From: Greg Kroah-Hartman
Date: Tue, 7 Dec 2010 21:33:23 +0000 (-0800)
Subject: .27 patches
X-Git-Tag: v2.6.27.57~15
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4a86afca35268cbaa2e3ff9d0b4308cc32d890ae;p=thirdparty%2Fkernel%2Fstable-queue.git
.27 patches
---
diff --git a/queue-2.6.27/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch b/queue-2.6.27/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
new file mode 100644
index 00000000000..f10edc13c62
--- /dev/null
+++ b/queue-2.6.27/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
@@ -0,0 +1,62 @@
+From fa0e846494792e722d817b9d3d625a4ef4896c96 Mon Sep 17 00:00:00 2001
+From: Phil Blundell
+Date: Wed, 24 Nov 2010 11:49:19 -0800
+Subject: econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
+
+From: Phil Blundell
+
+commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.
+
+Later parts of econet_sendmsg() rely on saddr != NULL, so return early
+with EINVAL if NULL was passed otherwise an oops may occur.
+
+Signed-off-by: Phil Blundell
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/econet/af_econet.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -296,23 +296,14 @@ static int econet_sendmsg(struct kiocb *
+
+ mutex_lock(&econet_mutex);
+
+- if (saddr == NULL) {
+- struct econet_sock *eo = ec_sk(sk);
+-
+- addr.station = eo->station;
+- addr.net = eo->net;
+- port = eo->port;
+- cb = eo->cb;
+- } else {
+- if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
+- mutex_unlock(&econet_mutex);
+- return -EINVAL;
+- }
+- addr.station = saddr->addr.station;
+- addr.net = saddr->addr.net;
+- port = saddr->port;
+- cb = saddr->cb;
+- }
++ if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
++ mutex_unlock(&econet_mutex);
++ return -EINVAL;
++ }
++ addr.station = saddr->addr.station;
++ addr.net = saddr->addr.net;
++ port = saddr->port;
++ cb = saddr->cb;
+
+ /* Look for a device with the right network number. */
+ dev = net2dev_map[addr.net];
+@@ -350,7 +341,6 @@ static int econet_sendmsg(struct kiocb *
+
+ eb = (struct ec_cb *)&skb->cb;
+
+- /* BUG: saddr may be NULL */
+ eb->cookie = saddr->cookie;
+ eb->sec = *saddr;
+ eb->sent = ec_tx_done;
diff --git a/queue-2.6.27/econet-fix-cve-2010-3850.patch b/queue-2.6.27/econet-fix-cve-2010-3850.patch
new file mode 100644
index 00000000000..08d99048986
--- /dev/null
+++ b/queue-2.6.27/econet-fix-cve-2010-3850.patch
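Review bot: In the econet_sendmsg() hunk of econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch, the new `saddr == NULL` rejection also removes the old fallback to the socket's stored `eo->station`/`eo->net`/`eo->port`/`eo->cb`, so a send with no destination address now fails with -EINVAL instead of using those values, and nothing in the code says so. I would add a comment above the check, e.g. `/* An explicit destination is mandatory: saddr is dereferenced unconditionally below (eb->cookie, eb->sec = *saddr). */`, in place of the removed `BUG:` remark. The check reads only `saddr` and `msg->msg_namelen`, which look like per-call values, so it could presumably sit before `mutex_lock(&econet_mutex)` and drop the unlock from the error path; the declaration of `saddr` is outside the hunk, so confirm that first. The function body starts and ends outside both hunks.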
@@ -0,0 +1,31 @@
+From 16c41745c7b92a243d0874f534c1655196c64b74 Mon Sep 17 00:00:00 2001
+From: Phil Blundell
+Date: Wed, 24 Nov 2010 11:49:53 -0800
+Subject: econet: fix CVE-2010-3850
+
+From: Phil Blundell
+
+commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream.
+
+Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
+
+Signed-off-by: Phil Blundell
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/econet/af_econet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -661,6 +661,9 @@ static int ec_dev_ioctl(struct socket *s
+ err = 0;
+ switch (cmd) {
+ case SIOCSIFADDR:
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ edev = dev->ec_ptr;
+ if (edev == NULL) {
+ /* Magic up a new one. */
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index ade2315d879..e7ad08bd9dd 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -40,3 +40,5 @@ memory-corruption-in-x.25-facilities-parsing.patch
 can-bcm-fix-minor-heap-overflow.patch
 v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch
 x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
+econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
+econet-fix-cve-2010-3850.patch
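Review bot: In the ec_dev_ioctl() hunk of econet-fix-cve-2010-3850.patch, the added `return -EPERM;` leaves the function from inside the `switch` without going through whatever exit path follows it. The start of the function is outside the hunk, but `dev` is already in use and the first patch shows econet code taking `econet_mutex`, so if a lock or a device reference has been acquired by this point, an unprivileged caller hitting this branch would leave it held. Since `err` is set just before the `switch`, the safer form is `if (!capable(CAP_NET_ADMIN)) { err = -EPERM; break; }` so the normal cleanup runs; alternatively do the capability check before any resource is taken. Worth confirming against the full function before this is queued.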