From 324841e6242e466f808961cbbed55842bf8bee29 Mon Sep 17 00:00:00 2001 From: Justin M. Forbes Date: Feb 22 2017 16:54:38 +0000 Subject: fix CVE-2017-6074 DCCP double-free vulnerability --- diff --git a/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch new file mode 100644 index 0000000..433fd4b --- /dev/null +++ b/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch @@ -0,0 +1,47 @@ +From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Thu, 16 Feb 2017 17:22:46 +0100 +Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO + +In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet +is forcibly freed via __kfree_skb in dccp_rcv_state_process if +dccp_v6_conn_request successfully returns. + +However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb +is saved to ireq->pktopts and the ref count for skb is incremented in +dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed +in dccp_rcv_state_process. + +Fix by calling consume_skb instead of doing goto discard and therefore +calling __kfree_skb. + +Similar fixes for TCP: + +fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. +0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now +simply consumed + +Signed-off-by: Andrey Konovalov +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/dccp/input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/dccp/input.c b/net/dccp/input.c +index ba34718..8fedc2d 100644 +--- a/net/dccp/input.c ++++ b/net/dccp/input.c +@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, + if (inet_csk(sk)->icsk_af_ops->conn_request(sk, + skb) < 0) + return 1; +- goto discard; ++ consume_skb(skb); ++ return 0; + } + if (dh->dccph_type == DCCP_PKT_RESET) + goto discard; +-- +cgit v0.12 + diff --git a/kernel.spec b/kernel.spec index 3e2f0bd..c41e5d2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -646,6 +646,9 @@ Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch #rhbz 1422969 Patch862: rt2800-warning.patch +#CVE-2017-6074 +Patch863: dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch + # END OF PATCH DEFINITIONS %endif @@ -2193,6 +2196,9 @@ fi # # %changelog +* Wed Feb 22 2017 Justin M. Forbes +- CVE-2017-6074 DCCP double-free vulnerability + * Mon Feb 20 2017 Laura Abbott - 4.9.11-200 - Linux v4.9.11 - Fix rt2800 warning (rhbz 1422969)