[kernel/f13/master] CVE-2010-3432: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch

Chuck Ebbert cebbert at fedoraproject.org
Fri Oct 1 03:47:33 UTC 2010


commit 2968963f0b5c8748612b2083c77b0bb728529118
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Thu Sep 30 23:46:34 2010 -0400

    CVE-2010-3432: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch

 kernel.spec                                        |   13 +++++++-
 ...eset-the-packet-during-sctp_packet_config.patch |   34 ++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index eba8cbc..aee6ff1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -611,9 +611,11 @@ Patch23: linux-2.6-utrace-ptrace.patch
 
 Patch50: linux-2.6-x86-cfi_sections.patch
 
+# CVE-2010-3301, CVE-2010-3081
 Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
 Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
 Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
+# CVE-2010-3067
 Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
 
 Patch144: linux-2.6-vio-modalias.patch
@@ -817,6 +819,9 @@ Patch12570: sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bi
 Patch12580: xen-handle-events-as-edge-triggered.patch
 Patch12581: xen-use-percpu-interrupts-for-ipis-and-virqs.patch
 
+# CVE-2010-3432
+Patch12590: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1246,11 +1251,11 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
 # x86(-64)
 ApplyPatch linux-2.6-x86-cfi_sections.patch
 
+# CVE-2010-3301, CVE-2010-3081
 ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
 ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
 ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
 
-
 #
 # Intel IOMMU
 #
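Review bot: The `# CVE-2010-3067` comment added above `Patch103` in the declaration hunk has no counterpart in this apply-section hunk: only the three compat `ApplyPatch` lines get a CVE label, and no `ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch` line appears in the visible context. That line is presumably elsewhere in the file, outside the hunk; if so, it should carry the same `# CVE-2010-3067` comment so the declaration and application sections can be audited against each other. If the patch is not applied anywhere, the fix is declared but never built into the kernel, which is worth confirming before the package ships.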
@@ -1545,6 +1550,9 @@ ApplyPatch sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit
 ApplyPatch xen-handle-events-as-edge-triggered.patch
 ApplyPatch xen-use-percpu-interrupts-for-ipis-and-virqs.patch
 
+# CVE-2010-3432
+ApplyPatch sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2166,6 +2174,9 @@ fi
 
 
 %changelog
+* Thu Sep 30 2010 Chuck Ebbert <cebbert at redhat.com>
+- CVE-2010-3432: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
+
 * Thu Sep 30 2010 Ben Skeggs <bskeggs at redhat.com> 2.6.34.7-59
 - nouveau: fix theoretical race condition that could be responsible for
   certain random hangs that have been reported.
diff --git a/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch b/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
new file mode 100644
index 0000000..c88c12a
--- /dev/null
+++ b/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
@@ -0,0 +1,34 @@
+From 4bdab43323b459900578b200a4b8cf9713ac8fab Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date: Wed, 15 Sep 2010 10:00:26 -0400
+Subject: sctp: Do not reset the packet during sctp_packet_config().
+
+From: Vlad Yasevich <vladislav.yasevich at hp.com>
+
+commit 4bdab43323b459900578b200a4b8cf9713ac8fab upstream.
+
+sctp_packet_config() is called when getting the packet ready
+for appending of chunks.  The function should not touch the
+current state, since it's possible to ping-pong between two
+transports when sending, and that can result packet corruption
+followed by skb overlfow crash.
+
+Reported-by: Thomas Dreibholz <dreibh at iem.uni-due.de>
+Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/sctp/output.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(s
+ 	SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
+ 			  packet, vtag);
+ 
+-	sctp_packet_reset(packet);
+ 	packet->vtag = vtag;
+ 
+ 	if (ecn_capable && sctp_packet_empty(packet)) {

