Bug 157186 - Kernel: remote memory corruptor in ibmtr.c (CVE-2006-6333)
Summary: Kernel: remote memory corruptor in ibmtr.c (CVE-2006-6333)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux <2.6.19.1]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-12-05 01:18 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2009-07-11 10:16 UTC
CC List: 7 users

See Also:
Package list:
Runtime testing required: ---


Attachments
the upstream patch that went into git13 (ibmtr.c.patch, 27.95 KB, patch), 2006-12-08 19:20 UTC, Harlan Lieberman-Berg (RETIRED)
The RIGHT patch (bugzie! :( ) (ibmtr.c.patch, 635 bytes, patch), 2006-12-08 19:40 UTC, Harlan Lieberman-Berg (RETIRED)
OK... this is really annoying. (ibmtr.patch, 1.04 KB, patch), 2006-12-08 19:43 UTC, Harlan Lieberman-Berg (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-05 01:18:20 UTC
[PATCH] remote memory corruptor in ibmtr.c
 
 ip_summed changes last summer had missed that one.  As the result,
 we have ip_summed interpreted as CHECKSUM_PARTIAL now.  IOW,
 ->csum is interpreted as offset of checksum in the packet.  net/core/*
 will both read and modify the value as that offset, with obvious
 reasons.  At the very least it's a remote memory corruptor.
 
 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 Signed-off-by: Linus Torvalds <torvalds@osdl.org>
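The description states the mechanism (a hard-coded ip_summed value that now reads as CHECKSUM_PARTIAL, so csum is treated as a write offset into the packet) but not its shape in code. The following is an added example, not code from this bug, the attached patch or the kernel: a stand-alone toy model of a driver receive path under the old and new ip_summed numbering, with the core's checksum finishing step modelled so that it refuses and reports an out-of-range write instead of performing it. The struct layout, the numeric constant values, the core routine and all function names are assumptions for illustration; only the old CHECKSUM_HW == 1 value (cited in comment 13) and the CHECKSUM_COMPLETE name come from this bug.

```c
/* Added example (not kernel code): a stand-alone model of why ibmtr.c's
 * hard-coded "skb->ip_summed = 1" became a memory corruptor once the
 * ip_summed values were renumbered, and why CHECKSUM_COMPLETE fixes it.
 * Struct, constants and the core routine are simplified assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Older numbering (comment 13 on this bug cites CHECKSUM_HW == 1 in 2.6.18):
 * 1 meant "hardware computed the full checksum; csum holds that sum". */
#define OLD_CHECKSUM_HW 1

/* Numbering after the ip_summed changes the description refers to
 * (assumed values): 1 now means PARTIAL, and csum holds an OFFSET. */
enum {
    CHECKSUM_NONE        = 0,
    CHECKSUM_PARTIAL     = 1,   /* csum = where the core must store the sum */
    CHECKSUM_UNNECESSARY = 2,
    CHECKSUM_COMPLETE    = 3    /* csum = full checksum supplied by hardware */
};

/* The collision that makes the literal dangerous: the old "HW" value is
 * bit-for-bit the new "PARTIAL" value. */
_Static_assert(OLD_CHECKSUM_HW == CHECKSUM_PARTIAL,
               "old CHECKSUM_HW value collides with new CHECKSUM_PARTIAL");

struct toy_skb {
    unsigned char data[64];
    size_t        len;
    int           ip_summed;
    uint32_t      csum;        /* meaning depends entirely on ip_summed */
};

/* Model of the net/core behaviour the description mentions: for
 * CHECKSUM_PARTIAL the core treats csum as an offset and writes the
 * computed checksum there.  The real core trusts the driver's offset;
 * this model refuses an out-of-range write and reports it instead.
 * Returns 0 (no write needed), 1 (in-bounds write performed),
 * -1 (write would land outside the packet). */
static int core_finish_checksum(struct toy_skb *skb, uint16_t computed)
{
    if (skb->ip_summed != CHECKSUM_PARTIAL)
        return 0;
    size_t off = skb->csum;
    if (off > skb->len || skb->len - off < sizeof computed)
        return -1;
    memcpy(skb->data + off, &computed, sizeof computed);
    return 1;
}

/* Driver receive path before the patch: the literal 1 was correct under
 * the old numbering and silently became CHECKSUM_PARTIAL. */
static void driver_rx_before(struct toy_skb *skb, uint32_t hw_checksum)
{
    skb->csum = hw_checksum;
    skb->ip_summed = 1;
}

/* Driver receive path after the patch: the named constant keeps the
 * meaning ("hardware supplied the full sum") regardless of numbering. */
static void driver_rx_after(struct toy_skb *skb, uint32_t hw_checksum)
{
    skb->csum = hw_checksum;
    skb->ip_summed = CHECKSUM_COMPLETE;
}

/* Runs one receive through the model.  hw_checksum stands in for the sum
 * the adapter computed over the received frame, which is why the driver
 * cannot bound it.  Returns core_finish_checksum's code. */
static int scenario(int patched, uint32_t hw_checksum)
{
    struct toy_skb skb;
    memset(&skb, 0, sizeof skb);
    skb.len = sizeof skb.data;
    if (patched)
        driver_rx_after(&skb, hw_checksum);
    else
        driver_rx_before(&skb, hw_checksum);
    return core_finish_checksum(&skb, 0x1234);
}

int main(void)
{
    /* Constructed sample values: one checksum far beyond the 64-byte
     * buffer, one that lands inside the payload. */
    printf("unpatched, csum=48879: %d (-1 = write outside packet)\n", scenario(0, 48879u));
    printf("unpatched, csum=10:    %d (1 = payload overwritten)\n",   scenario(0, 10u));
    printf("patched,   csum=48879: %d (0 = csum kept as a checksum)\n", scenario(1, 48879u));
    return 0;
}
```

The point of the model is the last line of each pair: with CHECKSUM_COMPLETE the core never interprets csum as an address, so the size of the received checksum stops mattering; with the literal 1 every frame turns its checksum into a write offset, which is why the commit message calls it a remote memory corruptor rather than a checksum bug.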
Comment 1 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-12-08 19:20:03 UTC
Created attachment 103651 [details, diff]
the upstream patch that went into git13
Comment 2 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-12-08 19:21:02 UTC
Alright, kernels:

cell-sources
ck-sources
gentoo-sources
hardened-sources
hppa-sources
mips-sources
openvz-sources
rsbac-sources
sparc-sources
suspend2-sources
systrace-sources
usermode-sources
vserver-sources
xen-sources

All of you, apply the patch! :P
Comment 3 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-12-08 19:38:39 UTC
Comment on attachment 103651 [details, diff]
the upstream patch that went into git13

--- a/drivers/net/tokenring/ibmtr.c
+++ b/drivers/net/tokenring/ibmtr.c
@@ -1826,7 +1826,7 @@ static void tr_rx(struct net_device *dev
                                        skb->protocol = tr_type_trans(skb, dev);
                                        if (IPv4_p) {
                                          skb->csum = chksum;
                                          -skb->ip_summed = 1;
                                          +skb->ip_summed = CHECKSUM_COMPLETE;
                                        }
                                        netif_rx(skb);
                                        dev->last_rx = jiffies;
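Review bot: the hunk swaps the literal 1 for CHECKSUM_COMPLETE but adds no definition of that name, so it is only correct for trees whose include/linux/skbuff.h already defines it; the 2.6.18 build failure reported in comment 13 of this bug ("CHECKSUM_COMPLETE undeclared") is this same hunk applied to a tree where the value 1 is still spelled CHECKSUM_HW. Before backporting, check that the target tree defines CHECKSUM_COMPLETE, and do not carry the patch to a tree where 1 still means CHECKSUM_HW, since there the original line is already correct.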
Comment 4 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-12-08 19:40:07 UTC
Created attachment 103653 [details, diff]
The RIGHT patch (bugzie! :( )
Comment 5 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-12-08 19:43:07 UTC
Created attachment 103655 [details, diff]
OK... this is really annoying.
Comment 6 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-12-08 19:47:34 UTC
The CC from hell.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-12-11 06:55:27 UTC
ibmtr isn't supported in sparc since it sits in the ISA bus (no sparc box has ISA slots).
Anyhow I've applied and also did sparc-sources-2.4.33.4 that includes other fixes/new grsec now that it's available.

Security fix from 2.4.33.4: backport fix for CVE-2006-4997 to 2.4 tree

I'll leave it ~sparc for a couple of days for feedback.
Comment 8 Daniel Drake (RETIRED) gentoo-dev 2006-12-12 20:09:25 UTC
Fixed in:
 Linux 2.6.19.2
 genpatches-2.6.19-3

Leaving myself on CC for now, as there will be another 2.6.18 release soon in order to get this stuff into stable quicker -- would like to get a few more pending security fixes included there before I release.
Comment 9 Andrew Ross (RETIRED) gentoo-dev 2006-12-15 19:55:39 UTC
Fixed in xen-sources-2.6.16.28-r1, thanks.
Comment 10 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-12-17 08:01:55 UTC
This isn't a big issue for uml-sources, since you can't drive actual tokenring hardware, and there isn't even any simulated token ring available. I'll wait until the 2.6.18 bump comes out and catch that; leaving myself here so I don't forget.
Comment 11 Daniel Drake (RETIRED) gentoo-dev 2006-12-21 19:22:46 UTC
Also fixed in genpatches-2.6.18-7 and gentoo-sources-2.6.18-r5 (will go stable tomorrow)
Comment 12 Alon Bar-Lev (RETIRED) gentoo-dev 2006-12-22 15:09:31 UTC
Fixed in suspend2-sources-2.8.18-r2.
Thanks.
Comment 13 Dave Hughes 2006-12-23 07:12:25 UTC
After emerging the latest stable gentoo-sources (2.6.18-r5) I received the following error while running make:

  CC [M]  drivers/net/pcmcia/ibmtr_cs.o
In file included from drivers/net/pcmcia/ibmtr_cs.c:70:
drivers/net/pcmcia/../tokenring/ibmtr.c: In function ‘tr_rx’:
drivers/net/pcmcia/../tokenring/ibmtr.c:1829: error: ‘CHECKSUM_COMPLETE’ undeclared (first use in this function)
drivers/net/pcmcia/../tokenring/ibmtr.c:1829: error: (Each undeclared identifier is reported only once
drivers/net/pcmcia/../tokenring/ibmtr.c:1829: error: for each function it appears in.)
make[3]: *** [drivers/net/pcmcia/ibmtr_cs.o] Error 1
make[2]: *** [drivers/net/pcmcia] Error 2
make[1]: *** [drivers/net] Error 2
make: *** [drivers] Error 2
make rc=2

I performed the following search which appears to confirm that CHECKSUM_COMPLETE doesn't appear to be declared anywhere, but is used in drivers/net/tokenring/ibmtr.c:

/usr/src/linux # find -iname "*.h" -o -iname "*.c" | xargs grep CHECKSUM_COMPLETE
./drivers/net/tokenring/ibmtr.c:                skb->ip_summed = CHECKSUM_COMPLETE;

Changing CHECKSUM_COMPLETE to CHECKSUM_HW (declared in include/linux/skbuff.h as 1, equivalent to the value prior to the patch) allowed me to complete the compile (was this a stupid thing to do?).

I can attach my emerge --info or /proc/config.gz if it'll help - but I'm guessing this is just a simple case of mistaken naming?
Comment 14 Daniel Drake (RETIRED) gentoo-dev 2006-12-23 07:49:56 UTC
Looks like this patch is not needed in 2.6.18, sorry about that. Will roll out a new genpatches soon.
Comment 15 Christian Heim (RETIRED) gentoo-dev 2006-12-23 11:12:15 UTC
(In reply to comment #14)
> Looks like this patch is not needed in 2.6.18, sorry about that.

Actually I'd have to be sorry for introducing it to the 2.6.18 branch in the first place.

Harlan: hardened-sources-2.6.19 is revbumped.
Comment 16 Dave Hughes 2006-12-23 18:26:10 UTC
Ah, sorry - I'd completely missed that this was originally a patch against 2.6.19 instead of 2.6.18! So, not a case of mistaken naming, but a case of introducing a patch (which uses CHECKSUM_COMPLETE) into an incompatible version (which doesn't define CHECKSUM_COMPLETE).

I was confused as to why the patch had been signed off when it apparently didn't even compile, but realizing it's a retrofit to a prior kernel version it all makes sense now. Thanks :-)
Comment 17 Guy Martin (RETIRED) gentoo-dev 2006-12-24 06:23:47 UTC
hppa-sources-2.6.19.1 committed.
Afaics, the patch is included into .1.
Comment 18 Daniel Drake (RETIRED) gentoo-dev 2006-12-26 19:33:17 UTC
Bad patch removed from genpatches-2.6.18-8 (gentoo-sources-2.6.18-r6). Sorry for the screwup.
Comment 19 Alon Bar-Lev (RETIRED) gentoo-dev 2006-12-27 08:54:00 UTC
Added to suspend2-sources-2.6.18-r3.
Comment 20 Christian Heim (RETIRED) gentoo-dev 2006-12-27 11:27:02 UTC
(In reply to comment #15)
> (In reply to comment #14)
> > Looks like this patch is not needed in 2.6.18, sorry about that.
> 
> Actually I'd have to be sorry for introducing it to the 2.6.18 branch in the
> first place.
> 
> Harlan: hardened-sources-2.6.19 is revbumped.

Fixed with hardened-sources-2.6.19-r3 (for real this time). 2.6.18 also got a bump wrt. broken patch in -7 (thanks to me ;P).

Comment 21 Christian Heim (RETIRED) gentoo-dev 2006-12-27 11:28:10 UTC
(In reply to comment #2)
> Alright, kernels:
>
> vserver-sources

Is now using 2.6.18-8.
Comment 22 Christian Heim (RETIRED) gentoo-dev 2006-12-27 11:44:14 UTC
(In reply to comment #2)
> Alright, kernels:
> 

> openvz-sources

Also revbumped.
Comment 23 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-01-02 20:44:33 UTC
usermode-sources too.
Comment 24 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-05-21 23:37:18 UTC
All done.