diff options
author | Joakim Hernberg <jhernberg@alchemy.lu> | 2017-02-25 21:31:30 +0100 |
---|---|---|
committer | Joakim Hernberg <jhernberg@alchemy.lu> | 2017-02-25 21:31:30 +0100 |
commit | 9874d9c549b10829ddc50817097629f7655daa3f (patch) | |
tree | e8d54b37ece65046ec5c8d00a7bf4e64cebfac3b | |
parent | dd88cbac9f2d0d7995b3c5b70212fada311d2249 (diff) |
bump to 4.4.47_rt59-2 and patch CVE-2017-6074
-rw-r--r-- | .SRCINFO | 6 | ||||
-rw-r--r-- | 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch | 46 | ||||
-rw-r--r-- | PKGBUILD | 10 |
3 files changed, 58 insertions, 4 deletions
@@ -1,8 +1,8 @@ # Generated by makepkg 5.0.1 -# Thu Feb 16 17:36:40 UTC 2017 +# Sat Feb 25 20:30:20 UTC 2017 pkgbase = linux-rt-lts pkgver = 4.4.47_rt59 - pkgrel = 1 + pkgrel = 2 url = https://www.kernel.org/ arch = i686 arch = x86_64 @@ -26,6 +26,7 @@ pkgbase = linux-rt-lts source = change-default-console-loglevel.patch source = fix-race-in-PRT-wait-for-completion-simple-wait-code_Nvidia-RT-160319.patch source = 0001-fix-rt_mutex.patch + source = 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E validpgpkeys = 64254695FFF0AA4466CC19E67B96E8162A8CF5D1 @@ -44,6 +45,7 @@ pkgbase = linux-rt-lts sha256sums = 1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99 sha256sums = 85f7612edfa129210343d6a4fe4ba2a4ac3542d98b7e28c8896738e7e6541c06 sha256sums = 785960e97b6054274814a2354f84ccd64c0c01485761d3a3a82a4458bd7ad021 + sha256sums = ab22d941388440ee7da44535305f535cb5a2abc4151289757f5753b13ebd78e8 pkgname = linux-rt-lts pkgdesc = The Linux-rt-lts kernel and modules diff --git a/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch new file mode 100644 index 0000000..25bd679 --- /dev/null +++ b/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch @@ -0,0 +1,46 @@ +From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov <andreyknvl@google.com> +Date: Thu, 16 Feb 2017 17:22:46 +0100 +Subject: [PATCH] dccp: fix freeing skb too early for IPV6_RECVPKTINFO + +In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet +is forcibly freed via __kfree_skb in dccp_rcv_state_process if +dccp_v6_conn_request successfully returns. + +However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb +is saved to ireq->pktopts and the ref count for skb is incremented in +dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed +in dccp_rcv_state_process. + +Fix by calling consume_skb instead of doing goto discard and therefore +calling __kfree_skb. + +Similar fixes for TCP: + +fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. +0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now +simply consumed + +Signed-off-by: Andrey Konovalov <andreyknvl@google.com> +Acked-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/dccp/input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/dccp/input.c b/net/dccp/input.c +index ba347184bda9b3fe..8fedc2d497709b3d 100644 +--- a/net/dccp/input.c ++++ b/net/dccp/input.c +@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, + if (inet_csk(sk)->icsk_af_ops->conn_request(sk, + skb) < 0) + return 1; +- goto discard; ++ consume_skb(skb); ++ return 0; + } + if (dh->dccph_type == DCCP_PKT_RESET) + goto discard; +-- +2.11.1 @@ -10,7 +10,7 @@ _srcname=linux-4.4 _pkgver=4.4.47 _rtpatchver=rt59 pkgver=${_pkgver}_${_rtpatchver} -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url="https://www.kernel.org/" license=('GPL2') @@ -31,6 +31,7 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz" 'change-default-console-loglevel.patch' 'fix-race-in-PRT-wait-for-completion-simple-wait-code_Nvidia-RT-160319.patch' '0001-fix-rt_mutex.patch' + '0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch' ) sha256sums=('401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2' @@ -45,7 +46,8 @@ sha256sums=('401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2' 'a8886f2c9896f81f59cf0413b3e380cda2fbdc667eb9ce8dfcb0fceb6d92279f' '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' '85f7612edfa129210343d6a4fe4ba2a4ac3542d98b7e28c8896738e7e6541c06' - '785960e97b6054274814a2354f84ccd64c0c01485761d3a3a82a4458bd7ad021') + '785960e97b6054274814a2354f84ccd64c0c01485761d3a3a82a4458bd7ad021' + 'ab22d941388440ee7da44535305f535cb5a2abc4151289757f5753b13ebd78e8') validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman @@ -81,6 +83,10 @@ prepare() { msg "0001-fix-rt_mutex.patch" patch -p1 -i "${srcdir}/0001-fix-rt_mutex.patch" + + # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074 + msg "applying 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch" + patch -p1 -i "${srcdir}/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch" msg "All patches have successfully been applied" |