[kernel] r21617 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Tue Jul 22 23:15:53 UTC 2014
Author: benh
Date: Tue Jul 22 23:15:53 2014
New Revision: 21617
Log:
sctp: Fix sk_ack_backlog wrap-around problem (CVE-2014-4667)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/sctp-fix-sk_ack_backlog-wrap-around-problem.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Tue Jul 22 23:12:04 2014 (r21616)
+++ dists/wheezy-security/linux/debian/changelog Tue Jul 22 23:15:53 2014 (r21617)
@@ -1,6 +1,7 @@
linux (3.2.60-1+deb7u3) UNRELEASED; urgency=medium
* net/l2tp: don't fall back on UDP [get|set]sockopt (CVE-2014-4943)
+ * sctp: Fix sk_ack_backlog wrap-around problem (CVE-2014-4667)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 23 Jul 2014 00:10:57 +0100
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/sctp-fix-sk_ack_backlog-wrap-around-problem.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/sctp-fix-sk_ack_backlog-wrap-around-problem.patch Tue Jul 22 23:15:53 2014 (r21617)
@@ -0,0 +1,40 @@
+From: Xufeng Zhang <xufeng.zhang at windriver.com>
+Date: Thu, 12 Jun 2014 10:53:36 +0800
+Subject: sctp: Fix sk_ack_backlog wrap-around problem
+Origin: https://git.kernel.org/linus/d3217b15a19a4779c39b212358a5c71d725822ee
+
+Consider the scenario:
+For a TCP-style socket, while processing the COOKIE_ECHO chunk in
+sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
+a new association would be created in sctp_unpack_cookie(), but afterwards,
+some processing maybe failed, and sctp_association_free() will be called to
+free the previously allocated association, in sctp_association_free(),
+sk_ack_backlog value is decremented for this socket, since the initial
+value for sk_ack_backlog is 0, after the decrement, it will be 65535,
+a wrap-around problem happens, and if we want to establish new associations
+afterward in the same socket, ABORT would be triggered since sctp deem the
+accept queue as full.
+Fix this issue by only decrementing sk_ack_backlog for associations in
+the endpoint's list.
+
+Fix-suggested-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: Xufeng Zhang <xufeng.zhang at windriver.com>
+Acked-by: Daniel Borkmann <dborkman at redhat.com>
+Acked-by: Vlad Yasevich <vyasevich at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/sctp/associola.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -389,7 +389,7 @@ void sctp_association_free(struct sctp_a
+ /* Only real associations count against the endpoint, so
+ * don't bother for if this is a temporary association.
+ */
+- if (!asoc->temp) {
++ if (!list_empty(&asoc->asocs)) {
+ list_del(&asoc->asocs);
+
+ /* Decrement the backlog value for a TCP-style listening
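Review bot: The comment kept above the changed condition in sctp_association_free() ("Only real associations count against the endpoint, so don't bother for if this is a temporary association") no longer describes the test, which is now `!list_empty(&asoc->asocs)` rather than `!asoc->temp`. It should be reworded to say that the backlog is only decremented for associations that are on the endpoint's list, as the commit message puts it. The new test also depends on asoc->asocs being initialised as an empty list head for every association that is never added to the endpoint; that initialisation is outside the visible context, so it is worth confirming it holds in the 3.2 tree this backport targets.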
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Tue Jul 22 23:12:04 2014 (r21616)
+++ dists/wheezy-security/linux/debian/patches/series Tue Jul 22 23:15:53 2014 (r21617)
@@ -1141,3 +1141,4 @@
bugfix/all/revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch
bugfix/all/revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch
bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
+bugfix/all/sctp-fix-sk_ack_backlog-wrap-around-problem.patch