From c4101b61fff91e2dfe408fdfd0f7efa4bb17e254 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 14 Jan 2010 14:10:02 -0800
Subject: [PATCH] .31 patch
---
 ...kb_dst-can-be-null-in-ipv6_hop_jumbo.patch | 65 +++++++++++++++++++
 queue-2.6.31/series | 1 +
 2 files changed, 66 insertions(+)
 create mode 100644 queue-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
diff --git a/queue-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch b/queue-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
new file mode 100644
index 00000000000..66cbeaa04c0
--- /dev/null
+++ b/queue-2.6.31/ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
@@ -0,0 +1,65 @@
+From 2570a4f5428bcdb1077622342181755741e7fa60 Mon Sep 17 00:00:00 2001
+From: David S. Miller
+Date: Wed, 13 Jan 2010 17:27:37 -0800
+Subject: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().
+
+From: David S. Miller
+
+commit 2570a4f5428bcdb1077622342181755741e7fa60 upstream.
+
+This fixes CERT-FI FICORA #341748
+
+Discovered by Olli Jarva and Tuomo Untinen from the CROSS
+project at Codenomicon Ltd.
+
+Just like in CVE-2007-4567, we can't rely upon skb_dst() being
+non-NULL at this point. We fixed that in commit
+e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on
+skb->dst before it is assigned.")
+
+However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added
+net argument to IP6_INC_STATS_BH") put a new version of the same bug
+into this function.
+
+Complicating analysis further, this bug can only trigger when network
+namespaces are enabled in the build. When namespaces are turned off,
+the dev_net() does not evaluate it's argument, so the dereference
+would not occur.
+
+So, for a long time, namespaces couldn't be turned on unless SYSFS was
+disabled. Therefore, this code has largely been disabled except by
+people turning it on explicitly for namespace development.
+
+With help from Eugene Teo
+
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/exthdrs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -559,6 +559,11 @@ static inline struct inet6_dev *ipv6_skb
+ return skb_dst(skb) ? ip6_dst_idev(skb_dst(skb)) : __in6_dev_get(skb->dev);
+ }
+
++static inline struct net *ipv6_skb_net(struct sk_buff *skb)
++{
++ return skb_dst(skb) ? 
dev_net(skb_dst(skb)->dev) : dev_net(skb->dev);
++}
++
+ /* Router Alert as of RFC 2711 */
+
+ static int ipv6_hop_ra(struct sk_buff *skb, int optoff)
+@@ -580,8 +585,8 @@ static int ipv6_hop_ra(struct sk_buff *s
+ static int ipv6_hop_jumbo(struct sk_buff *skb, int optoff)
+ {
+ const unsigned char *nh = skb_network_header(skb);
++ struct net *net = ipv6_skb_net(skb);
+ u32 pkt_len;
+- struct net *net = dev_net(skb_dst(skb)->dev);
+
+ if (nh[optoff + 1] != 4 || (optoff & 3) != 2) {
+ LIMIT_NETDEBUG(KERN_DEBUG "ipv6_hop_jumbo: wrong jumbo opt length/alignment %d\n",
diff --git a/queue-2.6.31/series b/queue-2.6.31/series
index ff245e9684f..9fbe1dcc52d 100644
--- a/queue-2.6.31/series
+++ b/queue-2.6.31/series
@@ -6,3 +6,4 @@ netfilter-nf_ct_ftp-fix-out-of-bounds-read-in-update_nl_seq.patch
 quota-fix-dquot_transfer-for-filesystems-different-from-ext4.patch
 fix-braindamage-in-audit_tree.c-untag_chunk.patch
 fix-more-leaks-in-audit_tree.c-tag_chunk.patch
+ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
-- 
2.47.3
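Review bot: The new `ipv6_skb_net()` helper in the embedded net/ipv6/exthdrs.c hunk does not say why `skb_dst()` can be NULL at this point; that reasoning lives only in the commit message, which itself records that the same dereference was reintroduced once already (commit 483a47d2fe79…) after the first fix. A one-line comment above the helper, mirroring the equally unexplained `ipv6_skb_idev()` directly above it, would make the invariant visible where the next refactor will look: `/* skb_dst() may not be assigned yet while hop-by-hop options are parsed (see CVE-2007-4567); fall back to skb->dev. */`. The helper also evaluates `skb_dst(skb)` twice; caching it in a local `struct dst_entry *dst = skb_dst(skb);` would read the pointer once, though this matches the style of `ipv6_skb_idev()` and is not a correctness issue. The body of `ipv6_hop_jumbo()` continues past the end of the hunk.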