brain-hackers_pepepper-mirror/linux-brain
1
0
Fork 0
mirror of https://github.com/brain-hackers/linux-brain.git synced 2024-06-09 23:36:23 +09:00
Code Issues Projects Releases Wiki Activity
5ab04a4ffe
linux-brain/net
History
Lin, Zhenpeng 5ab04a4ffe dccp: don't duplicate ccid when cloning dccp sock 
commit d9ea761fdd197351890418acd462c51f241014a7 upstream.

Commit 2677d20677 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
a UAF but reintroduced CVE-2017-6074.

When the sock is cloned, two dccps_hc_tx_ccid will reference to the
same ccid. So one can free the ccid object twice from two socks after
cloning.

This issue was found by "Hadar Manor" as well and assigned with
CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port
the patch from Ubuntu to fix it.

The patch prevents cloned socks from referencing the same ccid.

Fixes: 2677d20677 ("dccp: don't free ccid2_hc_tx_sock ...")
Signed-off-by: Zhenpeng Lin <zplin@psu.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-09-22 12:26:40 +02:00
..
6lowpan 6lowpan: iphc: Fix an off-by-one check of array index 2021-09-15 09:47:31 +02:00
9p 9p/xen: Fix end of loop tests for list_for_each_entry 2021-09-22 12:26:20 +02:00
802 net/802/garp: fix memleak in garp_request_join() 2021-07-31 08:19:38 +02:00
8021q net: vlan: avoid leaks on register_vlan_dev() failures 2021-01-17 14:05:31 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 14:47:41 +02:00
atm atm: fix a memory leak of vcc->user_back 2020-10-01 13:17:58 +02:00
ax25 AX.25: Prevent integer overflows in connect and sendmsg 2020-07-31 18:39:31 +02:00
batman-adv batman-adv: Avoid WARN_ON timing related checks 2021-06-23 14:41:23 +02:00
bluetooth Bluetooth: Fix handling of LE Enhanced Connection Complete 2021-09-22 12:26:33 +02:00
bpf bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN 2019-07-25 18:00:41 -07:00
bpfilter bpfilter: Specify the log level for the kmsg message 2021-07-14 16:53:33 +02:00
bridge net: bridge: fix memleak in br_add_if() 2021-08-18 08:57:00 +02:00
caif net-caif: avoid user-triggerable WARN_ON(1) 2021-09-22 12:26:40 +02:00
can can: j1939: j1939_session_deactivate(): clarify lifetime of session object 2021-08-04 12:27:40 +02:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-11-05 11:43:34 +01:00
core flow_dissector: Fix out-of-bounds warnings 2021-09-22 12:26:29 +02:00
dcb net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands 2021-01-23 15:57:59 +01:00
dccp dccp: don't duplicate ccid when cloning dccp sock 2021-09-22 12:26:40 +02:00
decnet net: decnet: Fix sleeping inside in af_decnet 2021-07-28 13:30:56 +02:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:36:45 +02:00
dsa net: dsa: fix error code getting shifted with 4 in dsa_slave_get_sset_count 2021-06-03 08:59:12 +02:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:20:06 +01:00
hsr hsr: use netdev_err() instead of WARN_ONCE() 2021-05-14 09:44:10 +02:00
ieee802154 net: Fix memory leak in ieee802154_raw_deliver 2021-08-18 08:57:00 +02:00
ife net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
ipv4 tcp: enable data-less, empty-cookie SYN with TFO_SERVER_COOKIE_NOT_REQD 2021-09-22 12:26:33 +02:00
ipv6 ipv6: make exception cache less predictible 2021-09-15 09:47:37 +02:00
iucv net/af_iucv: remove WARN_ONCE on malformed RX packets 2021-03-07 12:20:42 +01:00
kcm kcm: disable preemption in kcm_parse_func_strparser() 2019-09-27 10:27:14 +02:00
key af_key: relax availability checks for skb size calculation 2021-02-13 13:52:54 +01:00
l2tp l2tp: remove skb_dst_set() from l2tp_xmit_skb() 2020-07-22 09:32:47 +02:00
l3mdev ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF 2019-06-23 13:24:17 -07:00
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:25:28 +01:00
llc net: llc: fix skb_over_panic 2021-08-04 12:27:39 +02:00
mac80211 mac80211: Fix monitor MTU limit so that A-MSDUs get through 2021-09-22 12:26:32 +02:00
mac802154 net: mac802154: Fix general protection fault 2021-04-14 08:24:18 +02:00
mpls net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 2021-03-17 17:03:31 +01:00
ncsi net/ncsi: Avoid channel_monitor hrtimer deadlock 2021-04-14 08:24:15 +02:00
netfilter netfilter: conntrack: collect all entries in one cycle 2021-09-03 10:08:12 +02:00
netlabel net: fix NULL pointer reference in cipso_v4_doi_free 2021-09-22 12:26:36 +02:00
netlink netlink: Deal with ESRCH error in nlmsg_notify() 2021-09-22 12:26:27 +02:00
netrom netrom: Decrease sock refcount when sock timers expire 2021-07-28 13:30:56 +02:00
nfc net/nfc/rawsock.c: fix a permission check bug 2021-06-16 11:59:33 +02:00
nsh treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
openvswitch ovs: clear skb->tstamp in forwarding path 2021-08-26 08:36:19 -04:00
packet net/packet: annotate accesses to po->ifindex 2021-06-30 08:47:48 -04:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
psample net: psample: fix skb_over_panic 2019-12-04 22:30:54 +01:00
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2021-09-03 10:08:12 +02:00
rds net/rds: dma_map_sg is entitled to merge entries 2021-09-03 10:08:15 +02:00
rfkill rfkill: Fix use-after-free in rfkill_resume() 2020-11-24 13:29:05 +01:00
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-12-08 10:40:23 +01:00
rxrpc rxrpc: Fix clearance of Tx/Rx ring when releasing a call 2021-02-17 10:35:18 +01:00
sched fix array-index-out-of-bounds in taprio_change 2021-09-22 12:26:36 +02:00
sctp sctp: move the active_key update after sh_keys is added 2021-08-12 13:20:57 +02:00
smc Revert "net/smc: fix a NULL pointer dereference" 2021-06-03 08:59:08 +02:00
strparser Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
sunrpc rpc: fix gss_svc_init cleanup on failure 2021-09-22 12:26:33 +02:00
switchdev net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP 2021-02-07 15:35:46 +01:00
tipc tipc: fix an use-after-free issue in tipc_recvmsg 2021-09-22 12:26:40 +02:00
tls tls: prevent oversized sendfile() hangs by ignoring MSG_MORE 2021-07-14 16:53:31 +02:00
unix af_unix: fix garbage collect vs MSG_PEEK 2021-07-31 08:19:37 +02:00
vmw_vsock vsock/virtio: avoid potential deadlock when vsock device remove 2021-08-18 08:57:01 +02:00
wimax wimax: no need to check return value of debugfs_create functions 2019-08-10 15:25:47 -07:00
wireless cfg80211: Fix possible memory leak in function cfg80211_bss_update 2021-08-04 12:27:38 +02:00
x25 net/x25: Return the correct errno code 2021-06-18 09:59:00 +02:00
xdp xsk: Simplify detection of empty and full rings 2021-05-22 11:38:27 +02:00
xfrm xfrm: Fix error reporting in xfrm_state_construct. 2021-07-19 08:53:11 +02:00
compat.c net: Return the correct errno code 2021-06-18 09:59:00 +02:00
Kconfig net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-04-01 11:02:18 +02:00
Makefile
socket.c net: don't unconditionally copy_from_user a struct ifreq for socket ioctls 2021-09-03 10:08:16 +02:00
sysctl_net.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00