CVE-2010-3432: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch

2010-09-30 23:46:34 -04:00 · 2010-09-30 23:46:34 -04:00 · 2968963f0b
parent 5c3c16ba28
commit 2968963f0b
2 changed files with 46 additions and 1 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -611,9 +611,11 @@ Patch23: linux-2.6-utrace-ptrace.patch

 Patch50: linux-2.6-x86-cfi_sections.patch

+# CVE-2010-3301, CVE-2010-3081
 Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
 Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
 Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
+# CVE-2010-3067
 Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch

 Patch144: linux-2.6-vio-modalias.patch
@ -817,6 +819,9 @@ Patch12570: sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bi
 Patch12580: xen-handle-events-as-edge-triggered.patch
 Patch12581: xen-use-percpu-interrupts-for-ipis-and-virqs.patch

+# CVE-2010-3432
+Patch12590: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
+
 %endif

 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1246,11 +1251,11 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
 # x86(-64)
 ApplyPatch linux-2.6-x86-cfi_sections.patch

+# CVE-2010-3301, CVE-2010-3081
 ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
 ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
 ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch

-
 #
 # Intel IOMMU
 #
@ -1545,6 +1550,9 @@ ApplyPatch sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit
 ApplyPatch xen-handle-events-as-edge-triggered.patch
 ApplyPatch xen-use-percpu-interrupts-for-ipis-and-virqs.patch

+# CVE-2010-3432
+ApplyPatch sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2166,6 +2174,9 @@ fi


 %changelog
+* Thu Sep 30 2010 Chuck Ebbert <cebbert@redhat.com>
+- CVE-2010-3432: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
+
 * Thu Sep 30 2010 Ben Skeggs <bskeggs@redhat.com> 2.6.34.7-59
 - nouveau: fix theoretical race condition that could be responsible for
  certain random hangs that have been reported.
--- a/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
+++ b/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
@ -0,0 +1,34 @@
+From 4bdab43323b459900578b200a4b8cf9713ac8fab Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+Date: Wed, 15 Sep 2010 10:00:26 -0400
+Subject: sctp: Do not reset the packet during sctp_packet_config().
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+commit 4bdab43323b459900578b200a4b8cf9713ac8fab upstream.
+
+sctp_packet_config() is called when getting the packet ready
+for appending of chunks.  The function should not touch the
+current state, since it's possible to ping-pong between two
+transports when sending, and that can result packet corruption
+followed by skb overlfow crash.
+
+Reported-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/output.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/sctp/output.c
+++ b/net/sctp/output.c
+@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(s
+ 	SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
+ 			  packet, vtag);
+ 
+-	sctp_packet_reset(packet);
+ 	packet->vtag = vtag;
+ 
+ 	if (ecn_capable && sctp_packet_empty(packet)) {