CVE-2015-3636 ping-sockets use-after-free privilege escalation (rhbz 1218074 1218110)
This commit is contained in:
parent
41237e1e4b
commit
ee54dc10fd
|
@ -0,0 +1,31 @@
|
|||
From: "David S. Miller" <davem@davemloft.net>
|
||||
Date: Fri, 1 May 2015 22:02:47 -0400
|
||||
Subject: [PATCH] ipv4: Missing sk_nulls_node_init() in ping_unhash().
|
||||
|
||||
If we don't do that, then the poison value is left in the ->pprev
|
||||
backlink.
|
||||
|
||||
This can cause crashes if we do a disconnect, followed by a connect().
|
||||
|
||||
Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Reported-by: Wen Xu <hotdog3645@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv4/ping.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
|
||||
index 208d5439e59b..787b0d699969 100644
|
||||
--- a/net/ipv4/ping.c
|
||||
+++ b/net/ipv4/ping.c
|
||||
@@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk)
|
||||
if (sk_hashed(sk)) {
|
||||
write_lock_bh(&ping_table.lock);
|
||||
hlist_nulls_del(&sk->sk_nulls_node);
|
||||
+ sk_nulls_node_init(&sk->sk_nulls_node);
|
||||
sock_put(sk);
|
||||
isk->inet_num = 0;
|
||||
isk->inet_sport = 0;
|
||||
--
|
||||
2.3.6
|
||||
|
|
@ -652,6 +652,9 @@ Patch26192: blk-loop-avoid-too-many-pending-per-work-IO.patch
|
|||
#rhbz 1206036 1215989
|
||||
Patch26193: toshiba_acpi-Do-not-register-vendor-backlight-when-a.patch
|
||||
|
||||
#CVE-2015-3636 rhbz 1218074 1218110
|
||||
Patch26194: ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1418,6 +1421,8 @@ ApplyPatch blk-loop-avoid-too-many-pending-per-work-IO.patch
|
|||
#rhbz 1206036 1215989
|
||||
ApplyPatch toshiba_acpi-Do-not-register-vendor-backlight-when-a.patch
|
||||
|
||||
#CVE-2015-3636 rhbz 1218074 1218110
|
||||
ApplyPatch ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2269,6 +2274,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue May 05 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-3636 ping-sockets use-after-free privilege escalation (rhbz 1218074 1218110)
|
||||
|
||||
* Thu Apr 30 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix backlight on various Toshiba machines (rhbz 1206036 1215989)
|
||||
|
||||
|
|
Loading…
Reference in New Issue