Bug#309308: marked as done (kernel-image-2.6.8-2-686-smp: null pointer oops on udp packets)
Your message dated Wed, 14 Dec 2005 19:47:25 -0800
with message-id <E1Emk5V-0006BL-HB@spohr.debian.org>
and subject line Bug#309308: fixed in kernel-source-2.6.8 2.6.8-16sarge1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 16 May 2005 09:27:14 +0000
>From peter.sandstrom@jajja.com Mon May 16 02:27:14 2005
Return-path: <peter.sandstrom@jajja.com>
Received: from master.debian.org [146.82.138.7]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DXbsX-0003BB-00; Mon, 16 May 2005 02:27:13 -0700
Received: from ([127.0.0.1]) [217.212.246.126]
by master.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DXbsW-0003eV-00; Mon, 16 May 2005 04:27:12 -0500
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Peter Sandstrom <peter.sandstrom@jajja.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kernel-image-2.6.8-2-686-smp: null pointer oops on udp packets
X-Mailer: reportbug 3.8
Date: Mon, 16 May 2005 11:26:56 +0200
X-Debbugs-Cc: peter.sandstrom@jajja.com
Message-Id: <E1DXbsW-0003eV-00@master.debian.org>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-9.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
OUR_MTA_MSGID,X_DEBBUGS_CC autolearn=ham
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: kernel-image-2.6.8-2-686-smp
Version: 2.6.8-13
Severity: critical
Tags: security
Justification: breaks the whole system
kernel oops while trying to do a snmpwalk from a remote host. the entire
udp stack becomes unresponsive and reboot fails when trying to bring
down network interfaces. unsure if this is exploitable for a DoS attack,
will investigate further when i have time if this not a know issue.
0000:01:01.0 Ethernet controller: Intel Corp. 82547GI Gigabit Ethernet
Controller
0000:03:02.0 Ethernet controller: Intel Corp. 82541GI/PI Gigabit
Ethernet Controller
vlan tagging is in use on the interface that recieves the udp packet
that causes the oops.
Unable to handle kernel NULL pointer dereference at virtual address
00000000
printing eip:
f89f64f2
*pde = 00000000
Oops: 0000 [#1]
PREEMPT SMP
Modules linked in: deflate zlib_deflate twofish serpent aes_i586
blowfish des sha256 sha1 crypto_null af_key tun ipv6 8021q dm_mod
capability commoncap e1000 genrtc ext3 jbd mbcache sd_mod ata_piix
libata scsi_mod unix font vesafb cfbcopyarea cfbimgblt cfbfillrect
CPU: 1
EIP: 0060:[<f89f64f2>] Not tainted
EFLAGS: 00010a86 (2.6.8-2-686-smp)
EIP is at e1000_shift_out_mdi_bits+0x22/0xa0 [e1000]
eax: ffffffff ebx: 80000000 ecx: 0000001f edx: 00000000
esi: f77f3c10 edi: f74bbe6c ebp: ffffffff esp: f74bbe64
ds: 007b es: 007b ss: 0068
Process snmpd (pid: 793, threadinfo=f74ba000 task=f505b410)
Stack: c038b124 c01163e7 00000000 00001820 f77f3c10 f74bbee2 f74bbf30
f89f674b
f77f3c10 ffffffff 00000020 f74bbecc f77f3a20 f74bbedc f89f3b3b
f77f3c10
00000000 f74bbee2 f74bbecc f89f3950 f74bbedc f8880ab1 f77f3800
f74bbecc
Call Trace:
[<c01163e7>] smp_apic_timer_interrupt+0xe7/0x160
[<f89f674b>] e1000_read_phy_reg_ex+0xab/0xd0 [e1000]
[<f89f3b3b>] e1000_mii_ioctl+0x1cb/0x1d0 [e1000]
[<f89f3950>] e1000_ioctl+0x0/0x20 [e1000]
[<f8880ab1>] vlan_dev_ioctl+0xc1/0x110 [8021q]
[<c0236944>] dev_ifsioc+0x374/0x3e0
[<c0236b46>] dev_ioctl+0x196/0x320
[<c027f59c>] inet_ioctl+0x9c/0xb0
[<c022b9d9>] sock_ioctl+0x139/0x300
[<c0174d78>] sys_ioctl+0x148/0x2d0
[<c01061fb>] syscall_call+0x7/0xb
Code: 8b 02 0d 00 00 00 03 89 44 24 08 85 db 74 56 eb 0d 90 90 90
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages kernel-image-2.6.8-2-686-smp depends on:
ii coreutils [fileutils] 5.2.1-2 The GNU core utilities
ii fileutils 5.2.1-2 The GNU file management utilities
ii initrd-tools 0.1.78 tools to create initrd image for p
ii module-init-tools 3.2-pre1-2 tools for managing Linux kernel mo
-- no debconf information
---------------------------------------
Received: (at 309308-close) by bugs.debian.org; 15 Dec 2005 03:51:02 +0000
