[arch-commits] Commit in linux-lts/trunk (2 files)

Andreas Radke andyrtr at archlinux.org
Thu Feb 23 17:22:41 UTC 2017


    Date: Thursday, February 23, 2017 @ 17:22:40
  Author: andyrtr
Revision: 289441

upgpkg: linux-lts 4.4.50-2

apply fix for CVE-2017-6074

Added:
  linux-lts/trunk/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
Modified:
  linux-lts/trunk/PKGBUILD

----------------------------------------------------------------+
 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch |   47 ++++++++++
 PKGBUILD                                                       |   11 +-
 2 files changed, 55 insertions(+), 3 deletions(-)

Added: 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
===================================================================
--- 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch	                        (rev 0)
+++ 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch	2017-02-23 17:22:40 UTC (rev 289441)
@@ -0,0 +1,47 @@
+From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Thu, 16 Feb 2017 17:22:46 +0100
+Subject: [PATCH] dccp: fix freeing skb too early for IPV6_RECVPKTINFO
+
+In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
+is forcibly freed via __kfree_skb in dccp_rcv_state_process if
+dccp_v6_conn_request successfully returns.
+
+However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
+is saved to ireq->pktopts and the ref count for skb is incremented in
+dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
+in dccp_rcv_state_process.
+
+Fix by calling consume_skb instead of doing goto discard and therefore
+calling __kfree_skb.
+
+Similar fixes for TCP:
+
+fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
+0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
+simply consumed
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/dccp/input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/dccp/input.c b/net/dccp/input.c
+index ba347184bda9b3fe..8fedc2d497709b3d 100644
+--- a/net/dccp/input.c
++++ b/net/dccp/input.c
+@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ 			if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
+ 								    skb) < 0)
+ 				return 1;
+-			goto discard;
++			consume_skb(skb);
++			return 0;
+ 		}
+ 		if (dh->dccph_type == DCCP_PKT_RESET)
+ 			goto discard;
+-- 
+2.11.1
+
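Review bot: The `consume_skb(skb); return 0;` pair in the embedded net/dccp/input.c hunk has no comment saying why this path must not fall through to `discard`, which makes it easy to fold back into `goto discard` in a later cleanup. Per the patch description, conn_request may have saved skb in ireq->pktopts and taken a reference when IPV6_RECVPKTINFO is set, so the `__kfree_skb` on the discard path frees a buffer that is still in use. I would add above the call: `/* conn_request() may keep a reference to skb (IPV6_RECVPKTINFO); drop only ours */`. dccp_rcv_state_process starts and ends outside the hunk, so whether its other `goto discard` sites have the same ownership problem cannot be checked from this page.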

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-02-23 16:50:03 UTC (rev 289440)
+++ PKGBUILD	2017-02-23 17:22:40 UTC (rev 289441)
@@ -5,7 +5,7 @@
 #pkgbase=linux-lts-custom
 _srcname=linux-4.4
 pkgver=4.4.50
-pkgrel=1
+pkgrel=2
 arch=('i686' 'x86_64')
 url="https://www.kernel.org/"
 license=('GPL2')
@@ -20,7 +20,8 @@
         # standard config files for mkinitcpio ramdisk
         linux-lts.preset
         change-default-console-loglevel.patch
-        0001-sdhci-revert.patch)
+        0001-sdhci-revert.patch
+        0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch)
 # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
 sha256sums=('401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2'
             'SKIP'
@@ -31,7 +32,8 @@
             '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0'
             '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0'
             '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99'
-            '5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375')
+            '5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375'
+            '85954ac18da9dc1bec5df28e2f097d13016e39fa9631074f85b6364af340fcd9')
 validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds <torvalds at linux-foundation.org>
               '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) <greg at kroah.com>
              )
@@ -43,6 +45,9 @@
   # add upstream patch
   patch -p1 -i "${srcdir}/patch-${pkgver}"
 
+  # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074
+  patch -p1 -i "${srcdir}/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch"
+
   # add latest fixes from stable queue, if needed
   # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
 
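Review bot: The comment added above the new `patch -p1` call in prepare() gives only the CVE URL, so a later maintainer cannot tell from the PKGBUILD which upstream change is being carried or when the local patch can be dropped. I would extend it to name the fix and its removal condition, e.g. `# CVE-2017-6074 (dccp: skb freed too early with IPV6_RECVPKTINFO), commit 5edabca9d4cf; drop once patch-${pkgver} includes it`. The commit id is the one in the patch file's `From` line and is presumably the upstream one. prepare() begins and ends outside the hunk.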


