From 5590d516e5d8c7c1066f28e84d91d861e250a42c Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Fri, 12 Oct 2018 09:48:18 +0200 Subject: dccp: CVE-2018-1130 dccp: check sk for closed state in dccp_sendmsg() References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f93df79aeefc3add4e4b31a752600f834236e2 Change-Id: I6e24e1a00265f2fa6fea3f50dd1c4cef92d5b27a Signed-off-by: Andreas Wellving --- patches/cve/4.9.x.scc | 3 ++ ...check-sk-for-closed-state-in-dccp_sendmsg.patch | 44 ++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 patches/cve/CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index d1e56d9..3fa8213 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc @@ -8,3 +8,6 @@ patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch #CVEs fixed in 4.9.89: patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch + +#CVEs fixed in 4.9.92: +patch CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch diff --git a/patches/cve/CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch b/patches/cve/CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch new file mode 100644 index 0000000..3af30fc --- /dev/null +++ b/patches/cve/CVE-2018-1130-dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch 
@@ -0,0 +1,44 @@ +From 67f93df79aeefc3add4e4b31a752600f834236e2 Mon Sep 17 00:00:00 2001 +From: Alexey Kodanev +Date: Tue, 6 Mar 2018 22:57:01 +0300 +Subject: [PATCH] dccp: check sk for closed state in dccp_sendmsg() + +dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL, +therefore if DCCP socket is disconnected and dccp_sendmsg() is +called after it, it will cause a NULL pointer dereference in +dccp_write_xmit(). + +This crash and the reproducer was reported by syzbot. Looks like +it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824: +use-after-free in DCCP code") is applied. + +CVE: CVE-2018-1130 +Upstream-Status: Backport + +Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com +Signed-off-by: Alexey Kodanev +Signed-off-by: David S. Miller +Signed-off-by: Andreas Wellving +--- + net/dccp/proto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/dccp/proto.c b/net/dccp/proto.c +index 15bdc00..84cd4e3 100644 +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -794,6 +794,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + if (skb == NULL) + goto out_release; + ++ if (sk->sk_state == DCCP_CLOSED) { ++ rc = -ENOTCONN; ++ goto out_discard; ++ } ++ + skb_reserve(skb, sk->sk_prot->max_header); + rc = memcpy_from_msg(skb_put(skb, len), msg, len); + if (rc != 0) +-- + + -- cgit v1.2.3-54-g00ecf
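Review bot: the new `#CVEs fixed in 4.9.92:` comment in patches/cve/4.9.x.scc asserts a stable release that nothing else in this commit documents; the outer commit's References line points only at the mainline commit 67f93df79aee (and the inner patch header carries the same mainline id with `Upstream-Status: Backport`). Either add the 4.9.92 stable commit id to the References line, or word the .scc comment so it does not claim a release the backport does not cite, so that the entry can be removed with confidence when the layer moves to a kernel that already contains the fix.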
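Review bot: the `sk->sk_state == DCCP_CLOSED` check in the net/dccp/proto.c hunk is deliberately placed after `if (skb == NULL) goto out_release;`, i.e. after the skb allocation returns, but the hunk carries no comment explaining that ordering; add a one-line comment such as `/* dccp_disconnect() may have run while we allocated */` so a later cleanup does not hoist the check above the allocation, which would reopen the dccp_write_xmit() NULL dereference that the commit message describes. The hunk also relies on the `out_discard` label releasing the freshly allocated skb before falling through to the `out_release` cleanup; that label is outside the shown context, so whoever merges this into the 4.9 tree should confirm out_discard there does kfree_skb(skb), otherwise the new -ENOTCONN path leaks one skb per call on a closed socket.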