>From katie@ftp-master.debian.org Wed Dec 14 19:51:02 2005
Return-path: <katie@ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
id 1Emk5V-0006BL-HB; Wed, 14 Dec 2005 19:47:25 -0800
From: Simon Horman <horms@debian.org>
To: 309308-close@bugs.debian.org
X-Katie: $Revision: 1.60 $
Subject: Bug#309308: fixed in kernel-source-2.6.8 2.6.8-16sarge1
Message-Id: <E1Emk5V-0006BL-HB@spohr.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Wed, 14 Dec 2005 19:47:25 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_01,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: kernel-source-2.6.8
Source-Version: 2.6.8-16sarge1
We believe that the bug you reported is fixed in the latest version of
kernel-source-2.6.8, which is due to be installed in the Debian FTP archive:
kernel-doc-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-doc-2.6.8_2.6.8-16sarge1_all.deb
kernel-patch-debian-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-patch-debian-2.6.8_2.6.8-16sarge1_all.deb
kernel-source-2.6.8_2.6.8-16sarge1.diff.gz
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16sarge1.diff.gz
kernel-source-2.6.8_2.6.8-16sarge1.dsc
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16sarge1.dsc
kernel-source-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16sarge1_all.deb
kernel-tree-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-tree-2.6.8_2.6.8-16sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 309308@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.6.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 15 Aug 2005 18:51:34 +0900
Source: kernel-source-2.6.8
Binary: kernel-source-2.6.8 kernel-doc-2.6.8 kernel-tree-2.6.8 kernel-patch-debian-2.6.8
Architecture: source all
Version: 2.6.8-16sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description:
kernel-doc-2.6.8 - Linux kernel specific documentation for version 2.6.8
kernel-patch-debian-2.6.8 - Debian patches to Linux 2.6.8
kernel-source-2.6.8 - Linux kernel source for version 2.6.8 with Debian patches
kernel-tree-2.6.8 - Linux kernel source tree for building Debian kernel images
Closes: 309308 311357 317286 321401 322237 322339 323059
Changes:
kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
.
[ Dann Frazier ]
* mckinley_icache.dpatch:
[Security] Fix a cache coherency bug unearthed by a new ia64 processor,
codenamed Montecito. This bug causes data corruption that has manifested
itself in kernel hangs and userspace crashes, and causes d-i to fail.
Reference: http://www.intel.com/cd/ids/developer/asmo-na/eng/215766.htm
N.B: I have marked this as security as it seems that it would
be trivial to construct a user-space DoS - Simon Horman.
.
[ Simon Horman ]
# Excluded from security-only release
# * drivers-net-via-rhine-wol-oops.dpatch (removed):
# This patch breaks the via-rhine driver and 2.6.8 and is
# completely bogus for this version of the kernel
# (closes: #311357)
.
* arch-x86_64-kernel-ptrace-boundary-check.dpatch
[Security, x86_64] Don't allow accesses below register frame in ptrace
See CAN-2005-1763.
.
* arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch
[Security, x86_64] This works around an AMD Erratum by
checking if the ptrace RIP is canonical.
See CAN-2005-1762
.
* arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
[Security, x86_64] Fix canonical checking for segment registers in ptrace
See CAN-2005-0756
.
* arch-x86_64-kernel-smp-boot-race.dpatch
[Security, x86_64] Keep interrupts disabled during smp bootup
This avoids a race that breaks SMP bootup on some machines.
.
* arch-x86_64-mm-ioremap-page-lookup.dpatch
[Security, x86_64] Don't look up struct page pointer of physical address
in iounmap as it may be in a memory hole not mapped in mem_map and that
causes the hash lookup to go off to nirvana.
.
# Excluded from security-only release
# * drivers-media-vidio-bttv-vc100xp-detect.dpatch
# Allow Leadtek WinFast VC100 XP cards to work.
.
