tcp: fix use after free in tcp_xmit_retransmit_queue() (CVE-2016-6828)
This commit is contained in:
parent
0a8dfe2ccc
commit
0db6147b7d
|
@ -40,6 +40,7 @@ linux (4.7.2-1) UNRELEASED; urgency=medium
|
|||
- efi: Disable secure boot if shim is in insecure mode
|
||||
- Add kernel config option to set securelevel when in Secure Boot mode
|
||||
- Enable EFI_SECURE_BOOT_SECURELEVEL
|
||||
* tcp: fix use after free in tcp_xmit_retransmit_queue() (CVE-2016-6828)
|
||||
|
||||
[ Martin Michlmayr ]
|
||||
* [armhf] Enable MMC_SDHCI_IPROC and HW_RANDOM_BCM2835 for BCM2835.
|
||||
|
|
50
debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
vendored
Normal file
50
debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
vendored
Normal file
|
@ -0,0 +1,50 @@
|
|||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Wed, 17 Aug 2016 05:56:26 -0700
|
||||
Subject: tcp: fix use after free in tcp_xmit_retransmit_queue()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=bb1fceca22492109be12640d49f5ea5a544c6bb4
|
||||
|
||||
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
|
||||
tail of the write queue using tcp_add_write_queue_tail()
|
||||
|
||||
Then it attempts to copy user data into this fresh skb.
|
||||
|
||||
If the copy fails, we undo the work and remove the fresh skb.
|
||||
|
||||
Unfortunately, this undo lacks the change done to tp->highest_sack and
|
||||
we can leave a dangling pointer (to a freed skb)
|
||||
|
||||
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
|
||||
access freed memory. For regular kernels where memory is not unmapped,
|
||||
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
|
||||
returning garbage instead of tp->snd_nxt, but with various debug
|
||||
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
|
||||
|
||||
This bug was found by Marco Grassi thanks to syzkaller.
|
||||
|
||||
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
|
||||
Reported-by: Marco Grassi <marco.gra@gmail.com>
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
|
||||
Cc: Yuchung Cheng <ycheng@google.com>
|
||||
Cc: Neal Cardwell <ncardwell@google.com>
|
||||
Acked-by: Neal Cardwell <ncardwell@google.com>
|
||||
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/net/tcp.h | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
--- a/include/net/tcp.h
|
||||
+++ b/include/net/tcp.h
|
||||
@@ -1522,6 +1522,8 @@ static inline void tcp_check_send_head(s
|
||||
{
|
||||
if (sk->sk_send_head == skb_unlinked)
|
||||
sk->sk_send_head = NULL;
|
||||
+ if (tcp_sk(sk)->highest_sack == skb_unlinked)
|
||||
+ tcp_sk(sk)->highest_sack = NULL;
|
||||
}
|
||||
|
||||
static inline void tcp_init_send_head(struct sock *sk)
|
|
@ -111,6 +111,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
# Security fixes
|
||||
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
||||
|
|
Loading…
Reference in New Issue