From 48d073c5657fefa791918548a17233438b199b00 Mon Sep 17 00:00:00 2001 From: dann frazier Date: Tue, 1 Dec 2009 05:39:18 +0000 Subject: [PATCH] mac80211: fix two remote exploits (CVE pending) svn path=/dists/trunk/linux-2.6/; revision=14707 --- debian/changelog | 3 + .../mac80211-fix-two-remote-exploits.patch | 60 +++++++++++++++++++ debian/patches/series/base | 1 + 3 files changed, 64 insertions(+) create mode 100644 debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch diff --git a/debian/changelog b/debian/changelog index 289633c54..356e1c03c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -27,6 +27,9 @@ linux-2.6 (2.6.32~rc8-1~experimental.2) UNRELEASED; urgency=low MMC/SD cards to be assumed non-removable, and filesystems on them will remain mounted over a suspend/resume cycle. (Closes: #504391) + [ dann frazier ] + * mac80211: fix two remote exploits (CVE pending) + -- Martin Michlmayr Sun, 22 Nov 2009 13:56:12 +0000 linux-2.6 (2.6.32~rc8-1~experimental.1) unstable; urgency=low diff --git a/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch b/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch new file mode 100644 index 000000000..1ae5c0305 --- /dev/null +++ b/debian/patches/bugfix/all/mac80211-fix-two-remote-exploits.patch 
@@ -0,0 +1,60 @@ +commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51 +Author: Johannes Berg +Date: Fri Nov 20 09:15:51 2009 +0100 + + mac80211: fix two remote exploits + + Lennert Buytenhek noticed a remotely triggerable problem + in mac80211, which is due to some code shuffling I did + that ended up changing the order in which things were + done -- this was in + + commit d75636ef9c1af224f1097941879d5a8db7cd04e5 + Author: Johannes Berg + Date: Tue Feb 10 21:25:53 2009 +0100 + + mac80211: RX aggregation: clean up stop session + + The problem is that the BUG_ON moved before the various + checks, and as such can be triggered. + + As the comment indicates, the BUG_ON can be removed since + the ampdu_action callback must already exist when the + state is OPERATIONAL. + + A similar code path leads to a WARN_ON in + ieee80211_stop_tx_ba_session, which can also be removed. + + Cc: stable@kernel.org [2.6.29+] + Cc: Lennert Buytenhek + Signed-off-by: Johannes Berg + Signed-off-by: John W. Linville + +diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c +index bc064d7..ce8e0e7 100644 +--- a/net/mac80211/agg-rx.c ++++ b/net/mac80211/agg-rx.c +@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r + struct ieee80211_local *local = sdata->local; + struct sta_info *sta; + +- /* stop HW Rx aggregation. ampdu_action existence +- * already verified in session init so we add the BUG_ON */ +- BUG_ON(!local->ops->ampdu_action); +- + rcu_read_lock(); + + sta = sta_info_get(local, ra); +diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c +index 206fd82..63224d1 100644 +--- a/net/mac80211/agg-tx.c ++++ b/net/mac80211/agg-tx.c +@@ -545,7 +545,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw, + struct sta_info *sta; + int ret = 0; + +- if (WARN_ON(!local->ops->ampdu_action)) ++ if (!local->ops->ampdu_action) + return -EINVAL; + + if (tid >= STA_TID_NUM) 
diff --git a/debian/patches/series/base b/debian/patches/series/base index 2c44b7b4e..7dd71d1ea 100644 --- a/debian/patches/series/base +++ b/debian/patches/series/base @@ -54,3 +54,4 @@ + bugfix/all/DocBook-media-copy-images-after-building-HTML.patch + bugfix/all/DocBook-media-create-links-for-included-sources.patch + features/all/mmc-parameter-set-whether-cards-are-assumed-removable.patch ++ bugfix/all/mac80211-fix-two-remote-exploits.patch
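Review bot: The debian/changelog entry added under "[ dann frazier ]" identifies the fix only as "(CVE pending)" and does not name the upstream commit, so nobody auditing the package later can tell from the changelog which fix was applied. Suggest citing upstream commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51 (the id carried in the new patch file's header) in the entry, and replacing the "CVE pending" placeholder with the assigned identifiers once they exist.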
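Review bot: In the net/mac80211/agg-rx.c hunk, deleting the BUG_ON at the top of ieee80211_sta_stop_rx_ba_session also deletes the only in-code comment recording that ampdu_action was "already verified in session init". After this change the lines shown carry no check and no note, and safety depends on the invariant given in the commit message (the callback must exist when the state is OPERATIONAL). Suggest keeping a short comment stating that invariant next to the state check that guarantees it, so a later reshuffle of this function does not dereference the callback before that check, which is the same kind of reordering the commit message blames for this bug.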
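Review bot: In the net/mac80211/agg-tx.c hunk, the replacement line `if (!local->ops->ampdu_action)` gives no hint why the WARN_ON was dropped, so a later cleanup could reasonably put it back. Suggest a one-line comment above the check saying this path can be reached by a remote peer, per the commit message, and so must fail quietly with -EINVAL. If a diagnostic is still wanted for drivers without the callback, a rate-limited debug message would keep the log from being flooded remotely.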