mac80211: fix two remote exploits (CVE pending)
svn path=/dists/trunk/linux-2.6/; revision=14707
This commit is contained in:
parent
3e4966ed53
commit
48d073c565
|
@ -27,6 +27,9 @@ linux-2.6 (2.6.32~rc8-1~experimental.2) UNRELEASED; urgency=low
|
||||||
MMC/SD cards to be assumed non-removable, and filesystems on them
|
MMC/SD cards to be assumed non-removable, and filesystems on them
|
||||||
will remain mounted over a suspend/resume cycle. (Closes: #504391)
|
will remain mounted over a suspend/resume cycle. (Closes: #504391)
|
||||||
|
|
||||||
|
[ dann frazier ]
|
||||||
|
* mac80211: fix two remote exploits (CVE pending)
|
||||||
|
|
||||||
-- Martin Michlmayr <tbm@cyrius.com> Sun, 22 Nov 2009 13:56:12 +0000
|
-- Martin Michlmayr <tbm@cyrius.com> Sun, 22 Nov 2009 13:56:12 +0000
|
||||||
|
|
||||||
linux-2.6 (2.6.32~rc8-1~experimental.1) unstable; urgency=low
|
linux-2.6 (2.6.32~rc8-1~experimental.1) unstable; urgency=low
|
||||||
|
|
|
@ -0,0 +1,60 @@
|
||||||
|
commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51
|
||||||
|
Author: Johannes Berg <johannes@sipsolutions.net>
|
||||||
|
Date: Fri Nov 20 09:15:51 2009 +0100
|
||||||
|
|
||||||
|
mac80211: fix two remote exploits
|
||||||
|
|
||||||
|
Lennert Buytenhek noticed a remotely triggerable problem
|
||||||
|
in mac80211, which is due to some code shuffling I did
|
||||||
|
that ended up changing the order in which things were
|
||||||
|
done -- this was in
|
||||||
|
|
||||||
|
commit d75636ef9c1af224f1097941879d5a8db7cd04e5
|
||||||
|
Author: Johannes Berg <johannes@sipsolutions.net>
|
||||||
|
Date: Tue Feb 10 21:25:53 2009 +0100
|
||||||
|
|
||||||
|
mac80211: RX aggregation: clean up stop session
|
||||||
|
|
||||||
|
The problem is that the BUG_ON moved before the various
|
||||||
|
checks, and as such can be triggered.
|
||||||
|
|
||||||
|
As the comment indicates, the BUG_ON can be removed since
|
||||||
|
the ampdu_action callback must already exist when the
|
||||||
|
state is OPERATIONAL.
|
||||||
|
|
||||||
|
A similar code path leads to a WARN_ON in
|
||||||
|
ieee80211_stop_tx_ba_session, which can also be removed.
|
||||||
|
|
||||||
|
Cc: stable@kernel.org [2.6.29+]
|
||||||
|
Cc: Lennert Buytenhek <buytenh@marvell.com>
|
||||||
|
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
|
||||||
|
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||||
|
|
||||||
|
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
|
||||||
|
index bc064d7..ce8e0e7 100644
|
||||||
|
--- a/net/mac80211/agg-rx.c
|
||||||
|
+++ b/net/mac80211/agg-rx.c
|
||||||
|
@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r
|
||||||
|
struct ieee80211_local *local = sdata->local;
|
||||||
|
struct sta_info *sta;
|
||||||
|
|
||||||
|
- /* stop HW Rx aggregation. ampdu_action existence
|
||||||
|
- * already verified in session init so we add the BUG_ON */
|
||||||
|
- BUG_ON(!local->ops->ampdu_action);
|
||||||
|
-
|
||||||
|
rcu_read_lock();
|
||||||
|
|
||||||
|
sta = sta_info_get(local, ra);
|
||||||
|
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
|
||||||
|
index 206fd82..63224d1 100644
|
||||||
|
--- a/net/mac80211/agg-tx.c
|
||||||
|
+++ b/net/mac80211/agg-tx.c
|
||||||
|
@@ -545,7 +545,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
|
||||||
|
struct sta_info *sta;
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
- if (WARN_ON(!local->ops->ampdu_action))
|
||||||
|
+ if (!local->ops->ampdu_action)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
if (tid >= STA_TID_NUM)
|
|
@ -54,3 +54,4 @@
|
||||||
+ bugfix/all/DocBook-media-copy-images-after-building-HTML.patch
|
+ bugfix/all/DocBook-media-copy-images-after-building-HTML.patch
|
||||||
+ bugfix/all/DocBook-media-create-links-for-included-sources.patch
|
+ bugfix/all/DocBook-media-create-links-for-included-sources.patch
|
||||||
+ features/all/mmc-parameter-set-whether-cards-are-assumed-removable.patch
|
+ features/all/mmc-parameter-set-whether-cards-are-assumed-removable.patch
|
||||||
|
+ bugfix/all/mac80211-fix-two-remote-exploits.patch
|
||||||
|
|
Loading…
Reference in New Issue