Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 2 Dec 2009 08:40:21 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: mac80211: fix two remote
 exploits


----- "Eugene Teo" <eugeneteo@...nel.sg> wrote:

> http://git.kernel.org/linus/4253119acf412fd686ef4bd8749b5a4d70ea3a51
> 
> "Lennert Buytenhek noticed a remotely triggerable problem in mac80211,
> 
> which is due to some code shuffling I did that ended up changing the 
> order in which things were done -- this was in
> 
>    commit d75636ef9c1af224f1097941879d5a8db7cd04e5
>    Author: Johannes Berg <johannes@...solutions.net>
>    Date:   Tue Feb 10 21:25:53 2009 +0100
> 
>      mac80211: RX aggregation: clean up stop session
> 
> The problem is that the BUG_ON moved before the various checks, and as
> 
> such can be triggered.
> 
> As the comment indicates, the BUG_ON can be removed since the 
> ampdu_action callback must already exist when the state is
> OPERATIONAL.
> 
> A similar code path leads to a WARN_ON in
> ieee80211_stop_tx_ba_session, 
> which can also be removed."
> 
> Btw, FYI, there's another issue that was also introduced by the same 
> code shuffling patch (commit d75636ef) but was fixed in another patch
> 
> (commit 827d42c9). It was assigned with CVE-2009-4026.
> 

Hi Eugene,

I can't parse this. Can you help me understand.

What are the two issues the subject speaks of? Is the "similar code path"
paragraph of importance?

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.