Linux v3.11-rc6-139-g89b53e5

2013-08-23 15:47:02 -04:00 · 2013-08-23 15:47:02 -04:00 · 01c05a5ef5
commit 01c05a5ef5
parent 1d43b94ee2
4 changed files with 5 additions and 132 deletions
--- a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
+++ b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
@ -1,60 +0,0 @@
 From 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 Mon Sep 17 00:00:00 2001
 From: Hannes Frederic Sowa <hannes@stressinduktion.org>
 Date: Fri, 16 Aug 2013 11:02:27 +0000
 Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
 Because of the max_addresses check attackers were able to disable privacy
 extensions on an interface by creating enough autoconfigured addresses:
 <http://seclists.org/oss-sec/2012/q4/292>
 But the check is not actually needed: max_addresses protects the
 kernel to install too many ipv6 addresses on an interface and guards
 addrconf_prefix_rcv to install further addresses as soon as this limit
 is reached. We only generate temporary addresses in direct response of
 a new address showing up. As soon as we filled up the maximum number of
 addresses of an interface, we stop installing more addresses and thus
 also stop generating more temp addresses.
 Even if the attacker tries to generate a lot of temporary addresses
 by announcing a prefix and removing it again (lifetime == 0) we won't
 install more temp addresses, because the temporary addresses do count
 to the maximum number of addresses, thus we would stop installing new
 autoconfigured addresses when the limit is reached.
 This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
 possible).
 Thanks to Ding Tianhong to bring this topic up again.
 Cc: Ding Tianhong <dingtianhong@huawei.com>
 Cc: George Kargiotakis <kargig@void.gr>
 Cc: P J P <ppandit@redhat.com>
 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
 Acked-by: Ding Tianhong <dingtianhong@huawei.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 ---
 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
 index da4241c..498ea99 100644
 --- a/net/ipv6/addrconf.c
 +++ b/net/ipv6/addrconf.c
@@ -1126,12 +1126,10 @@ retry:
 	if (ifp->flags & IFA_F_OPTIMISTIC)
 		addr_flags |= IFA_F_OPTIMISTIC;
 -	ift = !max_addresses ||
 -	      ipv6_count_addresses(idev) < max_addresses ?
 -		ipv6_add_addr(idev, &addr, NULL, tmp_plen,
 -			      ipv6_addr_scope(&addr), addr_flags,
 -			      tmp_valid_lft, tmp_prefered_lft) : NULL;
 -	if (IS_ERR_OR_NULL(ift)) {
 +	ift = ipv6_add_addr(idev, &addr, NULL, tmp_plen,
 +			    ipv6_addr_scope(&addr), addr_flags,
 +			    tmp_valid_lft, tmp_prefered_lft);
 +	if (IS_ERR(ift)) {
 		in6_ifa_put(ifp);
 		in6_dev_put(idev);
 		pr_info("%s: retry temporary address regeneration\n", __func__);
 --
 cgit v0.9.2
--- a/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
+++ b/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
@ -1,58 +0,0 @@
 If channel switch is pending and we remove interface we can
 crash like showed below due to passing NULL vif to mac80211:
 BUG: unable to handle kernel paging request at fffffffffffff8cc
 IP: [<ffffffff8130924d>] strnlen+0xd/0x40
 Call Trace:
 [<ffffffff8130ad2e>] string.isra.3+0x3e/0xd0
 [<ffffffff8130bf99>] vsnprintf+0x219/0x640
 [<ffffffff8130c481>] vscnprintf+0x11/0x30
 [<ffffffff81061585>] vprintk_emit+0x115/0x4f0
 [<ffffffff81657bd5>] printk+0x61/0x63
 [<ffffffffa048987f>] ieee80211_chswitch_done+0xaf/0xd0 [mac80211]
 [<ffffffffa04e7b34>] iwl_chswitch_done+0x34/0x40 [iwldvm]
 [<ffffffffa04f83c3>] iwlagn_commit_rxon+0x2a3/0xdc0 [iwldvm]
 [<ffffffffa04ebc50>] ? iwlagn_set_rxon_chain+0x180/0x2c0 [iwldvm]
 [<ffffffffa04e5e76>] iwl_set_mode+0x36/0x40 [iwldvm]
 [<ffffffffa04e5f0d>] iwlagn_mac_remove_interface+0x8d/0x1b0 [iwldvm]
 [<ffffffffa0459b3d>] ieee80211_do_stop+0x29d/0x7f0 [mac80211]
 This is because we nulify ctx->vif in iwlagn_mac_remove_interface()
 before calling some other functions that teardown interface. To fix
 just check ctx->vif on iwl_chswitch_done(). We should not call
 ieee80211_chswitch_done() as channel switch works were already canceled
 by mac80211 in ieee80211_do_stop() -> ieee80211_mgd_stop().
 Resolve:
 https://bugzilla.redhat.com/show_bug.cgi?id=979581
 Cc: stable@vger.kernel.org
 Reported-by: Lukasz Jagiello <jagiello.lukasz@gmail.com>
 Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
 ---
 drivers/net/wireless/iwlwifi/dvm/mac80211.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
 index 323e4a3..9a817df 100644
 --- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
 +++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
@@ -1046,7 +1046,10 @@ void iwl_chswitch_done(struct iwl_priv *priv, bool is_success)
 	if (test_bit(STATUS_EXIT_PENDING, &priv->status))
 		return;
 -	if (test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
 +	if (!test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
 +		return;
 +
 +	if (ctx->vif)
 		ieee80211_chswitch_done(ctx->vif, is_success);
 }
 -- 
 1.7.11.7
 --
 To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
 the body of a message to majordomo@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
--- a/kernel.spec
+++ b/kernel.spec
@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 6
 # The git snapshot level
-%define gitrev 3
+%define gitrev 4
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@ -740,15 +740,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
 Patch25056: iwl3945-better-skb-management-in-rx-path.patch
 Patch25057: iwl4965-better-skb-management-in-rx-path.patch
 #rhbz 979581
 Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
 #rhbz 963715
 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
 #CVE-2013-0343 rhbz 914664 999380
 Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
 #rhbz 989269
 Patch25079: mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
@ -1445,15 +1439,9 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
 ApplyPatch iwl3945-better-skb-management-in-rx-path.patch
 ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
 #rhbz 979581
 ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
 #rhbz 963715
 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
 #CVE-2013-0343 rhbz 914664 999380
 ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
 #rhbz 989269
 ApplyPatch mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
@ -2251,6 +2239,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
 * Fri Aug 23 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git4.1
 - Linux v3.11-rc6-139-g89b53e5
 * Fri Aug 23 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git3.1
 - Linux v3.11-rc6-76-g6a7492a
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 4f25cd5bec5f8d5a7d935b3f2ccb8481  linux-3.10.tar.xz
 7b8db47226ac7df01065212048233157  patch-3.11-rc6.xz
-c3a0c08f093dd96e708db255f753242e  patch-3.11-rc6-git3.xz
+b58364711465b8307fd412c9b3dd054c  patch-3.11-rc6-git4.xz