* fs-exec-ptrace-core-exec-race.dpatch
[Security] Fix race between core dumping and exec with shared mm
.
* fs-exec-ptrace-deadlock.dpatch
[Security] Fix coredump_wait deadlock with ptracer & tracee on shared mm
.
* fs-exec-posix-timers-leak-1.dpatch,
[Security] fs-exec-posix-timers-leak-2.dpatch
Make exec clean up posix timers.
.
* fs-hfs-oops-and-leak.dpatch
[Security] Fix a leak in HFS and HFS+
Fix an oops that occurs when an attempt is made to
mount a non-hfs filesystem as HFS+.
N.B: Marked as security as users may have mount privelages.
.
# Excluded from security-only release
# * fs-jbd-checkpoint-assertion.dpatch
# Fix possible false assertion failure in log_do_checkpoint(). We might fail
# to detect that we actually made a progress when cleaning up the checkpoint
# lists if we don't retry after writing something to disk.
.
* mm-mmap-range-test.dpatch
[Security] Make sure get_unmapped_area sanity tests are done regardless of
wheater MAP_FIXED is set or not.
See CAN-2005-1265
.
# Excluded from security-only release
# * mm-rmap-out-of-bounds-pte.dpatch
# Stop try_to_unmap_cluster() passing out-of-bounds pte to pte_unmap()
.
* net-bridge-netfilter-etables-smp-race.dpatch
[Security] The patch below fixes an smp race that happens on such
systems under heavy load.
.
Excluded from security-only release
* net-bridge-mangle-oops-1.dpatch, net-bridge-mangle-oops-2.dpatch
Fix oops when mangling and brouting and tcpdumping packets
Needed for net-bridge-forwarding-poison-1.dpatch
.
* net-bridge-forwarding-poison-2.dpatch,
net-bridge-forwarding-poison-2.dpatch:
[Security] Avoid poisoning of the bridge forwarding table by frames that
have been dropped by filtering. This prevents spoofed source addresses on
hostile side of bridge from causing packet leakage, a small but possible
security risk.
.
# Excluded from security-only release
# * net-ipv4-netfilter-ip_queue-deadlock.dpatch
# Fix deadlock with ip_queue and tcp local input path.
.
* [Security] net-rose-ndigis-verify.dpatch
Verify ndigis argument of a new route.
.
* sound-usb-usbaudio-unplug-oops.dpatch
[Security] Prevent oops & dead keyboard on usb unplugging while the device
is being used.
.
* net-ipv4-ipvs-conn_tab-race.dpatch
[Security] Fix race condition on ip_vs_conn_tab list modification
.
# Excluded from security-only release
# * asm-i386-mem-clobber.dpatch:
# Make sure gcc doesn't reorder memory accesses in strncmp and friends on
# i386.
.
# Excluded from security-only release
# * drivers-acpi-pci_irq-elcr.dpatch:
# Make sure we call acpi_register_gsi() even for default PCI interrupt
# assignment. That's the part that keeps track of the ELCR register, and we
# want to make sure that the PCI interrupts are properly marked level/low.
.
* asm-i386-mem-clobber.dpatch:
Make sure netlink_autobind() propagates the error return from
netlink_insert(). Otherwise, callers will not see the error as they
should and thus try to operate on a socket with a zero pid, which is very
bad.
.
* fs-ext3-64bit-offset.dpatch
[Security] Incorrect offset checks for ext3 xattr on 64 bit architectures
an lead to a local DoS.
See CAN-2005-0757. (see: #311164).
.
* arch-x86_64-mm-mmap.dpatch
[Security, x86_64] Compat mode program can hang kernel
See CAN-2005-1765.
.
* arch-ia64-ptrace-getregs-putregs.dpatch
[Security, ia64] Fix unchecked user-memory accesses in ptrage_getregs()
and ptrace_setregs.
.
* arch-ia64-ptrace-restore_sigcontext.dpatch
[Security, ia64] Fix to prevent users from using ptrace to set the pl field
of the ar.rsc reginster to any value, leading to the
ability to overwrite kernel memory.
Note, this patch requires the arch-ia64-ptrace-getregs-putregs.dpatch
patch to apply cleanly.
See CAN-2005-1761.
.
