tcp: fix use after free in tcp_xmit_retransmit_queue() (CVE-2016-6828)

debian/changelog

@@ -40,6 +40,7 @@ linux (4.7.2-1) UNRELEASED; urgency=medium
     - efi: Disable secure boot if shim is in insecure mode
     - Add kernel config option to set securelevel when in Secure Boot mode
     - Enable EFI_SECURE_BOOT_SECURELEVEL
+  * tcp: fix use after free in tcp_xmit_retransmit_queue() (CVE-2016-6828)
 
   [ Martin Michlmayr ]
   * [armhf] Enable MMC_SDHCI_IPROC and HW_RANDOM_BCM2835 for BCM2835.

debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch

@@ -0,0 +1,50 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 17 Aug 2016 05:56:26 -0700
+Subject: tcp: fix use after free in tcp_xmit_retransmit_queue()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=bb1fceca22492109be12640d49f5ea5a544c6bb4
+
+When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
+tail of the write queue using tcp_add_write_queue_tail()
+
+Then it attempts to copy user data into this fresh skb.
+
+If the copy fails, we undo the work and remove the fresh skb.
+
+Unfortunately, this undo lacks the change done to tp->highest_sack and
+we can leave a dangling pointer (to a freed skb)
+
+Later, tcp_xmit_retransmit_queue() can dereference this pointer and
+access freed memory. For regular kernels where memory is not unmapped,
+this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
+returning garbage instead of tp->snd_nxt, but with various debug
+features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
+
+This bug was found by Marco Grassi thanks to syzkaller.
+
+Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
+Reported-by: Marco Grassi <marco.gra@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/tcp.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1522,6 +1522,8 @@ static inline void tcp_check_send_head(s
+ {
+ 	if (sk->sk_send_head == skb_unlinked)
+ 		sk->sk_send_head = NULL;
++	if (tcp_sk(sk)->highest_sack == skb_unlinked)
++		tcp_sk(sk)->highest_sack = NULL;
+ }
+ 
+ static inline void tcp_init_send_head(struct sock *sk)

debian/patches/series

@@ -111,6 +111,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 # Security fixes
 bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
 
 # ABI maintenance