[arch-commits] Commit in linux-hardened/trunk (2 files)

Levente Polyak anthraxx at archlinux.org
Thu Feb 8 10:29:44 UTC 2018


    Date: Thursday, February 8, 2018 @ 10:29:43
  Author: anthraxx
Revision: 290251

upgpkg: linux-hardened 4.15.1.a-1

Deleted:
  linux-hardened/trunk/CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
  linux-hardened/trunk/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch

-----------------------------------------------------------------+
 CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch            |   42 -------
 xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch |   53 ----------
 2 files changed, 95 deletions(-)

Deleted: CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
===================================================================
--- CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch	2018-02-08 10:29:06 UTC (rev 290250)
+++ CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch	2018-02-08 10:29:43 UTC (rev 290251)
@@ -1,42 +0,0 @@
-From 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 Mon Sep 17 00:00:00 2001
-From: Mohamed Ghannam <simo.ghannam at gmail.com>
-Date: Tue, 5 Dec 2017 20:58:35 +0000
-Subject: [PATCH] dccp: CVE-2017-8824: use-after-free in DCCP code
-
-Whenever the sock object is in DCCP_CLOSED state,
-dccp_disconnect() must free dccps_hc_tx_ccid and
-dccps_hc_rx_ccid and set to NULL.
-
-Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
-Reviewed-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/dccp/proto.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/net/dccp/proto.c b/net/dccp/proto.c
-index b68168fcc06a..9d43c1f40274 100644
---- a/net/dccp/proto.c
-+++ b/net/dccp/proto.c
-@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
- {
- 	struct inet_connection_sock *icsk = inet_csk(sk);
- 	struct inet_sock *inet = inet_sk(sk);
-+	struct dccp_sock *dp = dccp_sk(sk);
- 	int err = 0;
- 	const int old_state = sk->sk_state;
- 
-@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
- 		sk->sk_err = ECONNRESET;
- 
- 	dccp_clear_xmit_timers(sk);
-+	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
-+	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
-+	dp->dccps_hc_rx_ccid = NULL;
-+	dp->dccps_hc_tx_ccid = NULL;
- 
- 	__skb_queue_purge(&sk->sk_receive_queue);
- 	__skb_queue_purge(&sk->sk_write_queue);
--- 
-2.15.1
-
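Review bot: The commit message "upgpkg: linux-hardened 4.15.1.a-1" gives no reason for dropping the CVE-2017-8824 backport, so the log does not show that the fix is still present after this change. Before removing the file, confirm that dccp_disconnect() in net/dccp/proto.c of the 4.15.1.a source calls ccid_hc_rx_delete() and ccid_hc_tx_delete() and sets dp->dccps_hc_rx_ccid and dp->dccps_hc_tx_ccid to NULL. Then say so in the commit message, ideally citing the hash from the patch header (69c64866ce072dea1d1e59a0d61e0f66c0dffb76), so anyone tracking the CVE can audit the removal. This revision touches only the two patch files, so also check that the package's source list and checksums no longer reference this filename.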

Deleted: xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
===================================================================
--- xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch	2018-02-08 10:29:06 UTC (rev 290250)
+++ xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch	2018-02-08 10:29:43 UTC (rev 290251)
@@ -1,53 +0,0 @@
-From patchwork Fri Dec 22 09:44:57 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [4/8] xfrm: Fix stack-out-of-bounds read on socket policy lookup.
-X-Patchwork-Submitter: Steffen Klassert <steffen.klassert at secunet.com>
-X-Patchwork-Id: 852277
-X-Patchwork-Delegate: davem at davemloft.net
-Message-Id: <20171222094501.23345-5-steffen.klassert at secunet.com>
-To: David Miller <davem at davemloft.net>
-Cc: Herbert Xu <herbert at gondor.apana.org.au>,
- Steffen Klassert <steffen.klassert at secunet.com>, <netdev at vger.kernel.org>
-Date: Fri, 22 Dec 2017 10:44:57 +0100
-From: Steffen Klassert <steffen.klassert at secunet.com>
-List-Id: <netdev.vger.kernel.org>
-
-When we do tunnel or beet mode, we pass saddr and daddr from the
-template to xfrm_state_find(), this is ok. On transport mode,
-we pass the addresses from the flowi, assuming that the IP
-addresses (and address family) don't change during transformation.
-This assumption is wrong in the IPv4 mapped IPv6 case, packet
-is IPv4 and template is IPv6.
-
-Fix this by catching address family missmatches of the policy
-and the flow already before we do the lookup.
-
-Reported-by: syzbot <syzkaller at googlegroups.com>
-Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
----
- net/xfrm/xfrm_policy.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 9542975eb2f9..038ec68f6901 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -1168,9 +1168,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
-  again:
- 	pol = rcu_dereference(sk->sk_policy[dir]);
- 	if (pol != NULL) {
--		bool match = xfrm_selector_match(&pol->selector, fl, family);
-+		bool match;
- 		int err = 0;
- 
-+		if (pol->family != family) {
-+			pol = NULL;
-+			goto out;
-+		}
-+
-+		match = xfrm_selector_match(&pol->selector, fl, family);
- 		if (match) {
- 			if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
- 				pol = NULL;
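Review bot: The xfrm patch being deleted was taken from patchwork (X-Patchwork-Id: 852277) and its header carries no upstream commit hash, so there is nothing here to match against the new base tree by identifier. Verify by content instead: xfrm_sk_policy_lookup() in net/xfrm/xfrm_policy.c of the 4.15.1.a source should test "if (pol->family != family)" and bail out before calling xfrm_selector_match(). Record the result in the commit message. If that check is missing from the new base, the stack out-of-bounds read in the IPv4-mapped IPv6 case described in the patch text returns, so this backport should stay until the check is confirmed.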


