diff options
Diffstat (limited to 'tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch')
| -rw-r--r-- | tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch | 46 |
1 files changed, 0 insertions, 46 deletions
diff --git a/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch b/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch deleted file mode 100644 index 36ada7acf..000000000 --- a/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: 2016-08-17 12:56:26 -Subject: [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue() - -When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the -tail of the write queue using tcp_add_write_queue_tail() - -Then it attempts to copy user data into this fresh skb. - -If the copy fails, we undo the work and remove the fresh skb. - -Unfortunately, this undo lacks the change done to tp->highest_sack and -we can leave a dangling pointer (to a freed skb) - -Later, tcp_xmit_retransmit_queue() can dereference this pointer and -access freed memory. For regular kernels where memory is not unmapped, -this might cause SACK bugs because tcp_highest_sack_seq() is buggy, -returning garbage instead of tp->snd_nxt, but with various debug -features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel. - -This bug was found by Marco Grassi thanks to syzkaller. - -Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb") -Reported-by: Marco Grassi <marco.gra@gmail.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> -Cc: Yuchung Cheng <ycheng@google.com> -Cc: Neal Cardwell <ncardwell@google.com> ---- - include/net/tcp.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index c00e7d51bb18..7717302cab91 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli - { - if (sk->sk_send_head == skb_unlinked) - sk->sk_send_head = NULL; -+ if (tcp_sk(sk)->highest_sack == skb_unlinked) -+ tcp_sk(sk)->highest_sack = NULL; - } - - static inline void tcp_init_send_head(struct sock *sk) - |