oss-sec mailing list archives

Re: CVE request: kernel: mac80211: fix two remote exploits


From: Eugene Teo <eugene () redhat com>
Date: Thu, 03 Dec 2009 09:06:02 +0800

On 12/02/2009 11:41 PM, Steven M. Christey wrote:

On Wed, 2 Dec 2009, Eugene Teo wrote:

Actually, you can ignore this request. So what happened was that there
were actually two patches for this, but Johannes combined them together
when he shared the fix with us. So, this is part of the fixes for
CVE-2009-4026: upstream commits (1) 4253119a and (2) 827d42c9.

The Red Hat bug report lists both CVE-2009-4026 and CVE-2009-4027 but
doesn't actually link these two CVEs to any specific fix/issue:

   https://bugzilla.redhat.com/show_bug.cgi?id=541149

We associated CVE-2009-4026 with commit
827d42c9ac91ddd728e4f4a31fefb906ef2ceff7, and we associated CVE-2009-4027
with commit d92684e66091c0f0101819619b315b4bb8b5bcc5.

Here is the logic chain that we had to follow in order to perform this
association.

   The History section of 541149 indicates that this "mac80211: fix
   spurious delBA handling" bug was assigned both CVE-2009-4026 and
   CVE-2009-4027 on 20091125. All activity in this bug is by Eugene Teo.
   The fix for the bug is in commit
   827d42c9ac91ddd728e4f4a31fefb906ef2ceff7. As mentioned in
   oss-security/2009/12/01/2, the portion of this bug that was introduced
   by the d75636ef9c1af224f1097941879d5a8db7cd04e5 commit in 2009 is
   CVE-2009-4026. Therefore, the portion of the bug that was introduced by
   the d92684e66091c0f0101819619b315b4bb8b5bcc5 commit in 2008 is
   CVE-2009-4027. The 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7 commit
   message says "The first problem is that I moved a BUG_ON before various
   checks -- thereby making it possible to hit. As the comment indicates,
   the BUG_ON can be removed since the ampdu_action callback must already
   exist when the state is != IDLE." However, apparently no part of the
   diff affects any BUG_ON line in the code. Later, on 20091201, Eugene Teo
   sent a "CVE request: kernel: mac80211: fix two remote exploits"
   oss-security message. The fix for this additional vulnerability is in
   commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51. The entirety of the fix
   is removal of calls to BUG_ON and WARN_ON.

Hi Steve,

The two CVE names were assigned when this issue was reported in vendor-sec (I forwarded you the email; I should have cc'ed you but I missed it, sorry). When it was reported, the reporter combined two patches into one, but upstream committed them as two separate patches: upstream commits 4253119a and 827d42c9.

There are two issues in commit 827d42c9. The first issue (problem) was assigned CVE-2009-4026, and the second issue (problem) was assigned CVE-2009-4027. Commit 4253119a should be associated with CVE-2009-4026 because the fix is also for an issue that was introduced by d75636ef (which is related to the first issue).

Commits 4253119a and 827d42c9 (first problem) = CVE-2009-4026
Commit 827d42c9 (second problem) = CVE-2009-4027

Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team