Date: Wed, 2 Dec 2009 08:40:21 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: mac80211: fix two remote exploits


----- "Eugene Teo" <eugeneteo@...nel.sg> wrote:

> http://git.kernel.org/linus/4253119acf412fd686ef4bd8749b5a4d70ea3a51
> 
> "Lennert Buytenhek noticed a remotely triggerable problem in mac80211,
> which is due to some code shuffling I did that ended up changing the
> order in which things were done -- this was in
> 
>    commit d75636ef9c1af224f1097941879d5a8db7cd04e5
>    Author: Johannes Berg <johannes@...solutions.net>
>    Date:   Tue Feb 10 21:25:53 2009 +0100
> 
>      mac80211: RX aggregation: clean up stop session
> 
> The problem is that the BUG_ON moved before the various checks, and as
> such can be triggered.
> 
> As the comment indicates, the BUG_ON can be removed since the 
> ampdu_action callback must already exist when the state is
> OPERATIONAL.
> 
> A similar code path leads to a WARN_ON in ieee80211_stop_tx_ba_session,
> which can also be removed."
> 
> Btw, FYI, there's another issue that was also introduced by the same
> code shuffling patch (commit d75636ef) but was fixed in another patch
> (commit 827d42c9). It was assigned CVE-2009-4026.
> 

Hi Eugene,

I can't parse this. Can you help me understand?

What are the two issues the subject speaks of? Is the "similar code path"
paragraph of importance?

Thanks.

-- 
    JB
