From 90333c2ecd532380008d7023040da00bfd895c3c Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Mon, 14 Apr 2014 07:38:57 -0400
Subject: [PATCH] CVE-2014-2851 net ipv4 ping refcount issue in ping_init_sock (rhbz 1086730 1087420)
---
 kernel.spec | 11 +++-
 ...group_info-should-be-put-after-using.patch | 64 +++++++++++++++++++
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 net-ipv4-current-group_info-should-be-put-after-using.patch
diff --git a/kernel.spec b/kernel.spec
index dfb6d1c02..e594fe1e6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -713,6 +713,9 @@ Patch25062: 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch
 #rhbz 1074235
 Patch25055: lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
+#CVE-2014-2851 rhbz 1086730 1087420
+Patch25059: net-ipv4-current-group_info-should-be-put-after-using.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1391,6 +1394,9 @@ ApplyPatch 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch
 #rhbz 1074235
 ApplyPatch lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
+#CVE-2014-2851 rhbz 1086730 1087420
+ApplyPatch net-ipv4-current-group_info-should-be-put-after-using.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2203,7 +2209,10 @@ fi
 # ||----w |
 # || ||
 %changelog
-* Sat Apr 12 2013 Josh Boyer
+* Mon Apr 14 2014 Josh Boyer
+- CVE-2014-2851 net ipv4 ping refcount issue in ping_init_sock (rhbz 1086730 1087420)
+
+* Sat Apr 12 2014 Josh Boyer
 - Linux v3.14.1-rc1
 * Thu Dec 12 2013 Justin M. Forbes - 3.12.5-1
diff --git a/net-ipv4-current-group_info-should-be-put-after-using.patch b/net-ipv4-current-group_info-should-be-put-after-using.patch
new file mode 100644
index 000000000..265b3839b
--- /dev/null
+++ b/net-ipv4-current-group_info-should-be-put-after-using.patch
@@ -0,0 +1,64 @@
+Bugzilla: 1087420
+Upstream-status: Queued for 3.15 and stable
+
+From b04c46190219a4f845e46a459e3102137b7f6cac Mon Sep 17 00:00:00 2001
+From: "Wang, Xiaoming"
+Date: Mon, 14 Apr 2014 12:30:45 -0400
+Subject: net: ipv4: current group_info should be put after using.
+
+Plug a group_info refcount leak in ping_init.
+group_info is only needed during initialization and
+the code failed to release the reference on exit.
+While here move grabbing the reference to a place
+where it is actually needed.
+
+Signed-off-by: Chuansheng Liu
+Signed-off-by: Zhang Dongxing
+Signed-off-by: xiaoming wang
+Signed-off-by: David S. Miller
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index f4b19e5..8210964 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -252,26 +252,33 @@ int ping_init_sock(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
+ kgid_t group = current_egid();
+- struct group_info *group_info = get_current_groups();
+- int i, j, count = group_info->ngroups;
++ struct group_info *group_info;
++ int i, j, count;
+ kgid_t low, high;
++ int ret = 0;
+
+ inet_get_ping_group_range_net(net, &low, &high);
+ if (gid_lte(low, group) && gid_lte(group, high))
+ return 0;
+
++ group_info = get_current_groups();
++ count = group_info->ngroups;
+ for (i = 0; i < group_info->nblocks; i++) {
+ int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
+ for (j = 0; j < cp_count; j++) {
+ kgid_t gid = group_info->blocks[i][j];
+ if (gid_lte(low, gid) && gid_lte(gid, high))
+- return 0;
++ goto out_release_group;
+ }
+
+ count -= cp_count;
+ }
+
+- return -EACCES;
++ ret = -EACCES;
++
++out_release_group:
++ put_group_info(group_info);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(ping_init_sock);
+
+--
+cgit v0.10.1
+
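Review bot: Nothing in the patched ping_init_sock() records the reference-holding rule this fix depends on: once `get_current_groups()` has run, the only correct exit is through `out_release_group`, and the early `return 0` for the egid-in-range case is safe only because the acquisition now sits below it. A comment at the acquisition, for example `/* takes a group_info reference; every exit below must go through out_release_group */`, would stop a later edit from reintroducing a bare `return` inside the loop. The carried patch says only "refcount leak"; presumably the security impact is that repeated calls could drive the usage counter far enough to wrap and free the structure while it is still in use, which should be confirmed against the CVE-2014-2851 advisory. The header line `Upstream-status: Queued for 3.15 and stable` also implies this patch should be dropped from kernel.spec once a rebase includes the upstream commit.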