authorJeremy Cline <jeremy@jcline.org>2017-11-15 09:39:23 -0500
committerJeremy Cline <jeremy@jcline.org>2017-11-15 10:14:08 -0500
commit5bd783b4f12ad6beddfcb67a1986c3596ee4b63a (patch)
treeda22d1791ac4d5353e77b3bded679cad778be4eb
parentfe6b94d468f9d4e141572e47a6cc82b6e8f03e46 (diff)
Linux v4.13.13
-rw-r--r--kernel.spec9
-rw-r--r--sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch62
-rw-r--r--sources2
3 files changed, 71 insertions, 2 deletions
diff --git a/kernel.spec b/kernel.spec
index bf7716ec2..e3217d68b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 12
+%define stable_update 13
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -640,6 +640,9 @@ Patch332: arm64-cavium-fixes.patch
# CVE-2017-7477 rhbz 1445207 1445208
Patch502: CVE-2017-7477.patch
+# CVE-2017-15115 rhbz 1513346 1513345
+Patch503: sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
+
# 600 - Patches for improved Bay and Cherry Trail device support
# Below patches are submitted upstream, awaiting review / merging
Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch
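Review bot: Patch503 is only declared in this hunk; nothing visible applies it, so if this spec's %prep applies patches through an explicit per-patch list rather than by iterating over %{patches}, an `ApplyPatch sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch` line is also needed there, which cannot be confirmed from this hunk. The declaration itself follows the Patch502 entry above in numbering and in the CVE/rhbz comment form, and the changelog hunk further down records the same CVE-2017-15115 reference, so the two stay consistent. The %prep section is outside this hunk.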
@@ -2283,6 +2286,10 @@ fi
#
#
%changelog
+* Wed Nov 15 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.13-200
+- Linux v4.13.13
+- Fix CVE-2017-15115 (rhbz 1513346 1513345)
+
* Wed Nov 15 2017 Peter Robinson <pbrobinson@fedoraproject.org>
- Add fix for vc4 interupts
diff --git a/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch b/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
new file mode 100644
index 000000000..d44f6cc28
--- /dev/null
+++ b/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
@@ -0,0 +1,62 @@
+From df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 17 Oct 2017 23:26:10 +0800
+Subject: sctp: do not peel off an assoc from one netns to another one
+
+Now when peeling off an association to the sock in another netns, all
+transports in this assoc are not to be rehashed and keep use the old
+key in hashtable.
+
+As a transport uses sk->net as the hash key to insert into hashtable,
+it would miss removing these transports from hashtable due to the new
+netns when closing the sock and all transports are being freeed, then
+later an use-after-free issue could be caused when looking up an asoc
+and dereferencing those transports.
+
+This is a very old issue since very beginning, ChunYu found it with
+syzkaller fuzz testing with this series:
+
+ socket$inet6_sctp()
+ bind$inet6()
+ sendto$inet6()
+ unshare(0x40000000)
+ getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
+ getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
+
+This patch is to block this call when peeling one assoc off from one
+netns to another one, so that the netns of all transport would not
+go out-sync with the key in hashtable.
+
+Note that this patch didn't fix it by rehashing transports, as it's
+difficult to handle the situation when the tuple is already in use
+in the new netns. Besides, no one would like to peel off one assoc
+to another netns, considering ipaddrs, ifaces, etc. are usually
+different.
+
+Reported-by: ChunYu Wang <chunwang@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/sctp/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index d4730ad..17841ab 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ struct socket *sock;
+ int err = 0;
+
++ /* Do not peel off from one netns to another one. */
++ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
++ return -EINVAL;
++
+ if (!asoc)
+ return -EINVAL;
+
+--
+cgit v1.1
+
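Review bot: The context and added lines of the embedded hunk at `@@ -4906,6 +4906,10 @@` appear with a single leading space rather than the kernel's tab indentation (for example `+ struct socket *sock;` and `++ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))`); if that is the stored file content and not a rendering artifact, the context will not match net/sctp/socket.c, the hunk will be rejected at build time, and the CVE-2017-15115 fix will silently not be shipped. It is worth confirming the file applies cleanly (for instance with `git apply --check` against the 4.13.13 tree) or regenerating it from the upstream commit named in the From line, df80cd9b28b9ebaa284a41df611dbf3a2d05ca74. The added netns comparison itself matches the upstream change as described in the patch description. The enclosing function sctp_do_peeloff starts and ends outside the hunk.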
diff --git a/sources b/sources
index 4f9960f5e..3d7cfe0c0 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2
SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
-SHA512 (patch-4.13.12.xz) = 6ae0b61bcd62b2e90b8ef3e1030fa874aba95317ec559d6e72cbd83a21b3894c05210d2da137f7b4db063d7de52193260b2364ceb43538ab8cd1db78070efb34
+SHA512 (patch-4.13.13.xz) = 27966bedc01ef5e2d023ee0b91224ca5ab3c5019f431305a9daa62b3acddf80e4e4c201ec47ca06243aba7778810d5ecb95e9d115e15935153a4a5d061af3fac