author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-11-15 18:34:28 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-11-15 18:34:28 +0100 |
commit | 4b70448f328a7837a0aa925e6cd17567a8baf033 (patch) | |
tree | 2ba858500d07a98a11941fd2030e86a6757d3899 | |
parent | af87d46478413b964d11886b6fdf2d98d76266ea (diff) | |
parent | 5bd783b4f12ad6beddfcb67a1986c3596ee4b63a (diff) | |
Merge remote-tracking branch 'origin/f26' into f26-user-thl-vanilla-fedora
-rw-r--r-- | kernel.spec | 7 | ||||
-rw-r--r-- | sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch | 62 | ||||
-rw-r--r-- | sources | 2 |
3 files changed, 70 insertions, 1 deletions
diff --git a/kernel.spec b/kernel.spec
index d330df934..8d6420c81 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -657,6 +657,9 @@ Patch332: arm64-cavium-fixes.patch
 # CVE-2017-7477 rhbz 1445207 1445208
 Patch502: CVE-2017-7477.patch
 
+# CVE-2017-15115 rhbz 1513346 1513345
+Patch503: sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
+
 # 600 - Patches for improved Bay and Cherry Trail device support
 # Below patches are submitted upstream, awaiting review / merging
 Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch
@@ -2303,6 +2306,10 @@ fi
 #
 #
 %changelog
+* Wed Nov 15 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.13-200
+- Linux v4.13.13
+- Fix CVE-2017-15115 (rhbz 1513346 1513345)
+
 * Wed Nov 15 2017 Peter Robinson <pbrobinson@fedoraproject.org>
 - Add fix for vc4 interupts
 
diff --git a/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch b/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
new file mode 100644
index 000000000..d44f6cc28
--- /dev/null
+++ b/sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
@@ -0,0 +1,62 @@
+From df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 17 Oct 2017 23:26:10 +0800
+Subject: sctp: do not peel off an assoc from one netns to another one
+
+Now when peeling off an association to the sock in another netns, all
+transports in this assoc are not to be rehashed and keep use the old
+key in hashtable.
+
+As a transport uses sk->net as the hash key to insert into hashtable,
+it would miss removing these transports from hashtable due to the new
+netns when closing the sock and all transports are being freeed, then
+later an use-after-free issue could be caused when looking up an asoc
+and dereferencing those transports.
+
+This is a very old issue since very beginning, ChunYu found it with
+syzkaller fuzz testing with this series:
+
+ socket$inet6_sctp()
+ bind$inet6()
+ sendto$inet6()
+ unshare(0x40000000)
+ getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
+ getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
+
+This patch is to block this call when peeling one assoc off from one
+netns to another one, so that the netns of all transport would not
+go out-sync with the key in hashtable.
+
+Note that this patch didn't fix it by rehashing transports, as it's
+difficult to handle the situation when the tuple is already in use
+in the new netns. Besides, no one would like to peel off one assoc
+to another netns, considering ipaddrs, ifaces, etc. are usually
+different.
+
+Reported-by: ChunYu Wang <chunwang@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/sctp/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index d4730ad..17841ab 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ struct socket *sock;
+ int err = 0;
+
++ /* Do not peel off from one netns to another one. */
++ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
++ return -EINVAL;
++
+ if (!asoc)
+ return -EINVAL;
+
+--
+cgit v1.1
+
@@ -1,3 +1,3 @@
 SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2
 SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
-SHA512 (patch-4.13.12.xz) = 6ae0b61bcd62b2e90b8ef3e1030fa874aba95317ec559d6e72cbd83a21b3894c05210d2da137f7b4db063d7de52193260b2364ceb43538ab8cd1db78070efb34
+SHA512 (patch-4.13.13.xz) = 27966bedc01ef5e2d023ee0b91224ca5ab3c5019f431305a9daa62b3acddf80e4e4c201ec47ca06243aba7778810d5ecb95e9d115e15935153a4a5d061af3fac |
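Review bot: The guard added at the top of sctp_do_peeloff() in the carried patch is documented only by `/* Do not peel off from one netns to another one. */`, which restates the condition without the reason; the rationale sits only in the commit message. I would expand it to something like `/* Transports are hashed by the sock's netns and are not rehashed on peel-off; crossing netns would leave stale entries (use-after-free). */`. The check also dereferences `current->nsproxy` without a NULL test, which looks fine on the getsockopt path the message describes but is worth confirming for any in-kernel caller of this function, if one exists. The rejection returns the same `-EINVAL` as the `if (!asoc)` test right below it, so a caller cannot tell a cross-netns refusal from an unknown association id. The function body begins and continues outside the inner hunk, so the association lookup and the rest of the peel-off path are not visible here.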