rpms/kernel/F-11 ax25-fix-possible-oops-in-ax25_make_new.patch, NONE, 1.1 kernel.spec, 1.1764, 1.1765

Chuck Ebbert cebbert at fedoraproject.org
Thu Oct 15 12:17:22 UTC 2009


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15584

Modified Files:
	kernel.spec 
Added Files:
	ax25-fix-possible-oops-in-ax25_make_new.patch 
Log Message:
AX.25 security fix (CVE-2009-2909)

ax25-fix-possible-oops-in-ax25_make_new.patch:
 af_ax25.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE ax25-fix-possible-oops-in-ax25_make_new.patch ---
>From fc19457a1971fee7f7e2b7f2346a5f66cfa2867c Mon Sep 17 00:00:00 2001
From: Jarek Poplawski <jarkao2 at gmail.com>
Date: Sun, 27 Sep 2009 10:57:02 +0000
Subject: ax25: Fix possible oops in ax25_make_new

From: Jarek Poplawski <jarkao2 at gmail.com>

[ Upstream commit 8c185ab6185bf5e67766edb000ce428269364c86 ]

In ax25_make_new, if kmemdup of digipeat returns an error, there would
be an oops in sk_free while calling sk_destruct, because sk_protinfo
is NULL at the moment; move sk->sk_destruct initialization after this.

BTW of reported-by: Bernard Pidoux F6BVP <f6bvp at free.fr>

Signed-off-by: Jarek Poplawski <jarkao2 at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
 net/ax25/af_ax25.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -893,7 +893,6 @@ struct sock *ax25_make_new(struct sock *
 
 	sock_init_data(NULL, sk);
 
-	sk->sk_destruct = ax25_free_sock;
 	sk->sk_type     = osk->sk_type;
 	sk->sk_priority = osk->sk_priority;
 	sk->sk_protocol = osk->sk_protocol;
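Review bot: With `sk->sk_destruct = ax25_free_sock;` removed at this point, every exit between `sock_init_data(NULL, sk)` and the later assignment now reaches sk_free() with no AX.25 destructor installed. The failure branch itself is not in the visible context, so please confirm that it releases the `ax25` object explicitly; otherwise the oops described in the commit message is traded for a leak on the kmemdup failure path.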
@@ -931,6 +930,7 @@ struct sock *ax25_make_new(struct sock *
 	}
 
 	sk->sk_protinfo = ax25;
+	sk->sk_destruct = ax25_free_sock;
 	ax25->sk    = sk;
 
 	return sk;
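Review bot: The added `sk->sk_destruct = ax25_free_sock;` line is only correct because it sits after `sk->sk_protinfo = ax25;`, but nothing in the code says so. A one-line comment there stating that the destructor must be installed only once sk_protinfo is valid (the commit message gives the reason) would keep a later cleanup from moving it back next to sock_init_data().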


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1764
retrieving revision 1.1765
diff -u -p -r1.1764 -r1.1765
--- kernel.spec	15 Oct 2009 08:28:27 -0000	1.1764
+++ kernel.spec	15 Oct 2009 12:17:21 -0000	1.1765
@@ -800,6 +800,9 @@ Patch15760: x86-fix-csum_ipv6_magic-asm-
 # libata fix from 2.6.31.4 (#524756)
 Patch15800: libata-fix-incorrect-link-online-check-during-probe.patch
 
+# ax25 security fix (cve-2009-2909)
+Patch15900: ax25-fix-possible-oops-in-ax25_make_new.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
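Review bot: The added comment `# ax25 security fix (cve-2009-2909)` spells the CVE id in lower case, while the %changelog entry in this same diff uses `CVE-2009-2909`. Use the upper-case form here and in the matching ApplyPatch comment so a case-sensitive search for the id finds all three places. The neighbouring libata entry also records where its fix came from, and this one could cite the upstream commit named in the patch header the same way.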
@@ -1497,6 +1500,9 @@ ApplyPatch x86-fix-csum_ipv6_magic-asm-m
 # libata fix from 2.6.31.4 (#524756)
 ApplyPatch libata-fix-incorrect-link-online-check-during-probe.patch
 
+# ax25 security fix (cve-2009-2909)
+ApplyPatch ax25-fix-possible-oops-in-ax25_make_new.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2085,6 +2091,9 @@ fi
 # and build.
 
 %changelog
+* Thu Oct 15 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-86
+- AX.25 security fix (CVE-2009-2909)
+
 * Thu Oct 15 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.9-85
 - Disable CONFIG_USB_STORAGE_CYPRESS_ATACB because it causes failure
   to boot from USB disks using Cypress bridges (#524998)



