rpms/kernel/F-11 ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch, NONE, 1.1.2.1 kernel.spec, 1.1784.2.1, 1.1784.2.2

Chuck Ebbert cebbert at fedoraproject.org
Tue Jan 19 19:24:17 UTC 2010


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19358

Modified Files:
      Tag: private-fedora-11-2_6_30
	kernel.spec 
Added Files:
      Tag: private-fedora-11-2_6_30
	ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch 
Log Message:
Backport fix for CVE-2010-0006:
  kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo() (rhbz#555217)

ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch:
 exthdrs.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- NEW FILE ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch ---
>From 2570a4f5428bcdb1077622342181755741e7fa60 Mon Sep 17 00:00:00 2001
From: David S. Miller <davem at davemloft.net>
Date: Wed, 13 Jan 2010 17:27:37 -0800
Subject: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().

From: David S. Miller <davem at davemloft.net>

commit 2570a4f5428bcdb1077622342181755741e7fa60 upstream.

[ backported to 2.6.30 ]

This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point.  We fixed that in commit
e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")

However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.

Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build.  When namespaces are turned off,
the dev_net() does not evaluate its argument, so the dereference
would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled.  Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene at redhat.com>

Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 net/ipv6/exthdrs.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -559,6 +559,11 @@ static inline struct inet6_dev *ipv6_skb
 	return skb->dst ? ip6_dst_idev(skb->dst) : __in6_dev_get(skb->dev);
 }
 
+static inline struct net *ipv6_skb_net(struct sk_buff *skb)
+{
+	return skb->dst ? dev_net(skb->dst->dev) : dev_net(skb->dev);
+}
+
 /* Router Alert as of RFC 2711 */
 
 static int ipv6_hop_ra(struct sk_buff *skb, int optoff)
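Review bot: the new ipv6_skb_net() helper has no comment saying why skb->dst can be NULL at this point, and that is exactly the knowledge that was lost between e76b2b2567b8 ("Do no rely on skb->dst before it is assigned") and 483a47d2fe79, which put the dev_net(skb->dst->dev) form back. Add a one-line comment above the helper stating that hop-by-hop options are parsed on the receive path before the route lookup has attached a dst, so the fallback to skb->dev is required, not defensive. Mirroring ipv6_skb_idev() directly above is the right shape; note also that this 2.6.30 backport uses skb->dst where the upstream commit's subject refers to skb_dst(), which is expected on this branch but deserves a line under "[ backported to 2.6.30 ]" in the patch header.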
@@ -580,8 +585,8 @@ static int ipv6_hop_ra(struct sk_buff *s
 static int ipv6_hop_jumbo(struct sk_buff *skb, int optoff)
 {
 	const unsigned char *nh = skb_network_header(skb);
+	struct net *net = ipv6_skb_net(skb);
 	u32 pkt_len;
-	struct net *net = dev_net(skb->dst->dev);
 
 	if (nh[optoff + 1] != 4 || (optoff & 3) != 2) {
 		LIMIT_NETDEBUG(KERN_DEBUG "ipv6_hop_jumbo: wrong jumbo opt length/alignment %d\n",
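Review bot: the hunk shows only the head of ipv6_hop_jumbo(); the IP6_INC_STATS_BH(net, ...) calls that consume `net` lie below the visible context, so confirm that no other skb->dst->dev dereference remains further down this function or in the other option handlers in exthdrs.c that took the same net argument in 483a47d2fe79. The reorder that moves `net` above `pkt_len` is harmless but unrelated to the fix; keeping the original declaration order would reduce this hunk to the one changed initializer. A regression test, per the commit message, is a packet carrying a Hop-by-Hop Jumbo Payload option received on a CONFIG_NET_NS=y kernel; the fix is invisible on a namespace-less build.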


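The commit message above explains the bug shape: on the receive path skb->dst is not yet set when the hop-by-hop options are parsed, so dev_net(skb->dst->dev) dereferences NULL, and only when namespaces are compiled in does dev_net() actually touch its argument. The following user-space model is an added example, not code from the patch, from Fedora or from the kernel. It assumes toy struct layouts that only mirror the kernel's names, models dev_net() as a macro (the kernel's is a static inline) so that the non-evaluation of the argument in the namespace-less build is explicit, and, beyond the single length/alignment check visible in the hunk, adds RFC 2675's rule that a Jumbo Payload length must exceed 65535. The sample Hop-by-Hop header is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Define to model a kernel built with CONFIG_NET_NS; comment it out to
 * model the namespace-less build in which dev_net() ignores its argument. */
#define MODEL_NET_NS 1

struct net { const char *name; };
struct net_device { const char *ifname; struct net *nd_net; };
struct dst_entry { struct net_device *dev; };
struct sk_buff {
    struct dst_entry *dst;   /* NULL on input until the route lookup has run */
    struct net_device *dev;  /* receiving interface, always set on input */
};

struct net init_net = { "init_net" };

/* dev_net() as a macro (assumption of this model): with namespaces off the
 * argument expression, skb->dst->dev included, is never evaluated. */
#ifdef MODEL_NET_NS
#define dev_net(dev) ((dev)->nd_net)
#else
#define dev_net(dev) (&init_net)
#endif

/* Pre-patch lookup: dereferences skb->dst whether or not it is set. */
static struct net *jumbo_net_unfixed(struct sk_buff *skb)
{
    return dev_net(skb->dst->dev);
}

/* The helper the patch adds: the route's device when there is a route,
 * otherwise the device the packet arrived on. */
static inline struct net *ipv6_skb_net(struct sk_buff *skb)
{
    return skb->dst ? dev_net(skb->dst->dev) : dev_net(skb->dev);
}

#define IPV6_MAXPLEN   65535
#define IPV6_TLV_JUMBO 0xC2

/* Model of ipv6_hop_jumbo() after the patch. nh points at the Hop-by-Hop
 * header, optoff at the option type byte. Returns 0 and fills *pkt_len and
 * *net for a well-formed option, -1 otherwise (where the kernel would bump
 * IPSTATS_MIB_INHDRERRORS in *net and send an ICMPv6 parameter problem). */
static int hop_jumbo_model(struct sk_buff *skb, const unsigned char *nh,
                           int optoff, uint32_t *pkt_len, struct net **net)
{
    *net = ipv6_skb_net(skb);                 /* safe with skb->dst == NULL */

    /* Check copied from the hunk: option length 4, option at offset 4n+2. */
    if (nh[optoff + 1] != 4 || (optoff & 3) != 2)
        return -1;

    /* Big-endian 32-bit jumbo length, what ntohl() yields in the kernel. */
    *pkt_len = ((uint32_t)nh[optoff + 2] << 24) | ((uint32_t)nh[optoff + 3] << 16) |
               ((uint32_t)nh[optoff + 4] << 8)  |  (uint32_t)nh[optoff + 5];

    /* RFC 2675: a jumbo length that fits the base header is a header error. */
    if (*pkt_len <= IPV6_MAXPLEN)
        return -1;
    return 0;
}

/* Constructed sample: next header 59, ext length 0 (8 bytes), Jumbo Payload
 * option at offset 2 carrying length 0x00010000. */
static const unsigned char sample_hbh[8] = { 59, 0, IPV6_TLV_JUMBO, 4, 0x00, 0x01, 0x00, 0x00 };

/* Scenario from the advisory: packet just received, no route attached yet.
 * jumbo_net_unfixed() would dereference NULL here, so it is not called. */
static int run_unrouted(uint32_t *pkt_len, const char **net_name)
{
    struct net ns_a = { "ns-a" };
    struct net_device eth0 = { "eth0", &ns_a };
    struct sk_buff skb = { NULL, &eth0 };
    struct net *net = NULL;
    int rc = hop_jumbo_model(&skb, sample_hbh, 2, pkt_len, &net);
    *net_name = net ? net->name : NULL;
    return rc;
}

/* Scenario with a route attached: the route's device decides the namespace,
 * and the pre-patch lookup agrees only because dst is non-NULL. */
static int run_routed(uint32_t *pkt_len, const char **net_name)
{
    struct net ns_a = { "ns-a" }, ns_b = { "ns-b" };
    struct net_device eth0 = { "eth0", &ns_a }, veth1 = { "veth1", &ns_b };
    struct dst_entry rt = { &veth1 };
    struct sk_buff skb = { &rt, &eth0 };
    struct net *net = NULL;
    int rc = hop_jumbo_model(&skb, sample_hbh, 2, pkt_len, &net);
    *net_name = net ? net->name : NULL;
    return (jumbo_net_unfixed(&skb) == net) ? rc : -2;
}

/* Malformed option: length byte 3 instead of 4 fails the hunk's check. */
static int run_bad_length(void)
{
    unsigned char bad[8];
    struct net ns_a = { "ns-a" };
    struct net_device eth0 = { "eth0", &ns_a };
    struct sk_buff skb = { NULL, &eth0 };
    struct net *net = NULL;
    uint32_t pkt_len = 0;
    memcpy(bad, sample_hbh, sizeof bad);
    bad[3] = 3;
    return hop_jumbo_model(&skb, bad, 2, &pkt_len, &net);
}

int main(void)
{
    uint32_t len = 0; const char *name = NULL;
    int rc = run_unrouted(&len, &name);
    printf("unrouted: rc=%d pkt_len=%u net=%s\n", rc, (unsigned)len, name);
    rc = run_routed(&len, &name);
    printf("routed:   rc=%d pkt_len=%u net=%s\n", rc, (unsigned)len, name);
    printf("bad len:  rc=%d\n", run_bad_length());
    return 0;
}
```

Rebuilding with MODEL_NET_NS commented out shows the commit message's point: jumbo_net_unfixed() then compiles to a plain return of &init_net and the NULL dst is never touched, which is why the bug stayed hidden on namespace-less builds.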
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1784.2.1
retrieving revision 1.1784.2.2
diff -u -p -r1.1784.2.1 -r1.1784.2.2
--- kernel.spec	4 Jan 2010 14:36:20 -0000	1.1784.2.1
+++ kernel.spec	19 Jan 2010 19:24:16 -0000	1.1784.2.2
@@ -848,6 +848,9 @@ Patch16472: fuse-fix-kunmap-in-fuse_ioct
 # kernel commit e9024a059f2c17fb2bfab212ee9d31511d7b8e57
 Patch16473: linux-2.6-libertas-crash.patch
 
+# cve-2010-0006
+Patch16500: ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
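Review bot: the comment above Patch16500 carries only the CVE id, while the neighbouring entry records the upstream hash (`# kernel commit e9024a059f2c...`); add `2570a4f5428bcdb1077622342181755741e7fa60` and rhbz#555217 to this comment so the patch can be traced without opening the file. The jump from Patch16473 to Patch16500 is fine if it reserves a block for security backports on this branch, but say so in the comment.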
@@ -1593,6 +1596,9 @@ ApplyPatch fuse-fix-kunmap-in-fuse_ioctl
 # libertas 64-bit crash fix [e9024a059f2c17fb2bfab212ee9d31511d7b8e57]
 ApplyPatch linux-2.6-libertas-crash.patch
 
+# cve-2010-0006
+ApplyPatch ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
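Review bot: same point as the Patch: line, the ApplyPatch comment should carry the upstream commit id in brackets the way the libertas line directly above does, so the two halves of the spec stay greppable by hash.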
@@ -2181,7 +2187,11 @@ fi
 # and build.
 
 %changelog
-* Fri Dec 25 2009 Dan Williams <dcbw at redhat.com> 2.6.30.10-106
+* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.30.10-105.2.2
+- Backport fix for CVE-2010-0006:
+  kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo() (rhbz#555217)
+
+* Fri Dec 25 2009 Dan Williams <dcbw at redhat.com> 2.6.30.10-105.2.1
 - libertas: fix crash on 64-bit platforms with >= 4GB RAM
 
 * Thu Dec 24 2009 Kyle McMartin <kyle at redhat.com> 2.6.30.10-105
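Review bot: this hunk rewrites the existing Fri Dec 25 2009 entry's release from 2.6.30.10-106 to 2.6.30.10-105.2.1, which silently edits history for a build that may already have gone out under -106; if the private branch really was built as -105.2.1, say so in the log message, otherwise leave the old entry untouched. Minor: the new header line has a double space before 2.6.30.10-105.2.2 where every other entry uses a single one.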
