ping: implement proper locking (CVE-2017-2671)

Salvatore Bonaccorso 2017-04-08 09:16:56 +02:00
parent ca91ae2eb7
commit 43f7156d3a
3 changed files with 59 additions and 0 deletions

debian/changelog vendored

@ -1,5 +1,6 @@
linux (4.9.18-2) UNRELEASED; urgency=medium
[ Ben Hutchings ]
* w1: Really enable W1_MASTER_GPIO as module (Closes: #858975)
* debian/rules.real: Undefine $LANGUAGE, which can break debug symbols for
vDSOs (Closes: #859807)
@ -10,6 +11,9 @@ linux (4.9.18-2) UNRELEASED; urgency=medium
* drm/nouveau/disp/mcp7x: disable dptmds workaround (Closes: #850219)
* [powerpc/powerpc64,ppc64*] target: Enable SCSI_IBMVSCSIS as module
[ Salvatore Bonaccorso ]
* ping: implement proper locking (CVE-2017-2671)
-- Ben Hutchings <ben@decadent.org.uk> Thu, 30 Mar 2017 18:27:30 +0100
linux (4.9.18-1) unstable; urgency=medium


@ -0,0 +1,54 @@
From: Eric Dumazet <edumazet@google.com>
Date: Fri, 24 Mar 2017 19:36:13 -0700
Subject: ping: implement proper locking
Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671
We got a report of yet another bug in ping
http://www.openwall.com/lists/oss-security/2017/03/24/6
->disconnect() is not called with socket lock held.
Fix this by acquiring ping rwlock earlier.
Thanks to Daniel, Alexander and Andrey for letting us know this problem.
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
Reported-by: Solar Designer <solar@openwall.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv4/ping.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 2af6244b83e2..ccfbce13a633 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
void ping_unhash(struct sock *sk)
{
struct inet_sock *isk = inet_sk(sk);
+
pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
+ write_lock_bh(&ping_table.lock);
if (sk_hashed(sk)) {
- write_lock_bh(&ping_table.lock);
hlist_nulls_del(&sk->sk_nulls_node);
sk_nulls_node_init(&sk->sk_nulls_node);
sock_put(sk);
isk->inet_num = 0;
isk->inet_sport = 0;
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
- write_unlock_bh(&ping_table.lock);
}
+ write_unlock_bh(&ping_table.lock);
}
EXPORT_SYMBOL_GPL(ping_unhash);
--
2.11.0
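Review bot: The patch description says only that ->disconnect() runs without the socket lock held; it does not say what that allowed in ping_unhash(), where the old code tested sk_hashed(sk) before taking write_lock_bh(&ping_table.lock). With that ordering two concurrent callers could both pass the test and each run hlist_nulls_del() and sock_put() on the same socket. A sentence to that effect in the header, or a short comment above the new write_lock_bh() line, would make clear that the sk_hashed() check has to stay inside the locked region. The pr_debug() call also still reads isk->inet_num before the lock is taken; that only affects debug output, but it could move below write_lock_bh() for consistency.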


@ -130,6 +130,7 @@ bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
bugfix/all/ping-implement-proper-locking.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch