Bugzilla Bug 157186

[PATCH] remote memory corruptor in ibmtr.c

 ip_summed changes last summer had missed that one.  As the result,
 we have ip_summed interpreted as CHECKSUM_PARTIAL now.  IOW,
 ->csum is interpreted as offset of checksum in the packet.  net/core/*
 will both read and modify the value as that offset, with obvious
 reasons.  At the very least it's a remote memory corruptor.

 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Created an attachment (id=103651) [edit]
the upstream patch that went into git13

Alright, kernels:

cell-sources
ck-sources
gentoo-sources
hardened-sources
hppa-sources
mips-sources
openvz-sources
rsbac-sources
sparc-sources
suspend2-sources
systrace-sources
usermode-sources
vserver-sources
xen-sources

All of you, apply the patch! :P

(From update of attachment 103651 [edit])
--- a/drivers/net/tokenring/ibmtr.c
+++ b/drivers/net/tokenring/ibmtr.c
@@ -1826,7 +1826,7 @@ static void tr_rx(struct net_device *dev
                                        skb->protocol = tr_type_trans(skb,
dev);
                                        if (IPv4_p) {
                                          skb->csum = chksum;
                                          -skb->ip_summed = 1;
                                          +skb->ip_summed = CHECKSUM_COMPLETE;
                                        }
                                        netif_rx(skb);
                                        dev->last_rx = jiffies;

Created an attachment (id=103653) [edit]
The RIGHT patch (bugzie! :( )

Created an attachment (id=103655) [edit]
OK... this is really annoying.

The CC from hell.

ibmtr isn't supported in sparc since it sits in the ISA bus (no sparc box has
ISA slots).
Anyhow i've applied and also did sparc-sources-2.4.33.4 that includes others
fixes/new grsec now that it's available.

Security fix from 2.4.33.4: backport fix for CVE-2006-4997 to 2.4 tree

I'll leave it ~sparc for a couple of days for feedback.

Fixed in:
 Linux 2.6.19.2
 genpatches-2.6.19-3

Leaving myself on CC for now, as there will be another 2.6.18 release soon in
order to get this stuff into stable quicker -- would like to get a few more
pending security fixes included there before I release.

Fixed in xen-sources-2.6.16.28-r1, thanks.

This isn't a big issue for uml-sources, since you can't drive actual tokenring
hardware, and there isn't even any simulated token ring available. I'll wait
until the 2.6.18 bump comes out an catch that; leaving myself here so I don't
forget.

Also fixed in genpatches-2.6.18-7 and gentoo-sources-2.6.18-r5 (will go stable
tomorrow)

Fixed in suspend2-sources-2.8.18-r2.
Thanks.

After emerging the latest stable gentoo-sources (2.6.18-r5) I received the
following error while running make:

  CC [M]  drivers/net/pcmcia/ibmtr_cs.o
In file included from drivers/net/pcmcia/ibmtr_cs.c:70:
drivers/net/pcmcia/../tokenring/ibmtr.c: In function ‘tr_rx’:
drivers/net/pcmcia/../tokenring/ibmtr.c:1829: error:
‘CHECKSUM_COMPLETE’ undeclared (first use in this function)
drivers/net/pcmcia/../tokenring/ibmtr.c:1829: error: (Each undeclared
identifier is reported only once
drivers/net/pcmcia/../tokenring/ibmtr.c:1829: error: for each function it
appears in.)
make[3]: *** [drivers/net/pcmcia/ibmtr_cs.o] Error 1
make[2]: *** [drivers/net/pcmcia] Error 2
make[1]: *** [drivers/net] Error 2
make: *** [drivers] Error 2
make rc=2

I performed the following search which appears to confirm that
CHECKSUM_COMPLETE doesn't appear to be declared anywhere, but is used in
drivers/net/tokenring/ibmtr.c:

/usr/src/linux # find -iname "*.h" -o -iname "*.c" | xargs grep
CHECKSUM_COMPLETE
./drivers/net/tokenring/ibmtr.c:                skb->ip_summed =
CHECKSUM_COMPLETE;

Changing CHECKSUM_COMPLETE to CHECKSUM_HW (declared in include/linux/skbuff.h
as 1, equivalent to the value prior to the patch) allowed me to complete the
compile (was this a stupid thing to do?).

I can attach my emerge --info or /proc/config.gz if it'll help - but I'm
guessing this is just a simple case of mistaken naming?

Looks like this patch is not needed in 2.6.18, sorry about that. Will roll out
a new genpatches soon.

(In reply to comment #14)
> Looks like this patch is not needed in 2.6.18, sorry about that.

Actually I'd have to be sorry for introducing it to the 2.6.18 branch in the
first place.

Harlan: hardened-sources-2.6.19 is revbumped.

Ah, sorry - I'd completely missed that this was originally a patch against
2.6.19 instead of 2.6.18! So, not a case of mistaken naming, but a case of
introducing a patch (which uses CHECKSUM_COMPLETE) into an incompatible version
(which doesn't define CHECKSUM_COMPLETE).

I was confused as to why the patch had been signed off when it apparently
didn't even compile, but realizing it's a retrofit to a prior kernel version it
all makes sense now. Thanks :-)

hppa-sources-2.6.19.1 committed.
Afaics, the patch is included into .1.

Bad patch removed from genpatches-2.6.18-8 (gentoo-sources-2.6.18-r6). Sorry
for the screwup.

Added to suspend2-sources-2.6.18-r3.

(In reply to comment #15)
> (In reply to comment #14)
> > Looks like this patch is not needed in 2.6.18, sorry about that.
> 
> Actually I'd have to be sorry for introducing it to the 2.6.18 branch in the
> first place.
> 
> Harlan: hardened-sources-2.6.19 is revbumped.

Fixed with hardened-sources-2.6.19-r3 (for real this time). 2.6.18 also got a
bump wrt. broken patch in -7 (thanks to me ;P).

(In reply to comment #2)
> Alright, kernels:
>
> vserver-sources

Is now using 2.6.18-8.

(In reply to comment #2)
> Alright, kernels:
> 

> openvz-sources

Also revbumped.

usermode-sources too.

All done.