[kernel/f19] CVE-2014-4943 pppol2tp level handling (rhbz 1119458 1120542)
Josh Boyer
jwboyer at fedoraproject.org
Thu Jul 17 12:16:04 UTC 2014
commit e5285152d8a7878f813182a230b517cde4f9eb60
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Thu Jul 17 08:15:19 2014 -0400
CVE-2014-4943 pppol2tp level handling (rhbz 1119458 1120542)
kernel.spec | 9 +++
...tp-don-t-fall-back-on-UDP-get-set-sockopt.patch | 57 ++++++++++++++++++++
2 files changed, 66 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 50ddf89..d61fcb3 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -762,6 +762,9 @@ Patch25109: revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pa
Patch25110: 0001-ideapad-laptop-Blacklist-rfkill-control-on-the-Lenov.patch
Patch25111: 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
+#CVE-2014-4943 rhbz 1119458 1120542
+Patch25115: net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1467,6 +1470,9 @@ ApplyPatch revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pat
ApplyPatch 0001-ideapad-laptop-Blacklist-rfkill-control-on-the-Lenov.patch
ApplyPatch 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
+#CVE-2014-4943 rhbz 1119458 1120542
+ApplyPatch net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2279,6 +2285,9 @@ fi
# and build.
%changelog
+* Thu Jul 17 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-4943 pppol2tp level handling (rhbz 1119458 1120542)
+
* Mon Jul 14 2014 Josh Boyer <jwboyer at fedoraproject.rog> - 3.14.12-100
- Linux v3.14.12
diff --git a/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch b/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
new file mode 100644
index 0000000..141048a
--- /dev/null
+++ b/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
@@ -0,0 +1,57 @@
+Bugzilla: 1120542
+Upstream-status: 3.16 and CC'd to stable
+
+From 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin at oracle.com>
+Date: Mon, 14 Jul 2014 17:02:31 -0700
+Subject: [PATCH] net/l2tp: don't fall back on UDP [get|set]sockopt
+
+The l2tp [get|set]sockopt() code has fallen back to the UDP functions
+for socket option levels != SOL_PPPOL2TP since day one, but that has
+never actually worked, since the l2tp socket isn't an inet socket.
+
+As David Miller points out:
+
+ "If we wanted this to work, it'd have to look up the tunnel and then
+ use tunnel->sk, but I wonder how useful that would be"
+
+Since this can never have worked so nobody could possibly have depended
+on that functionality, just remove the broken code and return -EINVAL.
+
+Reported-by: Sasha Levin <sasha.levin at oracle.com>
+Acked-by: James Chapman <jchapman at katalix.com>
+Acked-by: David Miller <davem at davemloft.net>
+Cc: Phil Turnbull <phil.turnbull at oracle.com>
+Cc: Vegard Nossum <vegard.nossum at oracle.com>
+Cc: Willy Tarreau <w at 1wt.eu>
+Cc: stable at vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 950909f04ee6..13752d96275e 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1365,7 +1365,7 @@ static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
+ int err;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.setsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (optlen < sizeof(int))
+ return -EINVAL;
+@@ -1491,7 +1491,7 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
+ struct pppol2tp_session *ps;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.getsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
+--
+1.9.3
+
More information about the scm-commits
mailing list