# Excluded from security-only release
# * Makefile-gcc-3.3.dpatch, control
# Build with gcc-3.3, as gcc-4.0, now the dedault in unstable,
# fails to build this source. As this tree is primarily
# intended for use with sarge, there seems little point
# in putting in gcc-4.0 fixes, but at the same time,
# there is some value in being able to use it with unstable.
# (Closes: #323059)
.
[ dann frazier ]
* Merge in applicable fixes from 2.6.12.3
- [Security] ppc32-time_offset-misuse.dpatch
# Excluded from security-only release - v4l-cx88-hue-offset-fix.dpatch
# Excluded from security-only release - tty_ldisc_ref-return-null-check.dpatch
.
* Merge in applicable fixes from 2.6.12.4
- [Security] netfilter-NAT-memory-corruption.dpatch
# Excluded from security-only release - netfilter-deadlock-ip6_queue.dpatch
- [Security] ipsec-array-overflow.dpatch See CAN-2005-2456
(See: #321401) (Closes: #321401)
- [Security] netfilter-ip_conntrack_untracked-refcount.dpatch
- [Security] sys_get_thread_area-leak.dpatch
# Excluded from security-only release - rocket_c-fix-ldisc-ref-count.dpatch
# Excluded from security-only release - early-vlan-fix.dpatch
.
[ Simon Horman ]
* fs_ext2_ext3_xattr-sharing.dpatch
[Security] Xattr sharing bug
See http://lists.debian.org/debian-kernel/2005/08/msg00238.html
.
* vlan-mii-ioctl.dpatch
[Security] MII ioctl pass through was passing the wrong device.
See http://lists.osdl.org/pipermail/bridge/2004-September/000638.html
See CAN-2005-2548 (Closes: #309308)
.
* fs-sysfs-read-write-race.dpatch
[Security] Fix race in sysfs_read_file() and sysfs_write_file()
that can lead to a user-space DoS.
See CAN-2004-2302 (Closes: #322339)
.
* net-ipv4-netfilter-ip_recent-last_pkts.dpatch
[Security] Fixes remote DoS when using ipt_recent on a 64 bit machine.
(Closes: #322237)
.
# Excluded from security-only release
# * drivers-sata-promise-sataii_tx2_tx4.dpatch
# Add SATAII TX2 and TX2/TX4 support to sata promise driver
# (Closes: #317286)
.
[ Frederik Schüler ]
* arch-x86_64-mm-ioremap-page-lookup-fix.dpatch
Add build fix for arch-x86_64-mm-ioremap-page-lookup.dpatch
.
[ Simon Horman ]
* arch-x86_64-kernel-stack-faults.dpatch
arch-x86_64-nmi.dpatch
arch-x86_64-private-tss.dpatch
[Security, x86_64] Disable exception stack for stack faults
See CAN-2005-1767
.
* linux-zlib-fixes.dpatch
[Security] Fix security bugs in the Linux zlib implementations.
See CAN-2005-2458, CAN-2005-2459
From 2.6.12.5
http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
http://bugs.gentoo.org/show_bug.cgi?id=94584
.
# Excluded from security-only release
# * zisofs.dpatch
# Check input buffer size in zisofs
# From 2.6.12.5
.
# Excluded from security-only release
# * module-per-cpu-alignment-fix.dpatch
# Module per-cpu alignment cannot always be met
# From 2.6.12.5
Files:
37a61dc966c032d1529e2c2a524c9cfa 1001 devel optional kernel-source-2.6.8_2.6.8-16sarge1.dsc
cd72f4d2eb2309a2d77d2ec7a3471c7c 961237 devel optional kernel-source-2.6.8_2.6.8-16sarge1.diff.gz
309f32838373e76c9b61be0e6c191252 1007230 devel optional kernel-patch-debian-2.6.8_2.6.8-16sarge1_all.deb
65dca34768d7aa10074845d9b2f20431 34934446 devel optional kernel-source-2.6.8_2.6.8-16sarge1_all.deb
5b04fd03ede3ae235a03624dc53e2026 32120 devel optional kernel-tree-2.6.8_2.6.8-16sarge1_all.deb
b7388d2256a4396d2da938a687b3ab9b 6179472 doc optional kernel-doc-2.6.8_2.6.8-16sarge1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDoOUqA8ACPgVBDpcRAswmAKCuyLvQggukJ2gYUkzc/zwzx8/jLwCgnuwK
tCrTzKYPUDtdLwcJpcDYHjg=
=cfl6
-----END PGP SIGNATURE-----
Reply to: