Linux v4.13.13
This commit is contained in:
parent
fe6b94d468
commit
5bd783b4f1
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 12
|
||||
%define stable_update 13
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -640,6 +640,9 @@ Patch332: arm64-cavium-fixes.patch
|
|||
# CVE-2017-7477 rhbz 1445207 1445208
|
||||
Patch502: CVE-2017-7477.patch
|
||||
|
||||
# CVE-2017-15115 rhbz 1513346 1513345
|
||||
Patch503: sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
|
||||
|
||||
# 600 - Patches for improved Bay and Cherry Trail device support
|
||||
# Below patches are submitted upstream, awaiting review / merging
|
||||
Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch
|
||||
|
@ -2283,6 +2286,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Nov 15 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.13-200
|
||||
- Linux v4.13.13
|
||||
- Fix CVE-2017-15115 (rhbz 1513346 1513345)
|
||||
|
||||
* Wed Nov 15 2017 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Add fix for vc4 interupts
|
||||
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
From df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 Mon Sep 17 00:00:00 2001
|
||||
From: Xin Long <lucien.xin@gmail.com>
|
||||
Date: Tue, 17 Oct 2017 23:26:10 +0800
|
||||
Subject: sctp: do not peel off an assoc from one netns to another one
|
||||
|
||||
Now when peeling off an association to the sock in another netns, all
|
||||
transports in this assoc are not to be rehashed and keep use the old
|
||||
key in hashtable.
|
||||
|
||||
As a transport uses sk->net as the hash key to insert into hashtable,
|
||||
it would miss removing these transports from hashtable due to the new
|
||||
netns when closing the sock and all transports are being freeed, then
|
||||
later an use-after-free issue could be caused when looking up an asoc
|
||||
and dereferencing those transports.
|
||||
|
||||
This is a very old issue since very beginning, ChunYu found it with
|
||||
syzkaller fuzz testing with this series:
|
||||
|
||||
socket$inet6_sctp()
|
||||
bind$inet6()
|
||||
sendto$inet6()
|
||||
unshare(0x40000000)
|
||||
getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
|
||||
getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
|
||||
|
||||
This patch is to block this call when peeling one assoc off from one
|
||||
netns to another one, so that the netns of all transport would not
|
||||
go out-sync with the key in hashtable.
|
||||
|
||||
Note that this patch didn't fix it by rehashing transports, as it's
|
||||
difficult to handle the situation when the tuple is already in use
|
||||
in the new netns. Besides, no one would like to peel off one assoc
|
||||
to another netns, considering ipaddrs, ifaces, etc. are usually
|
||||
different.
|
||||
|
||||
Reported-by: ChunYu Wang <chunwang@redhat.com>
|
||||
Signed-off-by: Xin Long <lucien.xin@gmail.com>
|
||||
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
||||
Acked-by: Neil Horman <nhorman@tuxdriver.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/sctp/socket.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
|
||||
index d4730ad..17841ab 100644
|
||||
--- a/net/sctp/socket.c
|
||||
+++ b/net/sctp/socket.c
|
||||
@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
|
||||
struct socket *sock;
|
||||
int err = 0;
|
||||
|
||||
+ /* Do not peel off from one netns to another one. */
|
||||
+ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!asoc)
|
||||
return -EINVAL;
|
||||
|
||||
--
|
||||
cgit v1.1
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2
|
||||
SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
|
||||
SHA512 (patch-4.13.12.xz) = 6ae0b61bcd62b2e90b8ef3e1030fa874aba95317ec559d6e72cbd83a21b3894c05210d2da137f7b4db063d7de52193260b2364ceb43538ab8cd1db78070efb34
|
||||
SHA512 (patch-4.13.13.xz) = 27966bedc01ef5e2d023ee0b91224ca5ab3c5019f431305a9daa62b3acddf80e4e4c201ec47ca06243aba7778810d5ecb95e9d115e15935153a4a5d061af3fac
|
||||
|
|
Loading…
Reference in New Issue