[kernel] r19770 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jan 22 06:45:30 UTC 2013
Author: dannf
Date: Tue Jan 22 06:45:29 2013
New Revision: 19770
Log:
net: fix divide by zero in tcp algorithm illinois (CVE-2012-4565)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Tue Jan 22 06:41:41 2013 (r19769)
+++ dists/squeeze-security/linux-2.6/debian/changelog Tue Jan 22 06:45:29 2013 (r19770)
@@ -2,6 +2,7 @@
* kmod: make __request_module() killable (CVE-2012-4398)
* inet: add RCU protection to inet->opt (CVE-2012-3552)
+ * net: fix divide by zero in tcp algorithm illinois (CVE-2012-4565)
-- dann frazier <dannf at debian.org> Mon, 22 Oct 2012 20:34:13 -0500
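Review bot: The trailer line kept as context here is still dated Mon, 22 Oct 2012, while this entry is being added in r19770 on 22 Jan 2013. Refresh the trailer timestamp when the upload is finalised, so the changelog date does not predate the upstream fix being pulled in (the patch header dates it Oct 31 2012).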
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch Tue Jan 22 06:45:29 2013 (r19770)
@@ -0,0 +1,61 @@
+commit 8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664
+Author: Jesper Dangaard Brouer <brouer at redhat.com>
+Date: Wed Oct 31 02:45:32 2012 +0000
+
+ net: fix divide by zero in tcp algorithm illinois
+
+ Reading TCP stats when using TCP Illinois congestion control algorithm
+ can cause a divide by zero kernel oops.
+
+ The division by zero occur in tcp_illinois_info() at:
+ do_div(t, ca->cnt_rtt);
+ where ca->cnt_rtt can become zero (when rtt_reset is called)
+
+ Steps to Reproduce:
+ 1. Register tcp_illinois:
+ # sysctl -w net.ipv4.tcp_congestion_control=illinois
+ 2. Monitor internal TCP information via command "ss -i"
+ # watch -d ss -i
+ 3. Establish new TCP conn to machine
+
+ Either it fails at the initial conn, or else it needs to wait
+ for a loss or a reset.
+
+ This is only related to reading stats. The function avg_delay() also
+ performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its
+ calling point in update_params(). Thus, simply fix tcp_illinois_info().
+
+ Function tcp_illinois_info() / get_info() is called without
+ socket lock. Thus, eliminate any race condition on ca->cnt_rtt
+ by using a local stack variable. Simply reuse info.tcpv_rttcnt,
+ as its already set to ca->cnt_rtt.
+ Function avg_delay() is not affected by this race condition, as
+ its called with the socket lock.
+
+ Cc: Petr Matousek <pmatouse at redhat.com>
+ Signed-off-by: Jesper Dangaard Brouer <brouer at redhat.com>
+ Acked-by: Eric Dumazet <edumazet at google.com>
+ Acked-by: Stephen Hemminger <shemminger at vyatta.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
+index 813b43a..834857f 100644
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
+ .tcpv_rttcnt = ca->cnt_rtt,
+ .tcpv_minrtt = ca->base_rtt,
+ };
+- u64 t = ca->sum_rtt;
+
+- do_div(t, ca->cnt_rtt);
+- info.tcpv_rtt = t;
++ if (info.tcpv_rttcnt > 0) {
++ u64 t = ca->sum_rtt;
+
++ do_div(t, info.tcpv_rttcnt);
++ info.tcpv_rtt = t;
++ }
+ nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
+ }
+ }
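Review bot: In the tcp_illinois.c hunk, `u64 t = ca->sum_rtt;` is still read from the shared struct after `info.tcpv_rttcnt` was snapshotted in the initializer. The commit message states that get_info() runs without the socket lock, so the sum and the count can be taken on either side of an rtt_reset. The new `if (info.tcpv_rttcnt > 0)` guard removes the divide by zero, but the reported tcpv_rtt can be computed from a mismatched pair. That is acceptable for diagnostics output, but a one-line comment above the `if` saying the average is best-effort and lockless would keep a later reader from treating it as exact. It would also help to note there that tcpv_rtt is intentionally left at its initializer value when no RTT samples are present.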
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1 Tue Jan 22 06:41:41 2013 (r19769)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1 Tue Jan 22 06:45:29 2013 (r19770)
@@ -5,3 +5,4 @@
+ bugfix/all/kmod-make-__request_module-killable.patch
+ bugfix/all/inet-add-RCU-protection-to-inet-opt.patch
+ debian/inet-Avoid-ABI-change-from-fix-for-CVE-2012-3552.patch
++ bugfix/all/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch