jwboyer pushed to kernel (f20). "CVE-2015-3636 ping-sockets use-after-free privilege escalation (rhbz 1218074 1218110)"

notifications at fedoraproject.org
Tue May 5 13:45:42 UTC 2015


From cf08d0381126fd1a3b2540815892abcae3fa058b Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at fedoraproject.org>
Date: Tue, 5 May 2015 09:41:50 -0400
Subject: CVE-2015-3636 ping-sockets use-after-free privilege escalation (rhbz
 1218074 1218110)


diff --git a/ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch b/ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
new file mode 100644
index 0000000..fa08f6a
--- /dev/null
+++ b/ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
@@ -0,0 +1,31 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Fri, 1 May 2015 22:02:47 -0400
+Subject: [PATCH] ipv4: Missing sk_nulls_node_init() in ping_unhash().
+
+If we don't do that, then the poison value is left in the ->pprev
+backlink.
+
+This can cause crashes if we do a disconnect, followed by a connect().
+
+Tested-by: Linus Torvalds <torvalds at linux-foundation.org>
+Reported-by: Wen Xu <hotdog3645 at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/ping.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 0ae28f517a9b..c0db43d2e1a6 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk)
+ 	if (sk_hashed(sk)) {
+ 		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
++		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = 0;
+ 		isk->inet_sport = 0;
+-- 
+2.3.6
+
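Review bot: The backported patch file records only the author, date and subject of the upstream change, not the upstream commit id, so it is hard to check later whether the stable tree already carries this fix; add a line such as "Upstream commit: <sha>" (the id is not visible in this diff, so take it from the upstream tree) above the description. The one-line code change itself is sound for the bug described: `hlist_nulls_del()` leaves the poison value in `sk->sk_nulls_node.pprev`, and the added `sk_nulls_node_init(&sk->sk_nulls_node)` resets the node before `sock_put(sk)`, so a disconnect followed by `connect()` no longer re-hashes a socket whose backlink still holds the poison. Minor: the file ends with an extra `+` blank line after the `2.3.6` trailer.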
diff --git a/kernel.spec b/kernel.spec
index c0ff4d8..9e1c042 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -778,6 +778,9 @@ Patch26189: 0001-cx18-add-missing-caps-for-the-PCM-video-device.patch
 #rhbz 1206036 1215989
 Patch26193: toshiba_acpi-Do-not-register-vendor-backlight-when-a.patch
 
+#CVE-2015-3636 rhbz 1218074 1218110
+Patch26194: ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
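Review bot: The definition follows the file's own convention (a comment naming the CVE and rhbz ids directly above a `PatchNNNNN:` line, separated from the previous entry by a blank line), and 26194 is the next number after the `Patch26193` shown in the context, so there is nothing to change in this hunk.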
@@ -1525,6 +1528,8 @@ ApplyPatch 0001-cx18-add-missing-caps-for-the-PCM-video-device.patch
 #rhbz 1206036 1215989
 ApplyPatch toshiba_acpi-Do-not-register-vendor-backlight-when-a.patch
 
+#CVE-2015-3636 rhbz 1218074 1218110
+ApplyPatch ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2337,6 +2342,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue May 05 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-3636 ping-sockets use-after-free privilege escalation (rhbz 1218074 1218110)
+
 * Thu Apr 30 2015 Laura Abbott <labbott at fedoraproject.org> - 3.19.6-100
 - Linux v3.19.6
 
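Review bot: The new changelog entry omits the `- <version>-<release>` suffix that the entry directly below it carries (`- 3.19.6-100`), and none of the visible hunks bump the release; if the build with this fix is meant to follow in a separate commit that is fine, otherwise add the suffix once the release is bumped so the entry matches the rest of the changelog. The entry text itself matches the commit subject and the rhbz ids, so it is consistent with the patch definition and application above.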
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f20&id=cf08d0381126fd1a3b2540815892abcae3fa058b

