Please cherry-pick 5edabca9d4cf (CVE-2017-6074) for all stable kernels

Please cherry-pick 5edabca9d4cf (CVE-2017-6074) for all stable kernels

[Thomas Deutschmann]

[-- Attachment #1.1: Type: text/plain, Size: 1378 bytes --]

Hi,

haven't seen commit

> From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
> From: Andrey Konovalov <andreyknvl@google.com>
> Date: Thu, 16 Feb 2017 17:22:46 +0100
> Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
> 
> In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
> is forcibly freed via __kfree_skb in dccp_rcv_state_process if
> dccp_v6_conn_request successfully returns.
> 
> However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
> is saved to ireq->pktopts and the ref count for skb is incremented in
> dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
> in dccp_rcv_state_process.
> 
> Fix by calling consume_skb instead of doing goto discard and therefore
> calling __kfree_skb.
> 
> Similar fixes for TCP:
> 
> fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
> 0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
> simply consumed
> 
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> Acked-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>

in recent LTS kernel releases (3.2.85, 3.16.40, 4.4.51, 4.9.12...) nor
found any information that this patch is queued.

Could you please cherry-pick?

Thanks!


-- 
Regards,
Thomas



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 951 bytes --]

Re: Please cherry-pick 5edabca9d4cf (CVE-2017-6074) for all stable kernels,Please cherry-pick 5edabca9d4cf (CVE-2017-6074) for all stable kernels

[David Miller]

From: Thomas Deutschmann <whissi@gentoo.org>
Date: Thu, 23 Feb 2017 18:35:04 +0100

> Hi,
> 
> haven't seen commit
> 
>> From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
>> From: Andrey Konovalov <andreyknvl@google.com>
>> Date: Thu, 16 Feb 2017 17:22:46 +0100
>> Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
>> 
>> In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
>> is forcibly freed via __kfree_skb in dccp_rcv_state_process if
>> dccp_v6_conn_request successfully returns.
>> 
>> However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
>> is saved to ireq->pktopts and the ref count for skb is incremented in
>> dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
>> in dccp_rcv_state_process.
>> 
>> Fix by calling consume_skb instead of doing goto discard and therefore
>> calling __kfree_skb.
>> 
>> Similar fixes for TCP:
>> 
>> fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
>> 0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
>> simply consumed
>> 
>> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
>> Acked-by: Eric Dumazet <edumazet@google.com>
>> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> in recent LTS kernel releases (3.2.85, 3.16.40, 4.4.51, 4.9.12...) nor
> found any information that this patch is queued.
> 
> Could you please cherry-pick?

Please be patient.  I do -stable submissions every one or two weeks, and
if you see it listed at:

	http://patchwork.ozlabs.org/bundle/davem/stable/?submitter=&state=*&q=&archive=

Then I have it queued up and you don't need to ask if it will be sent or
not.

Thank you.

Re: Please cherry-pick 5edabca9d4cf (CVE-2017-6074) for all stable kernels

[Greg KH]

On Thu, Feb 23, 2017 at 06:35:04PM +0100, Thomas Deutschmann wrote:
> Hi,
> 
> haven't seen commit
> 
> > From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
> > From: Andrey Konovalov <andreyknvl@google.com>
> > Date: Thu, 16 Feb 2017 17:22:46 +0100
> > Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
> > 
> > In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
> > is forcibly freed via __kfree_skb in dccp_rcv_state_process if
> > dccp_v6_conn_request successfully returns.
> > 
> > However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
> > is saved to ireq->pktopts and the ref count for skb is incremented in
> > dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
> > in dccp_rcv_state_process.
> > 
> > Fix by calling consume_skb instead of doing goto discard and therefore
> > calling __kfree_skb.
> > 
> > Similar fixes for TCP:
> > 
> > fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
> > 0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
> > simply consumed
> > 
> > Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> > Acked-by: Eric Dumazet <edumazet@google.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> in recent LTS kernel releases (3.2.85, 3.16.40, 4.4.51, 4.9.12...) nor
> found any information that this patch is queued.

That's because it was released after those kernels were under review :)

Also, networking patches for stable trees come from the networking
maintainer, you can always check:
	http://patchwork.ozlabs.org/bundle/davem/stable/?submitter=&state=*&q=&archive=

to see what has been marked to be sent for stable kernels.

Hope this helps,

greg k-h