[kernel] r19770 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Jan 22 06:45:30 UTC 2013


Author: dannf
Date: Tue Jan 22 06:45:29 2013
New Revision: 19770

Log:
net: fix divide by zero in tcp algorithm illinois (CVE-2012-4565)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Tue Jan 22 06:41:41 2013	(r19769)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Tue Jan 22 06:45:29 2013	(r19770)
@@ -2,6 +2,7 @@
 
   * kmod: make __request_module() killable (CVE-2012-4398)
   * inet: add RCU protection to inet->opt (CVE-2012-3552)
+  * net: fix divide by zero in tcp algorithm illinois (CVE-2012-4565)
 
  -- dann frazier <dannf at debian.org>  Mon, 22 Oct 2012 20:34:13 -0500
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch	Tue Jan 22 06:45:29 2013	(r19770)
@@ -0,0 +1,61 @@
+commit 8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664
+Author: Jesper Dangaard Brouer <brouer at redhat.com>
+Date:   Wed Oct 31 02:45:32 2012 +0000
+
+    net: fix divide by zero in tcp algorithm illinois
+    
+    Reading TCP stats when using TCP Illinois congestion control algorithm
+    can cause a divide by zero kernel oops.
+    
+    The division by zero occur in tcp_illinois_info() at:
+     do_div(t, ca->cnt_rtt);
+    where ca->cnt_rtt can become zero (when rtt_reset is called)
+    
+    Steps to Reproduce:
+     1. Register tcp_illinois:
+         # sysctl -w net.ipv4.tcp_congestion_control=illinois
+     2. Monitor internal TCP information via command "ss -i"
+         # watch -d ss -i
+     3. Establish new TCP conn to machine
+    
+    Either it fails at the initial conn, or else it needs to wait
+    for a loss or a reset.
+    
+    This is only related to reading stats.  The function avg_delay() also
+    performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its
+    calling point in update_params().  Thus, simply fix tcp_illinois_info().
+    
+    Function tcp_illinois_info() / get_info() is called without
+    socket lock.  Thus, eliminate any race condition on ca->cnt_rtt
+    by using a local stack variable.  Simply reuse info.tcpv_rttcnt,
+    as its already set to ca->cnt_rtt.
+    Function avg_delay() is not affected by this race condition, as
+    its called with the socket lock.
+    
+    Cc: Petr Matousek <pmatouse at redhat.com>
+    Signed-off-by: Jesper Dangaard Brouer <brouer at redhat.com>
+    Acked-by: Eric Dumazet <edumazet at google.com>
+    Acked-by: Stephen Hemminger <shemminger at vyatta.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
+index 813b43a..834857f 100644
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
+ 			.tcpv_rttcnt = ca->cnt_rtt,
+ 			.tcpv_minrtt = ca->base_rtt,
+ 		};
+-		u64 t = ca->sum_rtt;
+ 
+-		do_div(t, ca->cnt_rtt);
+-		info.tcpv_rtt = t;
++		if (info.tcpv_rttcnt > 0) {
++			u64 t = ca->sum_rtt;
+ 
++			do_div(t, info.tcpv_rttcnt);
++			info.tcpv_rtt = t;
++		}
+ 		nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
+ 	}
+ }
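Review bot: In the tcp_illinois_info() hunk, the guard and do_div() now use the snapshot in info.tcpv_rttcnt, but ca->sum_rtt is still read separately and without the socket lock, so the sum and the count can come from either side of an rtt_reset and the reported tcpv_rtt can be inconsistent (though it can no longer divide by zero). That is tolerable for diagnostic output, but the reason for dividing by info.tcpv_rttcnt rather than ca->cnt_rtt is recorded only in the commit message. A short comment above `if (info.tcpv_rttcnt > 0) {` stating that get_info() runs without the socket lock would keep a later cleanup from switching the divisor back to ca->cnt_rtt.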

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1	Tue Jan 22 06:41:41 2013	(r19769)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1	Tue Jan 22 06:45:29 2013	(r19770)
@@ -5,3 +5,4 @@
 + bugfix/all/kmod-make-__request_module-killable.patch
 + bugfix/all/inet-add-RCU-protection-to-inet-opt.patch
 + debian/inet-Avoid-ABI-change-from-fix-for-CVE-2012-3552.patch
++ bugfix/all/net-fix-divide-by-zero-in-tcp-algorithm-illinois.patch


