[kernel/f20] CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618)
Josh Boyer
jwboyer at fedoraproject.org
Mon Mar 3 18:23:05 UTC 2014
commit ac17eece096e6e98db14ee08e04d733b2851c0da
Author: Josh Boyer <jwboyer at redhat.com>
Date: Mon Mar 3 13:23:11 2014 -0500
CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618)
kernel.spec | 7 +++++++
...or-a-race-condition-in-the-inet-frag-code.patch | 19 +++++++++++++++++++
2 files changed, 26 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index f6e4d4f..48af0f0 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -779,6 +779,9 @@ Patch25029: audit-don-t-generate-loginuid-log-when-audit-disable.patch
#CVE-2014-0101 rhbz 1072029 1070705
Patch25030: net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
+#CVE-2014-0100 rhbz 1072026 1070618
+Patch25031: net-fix-for-a-race-condition-in-the-inet-frag-code.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1514,6 +1517,9 @@ ApplyPatch audit-don-t-generate-loginuid-log-when-audit-disable.patch
#CVE-2014-0101 rhbz 1072029 1070705
ApplyPatch net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
+#CVE-2014-0100 rhbz 1072026 1070618
+ApplyPatch net-fix-for-a-race-condition-in-the-inet-frag-code.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2326,6 +2332,7 @@ fi
# || ||
%changelog
* Mon Mar 03 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618)
- CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
- Fix overly verbose audit logs (rhbz 1066064)
diff --git a/net-fix-for-a-race-condition-in-the-inet-frag-code.patch b/net-fix-for-a-race-condition-in-the-inet-frag-code.patch
new file mode 100644
index 0000000..1b064f9
--- /dev/null
+++ b/net-fix-for-a-race-condition-in-the-inet-frag-code.patch
@@ -0,0 +1,19 @@
+Bugzilla: 1070618
+Upstream-status: submitted http://patchwork.ozlabs.org/patch/325844/
+
+diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
+index bb075fc9a14f..322dcebfc588 100644
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -278,9 +278,10 @@ static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf,
+
+ atomic_inc(&qp->refcnt);
+ hlist_add_head(&qp->list, &hb->chain);
++ inet_frag_lru_add(nf, qp);
+ spin_unlock(&hb->chain_lock);
+ read_unlock(&f->lock);
+- inet_frag_lru_add(nf, qp);
++
+ return qp;
+ }
+
More information about the scm-commits
mailing list