Date: Thursday, February 8, 2018 @ 10:29:43
  Author: anthraxx
Revision: 290251

upgpkg: linux-hardened 4.15.1.a-1

Deleted:
  linux-hardened/trunk/CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
  linux-hardened/trunk/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch

-----------------------------------------------------------------+
 CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch            |   42 -------
 xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch |   53 ----------
 2 files changed, 95 deletions(-)

Deleted: CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
===================================================================
--- CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch        2018-02-08 
10:29:06 UTC (rev 290250)
+++ CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch        2018-02-08 
10:29:43 UTC (rev 290251)
@@ -1,42 +0,0 @@
-From 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 Mon Sep 17 00:00:00 2001
-From: Mohamed Ghannam <simo.ghan...@gmail.com>
-Date: Tue, 5 Dec 2017 20:58:35 +0000
-Subject: [PATCH] dccp: CVE-2017-8824: use-after-free in DCCP code
-
-Whenever the sock object is in DCCP_CLOSED state,
-dccp_disconnect() must free dccps_hc_tx_ccid and
-dccps_hc_rx_ccid and set to NULL.
-
-Signed-off-by: Mohamed Ghannam <simo.ghan...@gmail.com>
-Reviewed-by: Eric Dumazet <eduma...@google.com>
-Signed-off-by: David S. Miller <da...@davemloft.net>
----
- net/dccp/proto.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/net/dccp/proto.c b/net/dccp/proto.c
-index b68168fcc06a..9d43c1f40274 100644
---- a/net/dccp/proto.c
-+++ b/net/dccp/proto.c
-@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
- {
-       struct inet_connection_sock *icsk = inet_csk(sk);
-       struct inet_sock *inet = inet_sk(sk);
-+      struct dccp_sock *dp = dccp_sk(sk);
-       int err = 0;
-       const int old_state = sk->sk_state;
- 
-@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
-               sk->sk_err = ECONNRESET;
- 
-       dccp_clear_xmit_timers(sk);
-+      ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
-+      ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
-+      dp->dccps_hc_rx_ccid = NULL;
-+      dp->dccps_hc_tx_ccid = NULL;
- 
-       __skb_queue_purge(&sk->sk_receive_queue);
-       __skb_queue_purge(&sk->sk_write_queue);
--- 
-2.15.1
-
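
Review bot: The commit message "upgpkg: linux-hardened 4.15.1.a-1" gives no reason for dropping a CVE fix, and this hunk removes the whole backport of 69c64866ce072dea1d1e59a0d61e0f66c0dffb76, including the lines in dccp_disconnect() that delete dccps_hc_rx_ccid and dccps_hc_tx_ccid and set both to NULL. Please state in the message that the new base already contains that commit, so the removal of the CVE-2017-8824 fix can be audited from the log alone. The change set lists only the two deleted files, so also confirm that the PKGBUILD source array and checksums no longer reference this patch.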

Deleted: xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
===================================================================
--- xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch     
2018-02-08 10:29:06 UTC (rev 290250)
+++ xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch     
2018-02-08 10:29:43 UTC (rev 290251)
@@ -1,53 +0,0 @@
-From patchwork Fri Dec 22 09:44:57 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [4/8] xfrm: Fix stack-out-of-bounds read on socket policy lookup.
-X-Patchwork-Submitter: Steffen Klassert <steffen.klass...@secunet.com>
-X-Patchwork-Id: 852277
-X-Patchwork-Delegate: da...@davemloft.net
-Message-Id: <20171222094501.23345-5-steffen.klass...@secunet.com>
-To: David Miller <da...@davemloft.net>
-Cc: Herbert Xu <herb...@gondor.apana.org.au>,
- Steffen Klassert <steffen.klass...@secunet.com>, <net...@vger.kernel.org>
-Date: Fri, 22 Dec 2017 10:44:57 +0100
-From: Steffen Klassert <steffen.klass...@secunet.com>
-List-Id: <netdev.vger.kernel.org>
-
-When we do tunnel or beet mode, we pass saddr and daddr from the
-template to xfrm_state_find(), this is ok. On transport mode,
-we pass the addresses from the flowi, assuming that the IP
-addresses (and address family) don't change during transformation.
-This assumption is wrong in the IPv4 mapped IPv6 case, packet
-is IPv4 and template is IPv6.
-
-Fix this by catching address family missmatches of the policy
-and the flow already before we do the lookup.
-
-Reported-by: syzbot <syzkal...@googlegroups.com>
-Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
----
- net/xfrm/xfrm_policy.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 9542975eb2f9..038ec68f6901 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -1168,9 +1168,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const 
struct sock *sk, int dir,
-  again:
-       pol = rcu_dereference(sk->sk_policy[dir]);
-       if (pol != NULL) {
--              bool match = xfrm_selector_match(&pol->selector, fl, family);
-+              bool match;
-               int err = 0;
- 
-+              if (pol->family != family) {
-+                      pol = NULL;
-+                      goto out;
-+              }
-+
-+              match = xfrm_selector_match(&pol->selector, fl, family);
-               if (match) {
-                       if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
-                               pol = NULL;
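
Review bot: Unlike the DCCP patch, this deleted file has no upstream commit hash in its header, only "From patchwork" and X-Patchwork-Id: 852277, so nothing visible here lets a reader verify that the pol->family != family check before xfrm_selector_match() is present in the 4.15.1 base. Please name the upstream commit that carries this fix in the commit message, or keep the patch until that is confirmed. The fix has no CVE identifier in its file name, which makes an unexplained removal of this out-of-bounds read fix easy to miss in later audits.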
