From 01c05a5ef5ba59b832e8ffb50bd8ef3f83b03017 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 23 Aug 2013 15:47:02 -0400 Subject: [PATCH] Linux v3.11-rc6-139-g89b53e5 --- ...sses-check-from-ipv6_create_tempaddr.patch | 60 ------------------- ...ng-ieee80211_chswitch_done-with-NULL.patch | 58 ------------------ kernel.spec | 17 ++---- sources | 2 +- 4 files changed, 5 insertions(+), 132 deletions(-) delete mode 100644 ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch delete mode 100644 iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch diff --git a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch deleted file mode 100644 index 3c0153be9..000000000 --- a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Fri, 16 Aug 2013 11:02:27 +0000 -Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr - -Because of the max_addresses check attackers were able to disable privacy -extensions on an interface by creating enough autoconfigured addresses: - - - -But the check is not actually needed: max_addresses protects the -kernel to install too many ipv6 addresses on an interface and guards -addrconf_prefix_rcv to install further addresses as soon as this limit -is reached. We only generate temporary addresses in direct response of -a new address showing up. As soon as we filled up the maximum number of -addresses of an interface, we stop installing more addresses and thus -also stop generating more temp addresses. - -Even if the attacker tries to generate a lot of temporary addresses -by announcing a prefix and removing it again (lifetime == 0) we won't -install more temp addresses, because the temporary addresses do count -to the maximum number of addresses, thus we would stop installing new -autoconfigured addresses when the limit is reached. - -This patch fixes CVE-2013-0343 (but other layer-2 attacks are still -possible). - -Thanks to Ding Tianhong to bring this topic up again. - -Cc: Ding Tianhong -Cc: George Kargiotakis -Cc: P J P -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Acked-by: Ding Tianhong -Signed-off-by: David S. Miller ---- -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index da4241c..498ea99 100644 ---- a/net/ipv6/addrconf.c -+++ b/net/ipv6/addrconf.c -@@ -1126,12 +1126,10 @@ retry: - if (ifp->flags & IFA_F_OPTIMISTIC) - addr_flags |= IFA_F_OPTIMISTIC; - -- ift = !max_addresses || -- ipv6_count_addresses(idev) < max_addresses ? -- ipv6_add_addr(idev, &addr, NULL, tmp_plen, -- ipv6_addr_scope(&addr), addr_flags, -- tmp_valid_lft, tmp_prefered_lft) : NULL; -- if (IS_ERR_OR_NULL(ift)) { -+ ift = ipv6_add_addr(idev, &addr, NULL, tmp_plen, -+ ipv6_addr_scope(&addr), addr_flags, -+ tmp_valid_lft, tmp_prefered_lft); -+ if (IS_ERR(ift)) { - in6_ifa_put(ifp); - in6_dev_put(idev); - pr_info("%s: retry temporary address regeneration\n", __func__); --- -cgit v0.9.2 diff --git a/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch b/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch deleted file mode 100644 index 84d6aa06d..000000000 --- a/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch +++ /dev/null @@ -1,58 +0,0 @@ -If channel switch is pending and we remove interface we can -crash like showed below due to passing NULL vif to mac80211: - -BUG: unable to handle kernel paging request at fffffffffffff8cc -IP: [] strnlen+0xd/0x40 -Call Trace: - [] string.isra.3+0x3e/0xd0 - [] vsnprintf+0x219/0x640 - [] vscnprintf+0x11/0x30 - [] vprintk_emit+0x115/0x4f0 - [] printk+0x61/0x63 - [] ieee80211_chswitch_done+0xaf/0xd0 [mac80211] - [] iwl_chswitch_done+0x34/0x40 [iwldvm] - [] iwlagn_commit_rxon+0x2a3/0xdc0 [iwldvm] - [] ? iwlagn_set_rxon_chain+0x180/0x2c0 [iwldvm] - [] iwl_set_mode+0x36/0x40 [iwldvm] - [] iwlagn_mac_remove_interface+0x8d/0x1b0 [iwldvm] - [] ieee80211_do_stop+0x29d/0x7f0 [mac80211] - -This is because we nulify ctx->vif in iwlagn_mac_remove_interface() -before calling some other functions that teardown interface. To fix -just check ctx->vif on iwl_chswitch_done(). We should not call -ieee80211_chswitch_done() as channel switch works were already canceled -by mac80211 in ieee80211_do_stop() -> ieee80211_mgd_stop(). - -Resolve: -https://bugzilla.redhat.com/show_bug.cgi?id=979581 - -Cc: stable@vger.kernel.org -Reported-by: Lukasz Jagiello -Signed-off-by: Stanislaw Gruszka ---- - drivers/net/wireless/iwlwifi/dvm/mac80211.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c -index 323e4a3..9a817df 100644 ---- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c -+++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c -@@ -1046,7 +1046,10 @@ void iwl_chswitch_done(struct iwl_priv *priv, bool is_success) - if (test_bit(STATUS_EXIT_PENDING, &priv->status)) - return; - -- if (test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status)) -+ if (!test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status)) -+ return; -+ -+ if (ctx->vif) - ieee80211_chswitch_done(ctx->vif, is_success); - } - --- -1.7.11.7 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index 2be3f69ba..7e0ed1c7f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 6 # The git snapshot level -%define gitrev 3 +%define gitrev 4 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -740,15 +740,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch Patch25056: iwl3945-better-skb-management-in-rx-path.patch Patch25057: iwl4965-better-skb-management-in-rx-path.patch -#rhbz 979581 -Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch - #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-0343 rhbz 914664 999380 -Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch - #rhbz 989269 Patch25079: mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch @@ -1445,15 +1439,9 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch ApplyPatch iwl3945-better-skb-management-in-rx-path.patch ApplyPatch iwl4965-better-skb-management-in-rx-path.patch -#rhbz 979581 -ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch - #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-0343 rhbz 914664 999380 -ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch - #rhbz 989269 ApplyPatch mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch @@ -2251,6 +2239,9 @@ fi # ||----w | # || || %changelog +* Fri Aug 23 2013 Josh Boyer - 3.11.0-0.rc6.git4.1 +- Linux v3.11-rc6-139-g89b53e5 + * Fri Aug 23 2013 Josh Boyer - 3.11.0-0.rc6.git3.1 - Linux v3.11-rc6-76-g6a7492a diff --git a/sources b/sources index ba3bfe826..63172be34 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz 7b8db47226ac7df01065212048233157 patch-3.11-rc6.xz -c3a0c08f093dd96e708db255f753242e patch-3.11-rc6-git3.xz +b58364711465b8307fd412c9b3dd054c patch-3.11-rc6-git4.xz