From patchwork Thu Mar 17 17:21:42 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leann Ogasawara X-Patchwork-Id: 87401 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 64019B6FD8 for ; Fri, 18 Mar 2011 04:21:51 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Q0GtP-0008N2-H8; Thu, 17 Mar 2011 17:21:47 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Q0GtN-0008Mn-Rf for kernel-team@lists.ubuntu.com; Thu, 17 Mar 2011 17:21:45 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1Q0GtN-0000WA-Px for ; Thu, 17 Mar 2011 17:21:45 +0000 Received: from c-76-105-148-120.hsd1.or.comcast.net ([76.105.148.120] helo=[192.168.1.4]) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1Q0GtN-0001h6-EI for kernel-team@lists.ubuntu.com; Thu, 17 Mar 2011 17:21:45 +0000 Subject: [CVE-2010-4342 Karmic] econet: Fix crash in aun_incoming(). CVE-2010-4342 From: Leann Ogasawara To: kernel-team Date: Thu, 17 Mar 2011 10:21:42 -0700 Message-ID: <1300382502.1813.7.camel@emiko> Mime-Version: 1.0 X-Mailer: Evolution 2.32.2 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com The following changes since commit a03e8e64c82377c67d844a823e6a1ac673debc73: Tavis Ormandy (1): Revised [CVE-2010-4345 Karmic] install_special_mapping skips security_file_mmap check. CVE-2010-4346 are available in the git repository at: git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4342 David S. Miller (1): econet: Fix crash in aun_incoming(). CVE-2010-4342 net/econet/af_econet.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) From 9ed47256baebcd6389bfb10b9b40a5e6fc8a3bcf Mon Sep 17 00:00:00 2001 From: David S. Miller Date: Wed, 8 Dec 2010 18:42:23 -0800 Subject: [PATCH] econet: Fix crash in aun_incoming(). CVE-2010-4342 CVE-2010-4342 BugLink: http://bugs.launchpad.net/bugs/736394 Unconditional use of skb->dev won't work here, try to fetch the econet device via skb_dst()->dev instead. Suggested by Eric Dumazet. Reported-by: Nelson Elhage Tested-by: Nelson Elhage Signed-off-by: David S. Miller (backport of upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64) Signed-off-by: Leann Ogasawara Acked-by: Tim Gardner Acked-by: Brad Figg Acked-by: Brad Figg --- net/econet/af_econet.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index 690da47..6bc2f6d 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c @@ -844,8 +844,12 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len) struct iphdr *ip = ip_hdr(skb); unsigned char stn = ntohl(ip->saddr) & 0xff; struct sock *sk; + struct dst_entry *dst = skb_dst(skb); + struct ec_device *edev = NULL; struct sk_buff *newskb; - struct ec_device *edev = skb->dev->ec_ptr; + + if (dst) + edev = dst->dev->ec_ptr; if (! edev) goto bad;