:00:00 2001
> From: David S. Miller<davem@davemloft.net>
> Date: Wed, 8 Dec 2010 18:42:23 -0800
> Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342
>
> CVE-2010-4342
>
> BugLink: http://bugs.launchpad.net/bugs/736394
>
> Unconditional use of skb->dev won't work here,
> try to fetch the econet device via skb_dst()->dev
> instead.
>
> Suggested by Eric Dumazet.
>
> Reported-by: Nelson Elhage<nelhage@ksplice.com>
> Tested-by: Nelson Elhage<nelhage@ksplice.com>
> Signed-off-by: David S. Miller<davem@davemloft.net>
> (backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64)
>
> Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com>
> ---
>   net/econet/af_econet.c |    6 +++++-
>   1 files changed, 5 insertions(+), 1 deletions(-)
>
> diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
> index 690da47..6bc2f6d 100644
> --- a/net/econet/af_econet.c
> +++ b/net/econet/af_econet.c
> @@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
>   	struct iphdr *ip = ip_hdr(skb);
>   	unsigned char stn = ntohl(ip->saddr)&  0xff;
>   	struct sock *sk;
> +	struct dst_entry *dst = skb_dst(skb);
> +	struct ec_device *edev = NULL;
>   	struct sk_buff *newskb;
> -	struct ec_device *edev = skb->dev->ec_ptr;
> +
> +	if (dst)
> +		edev = dst->dev->ec_ptr;
>
>   	if (! edev)
>   		goto bad;
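
Review bot: The new `if (dst)` lookup carries no comment saying why the device has to come from the dst entry, and the commit message only says that unconditional use of skb->dev "won't work here". A one-line comment above `if (dst)` explaining that skb->dev cannot be relied on in aun_incoming() would keep a later cleanup from switching back to `skb->dev->ec_ptr`. It would also help to note that a missing dst is treated as "no econet device" and falls through to the existing `if (! edev) goto bad;` path.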

Acked-by: Tim Gardner <tim.gardner@canonical.com>

Brad Figg - March 17, 2011, 9:20 p.m.
On 03/17/2011 10:21 AM, Leann Ogasawara wrote:
> The following changes since commit a03e8e64c82377c67d844a823e6a1ac673debc73:
>    Tavis Ormandy (1):
>          Revised [CVE-2010-4345 Karmic] install_special_mapping skips security_file_mmap check. CVE-2010-4346
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4342
>
> David S. Miller (1):
>        econet: Fix crash in aun_incoming(). CVE-2010-4342
>
>   net/econet/af_econet.c |    6 +++++-
>   1 files changed, 5 insertions(+), 1 deletions(-)
>
>  From 9ed47256baebcd6389bfb10b9b40a5e6fc8a3bcf Mon Sep 17 00:00:00 2001
> From: David S. Miller<davem@davemloft.net>
> Date: Wed, 8 Dec 2010 18:42:23 -0800
> Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342
>
> CVE-2010-4342
>
> BugLink: http://bugs.launchpad.net/bugs/736394
>
> Unconditional use of skb->dev won't work here,
> try to fetch the econet device via skb_dst()->dev
> instead.
>
> Suggested by Eric Dumazet.
>
> Reported-by: Nelson Elhage<nelhage@ksplice.com>
> Tested-by: Nelson Elhage<nelhage@ksplice.com>
> Signed-off-by: David S. Miller<davem@davemloft.net>
> (backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64)
>
> Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com>
> ---
>   net/econet/af_econet.c |    6 +++++-
>   1 files changed, 5 insertions(+), 1 deletions(-)
>
> diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
> index 690da47..6bc2f6d 100644
> --- a/net/econet/af_econet.c
> +++ b/net/econet/af_econet.c
> @@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
>   	struct iphdr *ip = ip_hdr(skb);
>   	unsigned char stn = ntohl(ip->saddr)&  0xff;
>   	struct sock *sk;
> +	struct dst_entry *dst = skb_dst(skb);
> +	struct ec_device *edev = NULL;
>   	struct sk_buff *newskb;
> -	struct ec_device *edev = skb->dev->ec_ptr;
> +
> +	if (dst)
> +		edev = dst->dev->ec_ptr;
>
>   	if (! edev)
>   		goto bad;

Acked-by: Brad Figg <brad.figg@canonical.com>

Brad Figg - March 17, 2011, 9:21 p.m.
On 03/17/2011 10:21 AM, Leann Ogasawara wrote:
> The following changes since commit a03e8e64c82377c67d844a823e6a1ac673debc73:
>    Tavis Ormandy (1):
>          Revised [CVE-2010-4345 Karmic] install_special_mapping skips security_file_mmap check. CVE-2010-4346
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4342
>
> David S. Miller (1):
>        econet: Fix crash in aun_incoming(). CVE-2010-4342
>
>   net/econet/af_econet.c |    6 +++++-
>   1 files changed, 5 insertions(+), 1 deletions(-)
>
>  From 9ed47256baebcd6389bfb10b9b40a5e6fc8a3bcf Mon Sep 17 00:00:00 2001
> From: David S. Miller<davem@davemloft.net>
> Date: Wed, 8 Dec 2010 18:42:23 -0800
> Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342
>
> CVE-2010-4342
>
> BugLink: http://bugs.launchpad.net/bugs/736394
>
> Unconditional use of skb->dev won't work here,
> try to fetch the econet device via skb_dst()->dev
> instead.
>
> Suggested by Eric Dumazet.
>
> Reported-by: Nelson Elhage<nelhage@ksplice.com>
> Tested-by: Nelson Elhage<nelhage@ksplice.com>
> Signed-off-by: David S. Miller<davem@davemloft.net>
> (backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64)
>
> Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com>
> ---
>   net/econet/af_econet.c |    6 +++++-
>   1 files changed, 5 insertions(+), 1 deletions(-)
>
> diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
> index 690da47..6bc2f6d 100644
> --- a/net/econet/af_econet.c
> +++ b/net/econet/af_econet.c
> @@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
>   	struct iphdr *ip = ip_hdr(skb);
>   	unsigned char stn = ntohl(ip->saddr)&  0xff;
>   	struct sock *sk;
> +	struct dst_entry *dst = skb_dst(skb);
> +	struct ec_device *edev = NULL;
>   	struct sk_buff *newskb;
> -	struct ec_device *edev = skb->dev->ec_ptr;
> +
> +	if (dst)
> +		edev = dst->dev->ec_ptr;
>
>   	if (! edev)
>   		goto bad;

Acked-by: Brad Figg <brad.figg@canonical.com>

Tim Gardner - March 18, 2011, 1:14 a.m.
On 03/17/2011 11:21 AM, Leann Ogasawara wrote:
> The following changes since commit a03e8e64c82377c67d844a823e6a1ac673debc73:
>    Tavis Ormandy (1):
>          Revised [CVE-2010-4345 Karmic] install_special_mapping skips security_file_mmap check. CVE-2010-4346
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4342
>
> David S. Miller (1):
>        econet: Fix crash in aun_incoming(). CVE-2010-4342
>
>   net/econet/af_econet.c |    6 +++++-
>   1 files changed, 5 insertions(+), 1 deletions(-)
>
>  From 9ed47256baebcd6389bfb10b9b40a5e6fc8a3bcf Mon Sep 17 00:00:00 2001
> From: David S. Miller<davem@davemloft.net>
> Date: Wed, 8 Dec 2010 18:42:23 -0800
> Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342
>
> CVE-2010-4342
>
> BugLink: http://bugs.launchpad.net/bugs/736394
>
> Unconditional use of skb->dev won't work here,
> try to fetch the econet device via skb_dst()->dev
> instead.
>
> Suggested by Eric Dumazet.
>
> Reported-by: Nelson Elhage<nelhage@ksplice.com>
> Tested-by: Nelson Elhage<nelhage@ksplice.com>
> Signed-off-by: David S. Miller<davem@davemloft.net>
> (backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64)
>
> Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com>
> ---
>   net/econet/af_econet.c |    6 +++++-
>   1 files changed, 5 insertions(+), 1 deletions(-)
>
> diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
> index 690da47..6bc2f6d 100644
> --- a/net/econet/af_econet.c
> +++ b/net/econet/af_econet.c
> @@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
>   	struct iphdr *ip = ip_hdr(skb);
>   	unsigned char stn = ntohl(ip->saddr)&  0xff;
>   	struct sock *sk;
> +	struct dst_entry *dst = skb_dst(skb);
> +	struct ec_device *edev = NULL;
>   	struct sk_buff *newskb;
> -	struct ec_device *edev = skb->dev->ec_ptr;
> +
> +	if (dst)
> +		edev = dst->dev->ec_ptr;
>
>   	if (! edev)
>   		goto bad;

applied

Patch

diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index 690da47..6bc2f6d 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -844,8 +844,12 @@  static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
 	struct iphdr *ip = ip_hdr(skb);
 	unsigned char stn = ntohl(ip->saddr) & 0xff;
 	struct sock *sk;
+	struct dst_entry *dst = skb_dst(skb);
+	struct ec_device *edev = NULL;
 	struct sk_buff *newskb;
-	struct ec_device *edev = skb->dev->ec_ptr;
+
+	if (dst)
+		edev = dst->dev->ec_ptr;
 
 	if (! edev)
 		goto bad;
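
Review bot: In the added `if (dst)` block, only `dst` is checked before `dst->dev->ec_ptr` is read, so `dst->dev` is still dereferenced unconditionally, the same pattern the removed `skb->dev->ec_ptr` line had. If a dst entry reaching aun_incoming() is guaranteed to carry a device, say so in the commit message or a comment; otherwise write the guard as `if (dst && dst->dev)` so that a missing device also ends up at the existing `if (! edev) goto bad;` check.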