ping: implement proper locking (CVE-2017-2671)
parent
ca91ae2eb7
commit
43f7156d3a
|
@ -1,5 +1,6 @@
|
|||
linux (4.9.18-2) UNRELEASED; urgency=medium
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* w1: Really enable W1_MASTER_GPIO as module (Closes: #858975)
|
||||
* debian/rules.real: Undefine $LANGUAGE, which can break debug symbols for
|
||||
vDSOs (Closes: #859807)
|
||||
|
@ -10,6 +11,9 @@ linux (4.9.18-2) UNRELEASED; urgency=medium
|
|||
* drm/nouveau/disp/mcp7x: disable dptmds workaround (Closes: #850219)
|
||||
* [powerpc/powerpc64,ppc64*] target: Enable SCSI_IBMVSCSIS as module
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* ping: implement proper locking (CVE-2017-2671)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Thu, 30 Mar 2017 18:27:30 +0100
|
||||
|
||||
linux (4.9.18-1) unstable; urgency=medium
|
||||
|
|
|
@ -0,0 +1,54 @@
|
|||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Fri, 24 Mar 2017 19:36:13 -0700
|
||||
Subject: ping: implement proper locking
|
||||
Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671
|
||||
|
||||
We got a report of yet another bug in ping
|
||||
|
||||
http://www.openwall.com/lists/oss-security/2017/03/24/6
|
||||
|
||||
->disconnect() is not called with socket lock held.
|
||||
|
||||
Fix this by acquiring ping rwlock earlier.
|
||||
|
||||
Thanks to Daniel, Alexander and Andrey for letting us know this problem.
|
||||
|
||||
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
|
||||
Reported-by: Solar Designer <solar@openwall.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv4/ping.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
|
||||
index 2af6244b83e2..ccfbce13a633 100644
|
||||
--- a/net/ipv4/ping.c
|
||||
+++ b/net/ipv4/ping.c
|
||||
@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
|
||||
void ping_unhash(struct sock *sk)
|
||||
{
|
||||
struct inet_sock *isk = inet_sk(sk);
|
||||
+
|
||||
pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
|
||||
+ write_lock_bh(&ping_table.lock);
|
||||
if (sk_hashed(sk)) {
|
||||
- write_lock_bh(&ping_table.lock);
|
||||
hlist_nulls_del(&sk->sk_nulls_node);
|
||||
sk_nulls_node_init(&sk->sk_nulls_node);
|
||||
sock_put(sk);
|
||||
isk->inet_num = 0;
|
||||
isk->inet_sport = 0;
|
||||
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
|
||||
- write_unlock_bh(&ping_table.lock);
|
||||
}
|
||||
+ write_unlock_bh(&ping_table.lock);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(ping_unhash);
|
||||
|
||||
--
|
||||
2.11.0
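Review bot: Nothing in `ping_unhash()` records why `write_lock_bh(&ping_table.lock)` now has to precede the `sk_hashed(sk)` test, so a later cleanup could move the lock back inside the branch and reintroduce the unlocked check-then-unlink. I would add a comment directly above the lock, for example `/* Hold ping_table.lock across the sk_hashed() test and the unlink: ->disconnect() can reach here without the socket lock held. */`. Without the lock, two callers could presumably both see the socket as hashed and both run `hlist_nulls_del()` and `sock_put()`; this is inferred from the commit message rather than shown in the hunk. The `pr_debug()` above the lock still reads `isk->inet_num` unlocked, which looks acceptable for a debug message but is worth a brief note as well.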
|
||||
|
|
@ -130,6 +130,7 @@ bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
|
|||
bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
|
||||
bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
|
||||
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
|
||||
bugfix/all/ping-implement-proper-locking.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|