Date: Thursday, February 8, 2018 @ 10:29:43 Author: anthraxx Revision: 290251
upgpkg: linux-hardened 4.15.1.a-1 Deleted: linux-hardened/trunk/CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch linux-hardened/trunk/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch -----------------------------------------------------------------+ CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch | 42 ------- xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch | 53 ---------- 2 files changed, 95 deletions(-) Deleted: CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch =================================================================== --- CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch 2018-02-08 10:29:06 UTC (rev 290250) +++ CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch 2018-02-08 10:29:43 UTC (rev 290251) @@ -1,42 +0,0 @@ -From 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 Mon Sep 17 00:00:00 2001 -From: Mohamed Ghannam <simo.ghan...@gmail.com> -Date: Tue, 5 Dec 2017 20:58:35 +0000 -Subject: [PATCH] dccp: CVE-2017-8824: use-after-free in DCCP code - -Whenever the sock object is in DCCP_CLOSED state, -dccp_disconnect() must free dccps_hc_tx_ccid and -dccps_hc_rx_ccid and set to NULL. - -Signed-off-by: Mohamed Ghannam <simo.ghan...@gmail.com> -Reviewed-by: Eric Dumazet <eduma...@google.com> -Signed-off-by: David S. Miller <da...@davemloft.net> ---- - net/dccp/proto.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/net/dccp/proto.c b/net/dccp/proto.c -index b68168fcc06a..9d43c1f40274 100644 ---- a/net/dccp/proto.c -+++ b/net/dccp/proto.c -@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags) - { - struct inet_connection_sock *icsk = inet_csk(sk); - struct inet_sock *inet = inet_sk(sk); -+ struct dccp_sock *dp = dccp_sk(sk); - int err = 0; - const int old_state = sk->sk_state; - -@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags) - sk->sk_err = ECONNRESET; - - dccp_clear_xmit_timers(sk); -+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); -+ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); -+ dp->dccps_hc_rx_ccid = NULL; -+ dp->dccps_hc_tx_ccid = NULL; - - __skb_queue_purge(&sk->sk_receive_queue); - __skb_queue_purge(&sk->sk_write_queue); --- -2.15.1 - Deleted: xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch =================================================================== --- xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch 2018-02-08 10:29:06 UTC (rev 290250) +++ xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch 2018-02-08 10:29:43 UTC (rev 290251) @@ -1,53 +0,0 @@ -From patchwork Fri Dec 22 09:44:57 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [4/8] xfrm: Fix stack-out-of-bounds read on socket policy lookup. -X-Patchwork-Submitter: Steffen Klassert <steffen.klass...@secunet.com> -X-Patchwork-Id: 852277 -X-Patchwork-Delegate: da...@davemloft.net -Message-Id: <20171222094501.23345-5-steffen.klass...@secunet.com> -To: David Miller <da...@davemloft.net> -Cc: Herbert Xu <herb...@gondor.apana.org.au>, - Steffen Klassert <steffen.klass...@secunet.com>, <net...@vger.kernel.org> -Date: Fri, 22 Dec 2017 10:44:57 +0100 -From: Steffen Klassert <steffen.klass...@secunet.com> -List-Id: <netdev.vger.kernel.org> - -When we do tunnel or beet mode, we pass saddr and daddr from the -template to xfrm_state_find(), this is ok. On transport mode, -we pass the addresses from the flowi, assuming that the IP -addresses (and address family) don't change during transformation. -This assumption is wrong in the IPv4 mapped IPv6 case, packet -is IPv4 and template is IPv6. - -Fix this by catching address family missmatches of the policy -and the flow already before we do the lookup. - -Reported-by: syzbot <syzkal...@googlegroups.com> -Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> ---- - net/xfrm/xfrm_policy.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c -index 9542975eb2f9..038ec68f6901 100644 ---- a/net/xfrm/xfrm_policy.c -+++ b/net/xfrm/xfrm_policy.c -@@ -1168,9 +1168,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, - again: - pol = rcu_dereference(sk->sk_policy[dir]); - if (pol != NULL) { -- bool match = xfrm_selector_match(&pol->selector, fl, family); -+ bool match; - int err = 0; - -+ if (pol->family != family) { -+ pol = NULL; -+ goto out; -+ } -+ -+ match = xfrm_selector_match(&pol->selector, fl, family); - if (match) { - if ((sk->sk_mark & pol->mark.m) != pol->mark.v) { - pol = NULL;