[kernel/f20] CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618)

Josh Boyer jwboyer at fedoraproject.org
Mon Mar 3 18:23:05 UTC 2014


commit ac17eece096e6e98db14ee08e04d733b2851c0da
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Mon Mar 3 13:23:11 2014 -0500

    CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618)

 kernel.spec                                        |    7 +++++++
 ...or-a-race-condition-in-the-inet-frag-code.patch |   19 +++++++++++++++++++
 2 files changed, 26 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index f6e4d4f..48af0f0 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -779,6 +779,9 @@ Patch25029: audit-don-t-generate-loginuid-log-when-audit-disable.patch
 #CVE-2014-0101 rhbz 1072029 1070705
 Patch25030: net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
 
+#CVE-2014-0100 rhbz 1072026 1070618
+Patch25031: net-fix-for-a-race-condition-in-the-inet-frag-code.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
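Review bot: The comment above Patch25031 records the CVE and bug numbers but not that the fix is only submitted upstream, which the patch file's own Upstream-status line states. A short marker on this comment, for example "submitted upstream", would flag the patch to be rechecked against whatever version is finally merged when the package is next rebased.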
@@ -1514,6 +1517,9 @@ ApplyPatch audit-don-t-generate-loginuid-log-when-audit-disable.patch
 #CVE-2014-0101 rhbz 1072029 1070705
 ApplyPatch net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
 
+#CVE-2014-0100 rhbz 1072026 1070618
+ApplyPatch net-fix-for-a-race-condition-in-the-inet-frag-code.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2326,6 +2332,7 @@ fi
 #                 ||     ||
 %changelog
 * Mon Mar 03 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618)
 - CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
 - Fix overly verbose audit logs (rhbz 1066064)
 
diff --git a/net-fix-for-a-race-condition-in-the-inet-frag-code.patch b/net-fix-for-a-race-condition-in-the-inet-frag-code.patch
new file mode 100644
index 0000000..1b064f9
--- /dev/null
+++ b/net-fix-for-a-race-condition-in-the-inet-frag-code.patch
@@ -0,0 +1,19 @@
+Bugzilla: 1070618
+Upstream-status: submitted http://patchwork.ozlabs.org/patch/325844/
+
+diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
+index bb075fc9a14f..322dcebfc588 100644
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -278,9 +278,10 @@ static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf,
+ 
+ 	atomic_inc(&qp->refcnt);
+ 	hlist_add_head(&qp->list, &hb->chain);
++	inet_frag_lru_add(nf, qp);
+ 	spin_unlock(&hb->chain_lock);
+ 	read_unlock(&f->lock);
+-	inet_frag_lru_add(nf, qp);
++
+ 	return qp;
+ }
+ 
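Review bot: With inet_frag_lru_add(nf, qp) moved above spin_unlock(&hb->chain_lock), any lock that function takes internally now nests inside hb->chain_lock and the f->lock read lock. Confirm that no other path acquires them in the opposite order, and say so in the patch description. The patch file also carries no description of the race, only the Bugzilla and Upstream-status lines; including the upstream commit message would explain why the LRU insertion has to complete before the chain lock is dropped, since hlist_add_head has already made qp reachable from the hash chain at that point. Minor: the removed call is replaced by an added blank line before return qp, which could be dropped.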

