CVE-2016-4951 null ptr deref in tipc_nl_publ_dump (rhbz 1338625 1338626)

kernel.spec

@@ -625,6 +625,9 @@ Patch717: KVM-MTRR-remove-MSR-0x2f8.patch
 #CVE-2016-4440 rhbz 1337806 1337807
 Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
 
+#CVE-2016-4951 rhbz 1338625 1338626
+Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2150,6 +2153,9 @@ fi
 #
 # 
 %changelog
+* Mon May 23 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4951 null ptr deref in tipc_nl_publ_dump (rhbz 1338625 1338626)
+
 * Fri May 20 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2016-4440 kvm: incorrect state leading to APIC register access (rhbz 1337806 1337807)
 

tipc-check-nl-sock-before-parsing-nested-attributes.patch

@@ -0,0 +1,36 @@
+From 45e093ae2830cd1264677d47ff9a95a71f5d9f9c Mon Sep 17 00:00:00 2001
+From: Richard Alpe <richard.alpe@ericsson.com>
+Date: Mon, 16 May 2016 11:14:54 +0200
+Subject: [PATCH] tipc: check nl sock before parsing nested attributes
+
+Make sure the socket for which the user is listing publication exists
+before parsing the socket netlink attributes.
+
+Prior to this patch a call without any socket caused a NULL pointer
+dereference in tipc_nl_publ_dump().
+
+Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com>
+Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.cm>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/tipc/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 12628890c219..3b7a79991d55 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ 		if (err)
+ 			return err;
+ 
++		if (!attrs[TIPC_NLA_SOCK])
++			return -EINVAL;
++
+ 		err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
+ 				       attrs[TIPC_NLA_SOCK],
+ 				       tipc_nl_sock_policy);
+-- 
+2.5.5
+