Fix CVE-2017-8824 (rhbz 1519591 1520764)
This commit is contained in:
Jeremy Cline
parent
7902241715
commit
33a5b3ed6e
|
|
@ -0,0 +1,43 @@
|
|||
From 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <69c64866ce072dea1d1e59a0d61e0f66c0dffb76.1513103764.git.jeremy@jcline.org>
|
||||
From: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Date: Tue, 5 Dec 2017 20:58:35 +0000
|
||||
Subject: [PATCH] dccp: CVE-2017-8824: use-after-free in DCCP code
|
||||
|
||||
Whenever the sock object is in DCCP_CLOSED state,
|
||||
dccp_disconnect() must free dccps_hc_tx_ccid and
|
||||
dccps_hc_rx_ccid and set to NULL.
|
||||
|
||||
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Reviewed-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/dccp/proto.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
|
||||
index b68168fcc06a..9d43c1f40274 100644
|
||||
--- a/net/dccp/proto.c
|
||||
+++ b/net/dccp/proto.c
|
||||
@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
|
||||
{
|
||||
struct inet_connection_sock *icsk = inet_csk(sk);
|
||||
struct inet_sock *inet = inet_sk(sk);
|
||||
+ struct dccp_sock *dp = dccp_sk(sk);
|
||||
int err = 0;
|
||||
const int old_state = sk->sk_state;
|
||||
|
||||
@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
|
||||
sk->sk_err = ECONNRESET;
|
||||
|
||||
dccp_clear_xmit_timers(sk);
|
||||
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
|
||||
+ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
|
||||
+ dp->dccps_hc_rx_ccid = NULL;
|
||||
+ dp->dccps_hc_tx_ccid = NULL;
|
||||
|
||||
__skb_queue_purge(&sk->sk_receive_queue);
|
||||
__skb_queue_purge(&sk->sk_write_queue);
|
||||
--
|
||||
2.14.3
|
||||
|
||||
|
|
@ -626,8 +626,8 @@ Patch399: arm64-thunderX-fix-ipv6-checksum-offload.patch
|
|||
|
||||
# 500 - Temp fixes/CVEs etc
|
||||
|
||||
# rhbz 1498016 1498017
|
||||
#Patch503: KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch
|
||||
# rbhz 1519591 1520764
|
||||
Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
|
||||
|
||||
# 600 - Patches for improved Bay and Cherry Trail device support
|
||||
# Below patches are submitted upstream, awaiting review / merging
|
||||
|
|
@ -2207,6 +2207,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Dec 12 2017 Jeremy Cline <jeremy@jcline.org>
|
||||
- Fix CVE-2017-8824 (rhbz 1519591 1520764)
|
||||
|
||||
* Mon Dec 11 2017 Jeremy Cline <jeremy@jcline.org>
|
||||
- Re-fix USB null pointer dereference on ThinkPad X1 (rhbz 1462175)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue