diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-02-24 07:35:04 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-02-24 07:35:04 +0100 |
commit | 5ab181c7cff76023ed0c35caee09eb969ab1524b (patch) | |
tree | d5a2de6c934088484b533b3694af8ef505eb2497 | |
parent | 2b02c2c154ae53bcb6646efce5acf0c40f4e7529 (diff) | |
parent | 0a79c585b4824d209ec395765e8837bc675396f6 (diff) | |
download | kernel-4.9.12-200.vanilla.knurd.1.fc25.tar.gz kernel-4.9.12-200.vanilla.knurd.1.fc25.tar.xz kernel-4.9.12-200.vanilla.knurd.1.fc25.zip |
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedorakernel-4.9.12-200.vanilla.knurd.1.fc25
-rw-r--r-- | dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch | 47 | ||||
-rw-r--r-- | kernel.spec | 11 | ||||
-rw-r--r-- | sources | 2 |
3 files changed, 58 insertions, 2 deletions
diff --git a/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch new file mode 100644 index 000000000..433fd4b2b --- /dev/null +++ b/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch @@ -0,0 +1,47 @@ +From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov <andreyknvl@google.com> +Date: Thu, 16 Feb 2017 17:22:46 +0100 +Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO + +In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet +is forcibly freed via __kfree_skb in dccp_rcv_state_process if +dccp_v6_conn_request successfully returns. + +However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb +is saved to ireq->pktopts and the ref count for skb is incremented in +dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed +in dccp_rcv_state_process. + +Fix by calling consume_skb instead of doing goto discard and therefore +calling __kfree_skb. + +Similar fixes for TCP: + +fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. +0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now +simply consumed + +Signed-off-by: Andrey Konovalov <andreyknvl@google.com> +Acked-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/dccp/input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/dccp/input.c b/net/dccp/input.c +index ba34718..8fedc2d 100644 +--- a/net/dccp/input.c ++++ b/net/dccp/input.c +@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, + if (inet_csk(sk)->icsk_af_ops->conn_request(sk, + skb) < 0) + return 1; +- goto discard; ++ consume_skb(skb); ++ return 0; + } + if (dh->dccph_type == DCCP_PKT_RESET) + goto discard; +-- +cgit v0.12 + diff --git a/kernel.spec b/kernel.spec index d0f47f820..358cf1446 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 11 +%define stable_update 12 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -663,6 +663,9 @@ Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch #rhbz 1422969 Patch862: rt2800-warning.patch +#CVE-2017-6074 +Patch863: dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch + # END OF PATCH DEFINITIONS %endif @@ -2213,6 +2216,12 @@ fi # # %changelog +* Thu Feb 23 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.12-200 +- Linux v4.9.12 + +* Wed Feb 22 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- CVE-2017-6074 DCCP double-free vulnerability + * Mon Feb 20 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.11-200 - Linux v4.9.11 - Fix rt2800 warning (rhbz 1422969) @@ -1,3 +1,3 @@ SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99 -SHA512 (patch-4.9.11.xz) = 7683628b011fa1462b5838301ebabc3eebaefcd50f65600be55bcf0102578ca07589c7683ef84b8d5300bd05795655fb21e1c145f5663d30593fc1801c163bc3 +SHA512 (patch-4.9.12.xz) = 52314315fe960b3b4b11021a5a8a6271bd8a7e3f9f63cd983f72cf7585ac95408872ab48074d2cd578d681a64e10607ba69157a3fed14663736f20c5c2a78b0a |