Author: mpagano |
Date: 2009-07-18 21:41:52 +0000 (Sat, 18 Jul 2009) |
New Revision: 1587 |
|
Added: |
genpatches-2.6/trunk/2.6.30/1505_fix-null-ptr-def-in-tun-chr-pool.patch |
Modified: |
genpatches-2.6/trunk/2.6.30/0000_README |
Log: |
Adding patch to fix NULL pointer dereference in tun_chr_poll (CVE-2009-1897) |
|
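--- a/genpatches-2.6/trunk/2.6.30/0000_README
+++ b/genpatches-2.6/trunk/2.6.30/0000_README
@@ -47,6 +47,10 @@
 From: https://bugs.gentoo.org/show_bug.cgi?id=277714
 Desc: fix PER_CLEAR_ON_SETID
 
+Patch: 1505_fix-null-ptr-def-in-tun-chr-pool.patch
+From: https://bugs.gentoo.org/show_bug.cgi?id=278122
+Desc: Fix NULL pointer dereference in tun_chr_pool
+
 Patch: 2500_ide-cd-handle-fragmented-patckets.patch
 From: http://bugs.gentoo.org/show_bug.cgi?id=274182
 Desc: ide-cd: handle fragmented packet commands gracefully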
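--- a/genpatches-2.6/trunk/2.6.30/1505_fix-null-ptr-def-in-tun-chr-pool.patch
+++ b/genpatches-2.6/trunk/2.6.30/1505_fix-null-ptr-def-in-tun-chr-pool.patch
@@ -0,0 +1,45 @@
+From: Mariusz Kozlowski <m.kozlowski@×××××××.pl>
+Date: Sun, 5 Jul 2009 19:48:35 +0000 (+0000)
+Subject: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
+X-Git-Tag: v2.6.31-rc3~40^2~15
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
+
+tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
+
+Fix NULL pointer dereference in tun_chr_pool() introduced by commit
+33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
+packets per device") and triggered by this code:
+
+ int fd;
+ struct pollfd pfd;
+ fd = open("/dev/net/tun", O_RDWR);
+ pfd.fd = fd;
+ pfd.events = POLLIN | POLLOUT;
+ poll(&pfd, 1, 0);
+
+Reported-by: Eugene Kapun <abacabadabacaba@×××××.com>
+Signed-off-by: Mariusz Kozlowski <m.kozlowski@×××××××.pl>
+Signed-off-by: David S. Miller <davem@×××××××××.net>
+---
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index b393536..027f7ab 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
+ {
+ struct tun_file *tfile = file->private_data;
+ struct tun_struct *tun = __tun_get(tfile);
+- struct sock *sk = tun->sk;
++ struct sock *sk;
+ unsigned int mask = 0;
+
+ if (!tun)
+ return POLLERR;
+
++ sk = tun->sk;
++
+ DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
+
+ poll_wait(file, &tun->socket.wait, wait);
+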
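Review bot: The name `tun_chr_pool` used in this patch's filename and in the README `Desc:` line does not match the function the inner hunk patches, `tun_chr_poll`, and the CVE id from the commit log is not recorded in the README entry, so anyone auditing the patch set by function name or CVE will miss it. The removed line `struct sock *sk = tun->sk;` read through `tun` before the `if (!tun)` test; a compiler may treat a NULL test that follows a dereference as redundant, so this is better tracked as a security fix than as a plain crash fix. I would write the entry as `Desc: Fix NULL pointer dereference in tun_chr_poll (CVE-2009-1897)`. The body of tun_chr_poll continues past the end of the inner hunk.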