diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-12 09:48:18 +0200 |
|---|---|---|
| committer | Adrian Dudau <Adrian.Dudau@enea.com> | 2018-10-16 17:34:03 +0200 |
| commit | 5590d516e5d8c7c1066f28e84d91d861e250a42c (patch) | |
| tree | 32384a5f770e7e559798b9421da54db8db4f3ae0 | |
| parent | f5798658fff6a3ec63e829612c0c8471d894ebeb (diff) | |
| download | enea-kernel-cache-5590d516e5d8c7c1066f28e84d91d861e250a42c.tar.gz | |
dccp: CVE-2018-1130
dccp: check sk for closed state in dccp_sendmsg()
References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f93df79aeefc3add4e4b31a752600f834236e2
Change-Id: I6e24e1a00265f2fa6fea3f50dd1c4cef92d5b27a
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch | 44 |
2 files changed, 47 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index d1e56d9..3fa8213 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
| @@ -8,3 +8,6 @@ patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch | |||
| 8 | 8 | ||
| 9 | #CVEs fixed in 4.9.89: | 9 | #CVEs fixed in 4.9.89: |
| 10 | patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch | 10 | patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch |
| 11 | |||
| 12 | #CVEs fixed in 4.9.92: | ||
| 13 | patch CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch | ||
diff --git a/patches/cve/CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch b/patches/cve/CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch new file mode 100644 index 0000000..3af30fc --- /dev/null +++ b/patches/cve/CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch | |||
| @@ -0,0 +1,44 @@ | |||
| 1 | From 67f93df79aeefc3add4e4b31a752600f834236e2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alexey Kodanev <alexey.kodanev@oracle.com> | ||
| 3 | Date: Tue, 6 Mar 2018 22:57:01 +0300 | ||
| 4 | Subject: [PATCH] dccp: check sk for closed state in dccp_sendmsg() | ||
| 5 | |||
| 6 | dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL, | ||
| 7 | therefore if DCCP socket is disconnected and dccp_sendmsg() is | ||
| 8 | called after it, it will cause a NULL pointer dereference in | ||
| 9 | dccp_write_xmit(). | ||
| 10 | |||
| 11 | This crash and the reproducer was reported by syzbot. Looks like | ||
| 12 | it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824: | ||
| 13 | use-after-free in DCCP code") is applied. | ||
| 14 | |||
| 15 | CVE: CVE-2018-1130 | ||
| 16 | Upstream-Status: Backport | ||
| 17 | |||
| 18 | Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com | ||
| 19 | Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> | ||
| 20 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 21 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 22 | --- | ||
| 23 | net/dccp/proto.c | 5 +++++ | ||
| 24 | 1 file changed, 5 insertions(+) | ||
| 25 | |||
| 26 | diff --git a/net/dccp/proto.c b/net/dccp/proto.c | ||
| 27 | index 15bdc00..84cd4e3 100644 | ||
| 28 | --- a/net/dccp/proto.c | ||
| 29 | +++ b/net/dccp/proto.c | ||
| 30 | @@ -794,6 +794,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) | ||
| 31 | if (skb == NULL) | ||
| 32 | goto out_release; | ||
| 33 | |||
| 34 | + if (sk->sk_state == DCCP_CLOSED) { | ||
| 35 | + rc = -ENOTCONN; | ||
| 36 | + goto out_discard; | ||
| 37 | + } | ||
| 38 | + | ||
| 39 | skb_reserve(skb, sk->sk_prot->max_header); | ||
| 40 | rc = memcpy_from_msg(skb_put(skb, len), msg, len); | ||
| 41 | if (rc != 0) | ||
| 42 | -- | ||
| 43 | |||
| 44 | |||