Re: CVE request: kernel: mac80211: fix two remote exploits

[Eugene Teo <eugene () redhat com>]

On 12/02/2009 09:40 PM, Josh Bressers wrote:
> ----- "Eugene Teo"<eugeneteo () kernel sg>  wrote:
>
> > http://git.kernel.org/linus/4253119acf412fd686ef4bd8749b5a4d70ea3a51
> >
> > "Lennert Buytenhek noticed a remotely triggerable problem in mac80211,
> >
> > which is due to some code shuffling I did that ended up changing the
> > order in which things were done -- this was in
> >
> >     commit d75636ef9c1af224f1097941879d5a8db7cd04e5
> >     Author: Johannes Berg<johannes () sipsolutions net>
> >     Date:   Tue Feb 10 21:25:53 2009 +0100
> >
> >       mac80211: RX aggregation: clean up stop session
> >
> > The problem is that the BUG_ON moved before the various checks, and as
> >
> > such can be triggered.
> >
> > As the comment indicates, the BUG_ON can be removed since the
> > ampdu_action callback must already exist when the state is
> > OPERATIONAL.
> >
> > A similar code path leads to a WARN_ON in
> > ieee80211_stop_tx_ba_session,
> > which can also be removed."
> >
> > Btw, FYI, there's another issue that was also introduced by the same
> > code shuffling patch (commit d75636ef) but was fixed in another patch
> >
> > (commit 827d42c9). It was assigned with CVE-2009-4026.
>
> Hi Eugene,
>
> I can't parse this. Can you help me understand.
>
> What are the two issues the subject speaks of? Is the "similar code path"
> paragraph of importance?

Actually, you can ignore this request. So what happened was that, there 
were actually two patches for this, but Johannes combined them together 
when he shared the fix with us. So, this is part of the fixes for 
CVE-2009-4026: upstream commits (1) 4253119a and (2) 827d42c9.

Hope this clears up the confusion!

Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team