jwboyer pushed to kernel (f20). "CVE-2015-3636 ping-sockets use-after-free privilege escalation (rhbz 1218074 1218110)"
notifications at fedoraproject.org
Tue May 5 13:45:42 UTC 2015
From cf08d0381126fd1a3b2540815892abcae3fa058b Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at fedoraproject.org>
Date: Tue, 5 May 2015 09:41:50 -0400
Subject: CVE-2015-3636 ping-sockets use-after-free privilege escalation (rhbz 1218074 1218110)
diff --git a/ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch b/ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
new file mode 100644
index 0000000..fa08f6a
--- /dev/null
+++ b/ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
@@ -0,0 +1,31 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Fri, 1 May 2015 22:02:47 -0400
+Subject: [PATCH] ipv4: Missing sk_nulls_node_init() in ping_unhash().
+
+If we don't do that, then the poison value is left in the ->pprev
+backlink.
+
+This can cause crashes if we do a disconnect, followed by a connect().
+
+Tested-by: Linus Torvalds <torvalds at linux-foundation.org>
+Reported-by: Wen Xu <hotdog3645 at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/ping.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 0ae28f517a9b..c0db43d2e1a6 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk)
+ if (sk_hashed(sk)) {
+ write_lock_bh(&ping_table.lock);
+ hlist_nulls_del(&sk->sk_nulls_node);
++ sk_nulls_node_init(&sk->sk_nulls_node);
+ sock_put(sk);
+ isk->inet_num = 0;
+ isk->inet_sport = 0;
+--
+2.3.6
+
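Review bot: the placement of the new `sk_nulls_node_init(&sk->sk_nulls_node);` line is the whole fix and it is correct: it runs after `hlist_nulls_del()` and before `sock_put()`, still under `ping_table.lock`. The `if (sk_hashed(sk))` guard at the top of the ping.c hunk tests the `->pprev` backlink, and `hlist_nulls_del()` leaves a poison value there rather than NULL (as the description says), so without the re-initialisation a second `ping_unhash()` on the same socket (the disconnect-then-connect sequence in the description) re-enters the block and calls `sock_put()` on a socket that was already unhashed, dropping a reference it no longer holds. One thing to add to the patch file itself: it carries no upstream commit reference, neither a leading `From <sha>` line nor a `(cherry picked from commit ...)` trailer, so anyone re-syncing this backport against the stable tree has to match it by Subject alone; record the upstream hash in the header before this lands.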
diff --git a/kernel.spec b/kernel.spec
index c0ff4d8..9e1c042 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -778,6 +778,9 @@ Patch26189: 0001-cx18-add-missing-caps-for-the-PCM-video-device.patch
#rhbz 1206036 1215989
Patch26193: toshiba_acpi-Do-not-register-vendor-backlight-when-a.patch
+#CVE-2015-3636 rhbz 1218074 1218110
+Patch26194: ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
+
# END OF PATCH DEFINITIONS
%endif
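Review bot: the `#CVE-2015-3636 rhbz 1218074 1218110` comment above `Patch26194` follows the `#rhbz ...` convention of the surrounding entries, but since the patch file carries no upstream hash this comment is the only place a future rebase can find one; add the upstream commit id here as well so the patch can be dropped cleanly once the stable update containing it is merged.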
@@ -1525,6 +1528,8 @@ ApplyPatch 0001-cx18-add-missing-caps-for-the-PCM-video-device.patch
#rhbz 1206036 1215989
ApplyPatch toshiba_acpi-Do-not-register-vendor-backlight-when-a.patch
+#CVE-2015-3636 rhbz 1218074 1218110
+ApplyPatch ipv4-Missing-sk_nulls_node_init-in-ping_unhash.patch
# END OF PATCH APPLICATIONS
@@ -2337,6 +2342,9 @@ fi
# ||----w |
# || ||
%changelog
+* Tue May 05 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-3636 ping-sockets use-after-free privilege escalation (rhbz 1218074 1218110)
+
* Thu Apr 30 2015 Laura Abbott <labbott at fedoraproject.org> - 3.19.6-100
- Linux v3.19.6
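Review bot: the new changelog header `* Tue May 05 2015 Josh Boyer ...` omits the `- <version>-<release>` suffix that the Apr 30 entry carries (`- 3.19.6-100`), so this commit does not bump Release. That is the normal pattern when several fixes accumulate before a build, but a privilege-escalation CVE is the kind of change that should go out on its own; bump Release here (or confirm a follow-up commit does) so the build that carries this patch has a distinct NVR that the update advisory can reference.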
http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f20&id=cf08d0381126fd1a3b2540815892abcae3fa058b