Re: Fixing CVE-2017-16939 in v4.4.y and possibly v3.18.y

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Guenter Roeck <linux@roeck-us.net>
Cc: Michal Kubecek <mkubecek@suse.cz>,
	netdev@vger.kernel.org, stable@vger.kernel.org
Subject: Re: Fixing CVE-2017-16939 in v4.4.y and possibly v3.18.y
Date: Mon, 4 Dec 2017 13:05:56 +0100	[thread overview]
Message-ID: <20171204120556.GA4478@kroah.com> (raw)
In-Reply-To: <4ac5fb52-28f9-7111-483d-f010b093d923@roeck-us.net>

On Sat, Dec 02, 2017 at 04:20:40PM -0800, Guenter Roeck wrote:
> On 12/01/2017 11:48 AM, Michal Kubecek wrote:
> > On Thu, Nov 30, 2017 at 10:37:40AM -0800, Guenter Roeck wrote:
> > > Hi,
> > > 
> > > The fix for CVE-2017-16939 has been applied to v4.9.y, but not to v4.4.y
> > > and older kernels. However, I confirmed that running the published POC
> > > (see https://blogs.securiteam.com/index.php/archives/3535) does crash a 4.4
> > > kernel.
> > > 
> > > I confirmed that the following two patches fix the problem in v4.4.y.
> > > Please consider applying them to v4.4.y (and possibly v3.18.y).
> > > 
> > > fc9e50f5a5a4e ("netlink: add a start callback for starting a netlink dump")
> > > 1137b5e2529a8 ("ipsec: Fix aborted xfrm policy dump crash")
> > > 
> > > My apologies for the noise if this is already under consideration.
> > 
> > It's a bit too big hammer. As Nicolai Stange noticed when we were
> 
> The hammer is just as big as the upstream hammer. Personally I prefer the
> upstream patch; I don't see a reason to deviate from upstream just because
> the upstream solution is more complex than necessary.
> 
> > handling this for SLE12 (where fc9e50f5a5a4e would break kABI), it's
> 
> I didn't know that this is even a concern for stable releases. Is there
> some guideline that kABI changes should be avoided in stable releases ?

Nope, for now I don't care about kABI changes in stable releases.  I'd
almost always prefer to take the upstream patches exactly as-is.

thanks,

greg k-h

     prev parent reply	other threads:[~2017-12-04 12:05 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-30 18:37 Fixing CVE-2017-16939 in v4.4.y and possibly v3.18.y Guenter Roeck
2017-12-01 15:09 ` Greg Kroah-Hartman
2017-12-01 19:48 ` Michal Kubecek
2017-12-03  0:20   ` Guenter Roeck
2017-12-03  0:44     ` Michal Kubecek
2017-12-04 12:05     ` Greg Kroah-Hartman [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171204120556.GA4478@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=linux@roeck-us.net \
    --cc=mkubecek@suse.cz \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.