diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-05 13:33:15 +0100 |
|---|---|---|
| committer | Tudor Florea <tudor.florea@enea.com> | 2016-01-05 15:37:24 +0100 |
| commit | d92c06ddc2bb66673c4fa94d19467ae97746f5f7 (patch) | |
| tree | 73aad3c8afbc9ae23da80d380eb83249fff54af3 | |
| parent | cb6adb8c1d780cbaf7f3a3f62716f58790984467 (diff) | |
| download | meta-enea-d92c06ddc2bb66673c4fa94d19467ae97746f5f7.tar.gz | |
kernel-ipv4: CVE-2015-3636
Fixes use-after-free leading to local privilege escalation.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3636
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=f493b53864236c924b61ef3ccbb759ac46419a32
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
| -rw-r--r-- | recipes-kernel/linux/files/ipv4-CVE-2015-3636.patch | 38 | ||||
| -rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 39 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/ipv4-CVE-2015-3636.patch b/recipes-kernel/linux/files/ipv4-CVE-2015-3636.patch new file mode 100644 index 0000000..ae1f4eb --- /dev/null +++ b/recipes-kernel/linux/files/ipv4-CVE-2015-3636.patch | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | From f493b53864236c924b61ef3ccbb759ac46419a32 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "David S. Miller" <davem@davemloft.net> | ||
| 3 | Subject: ipv4: Missing sk_nulls_node_init() in ping_unhash(). | ||
| 4 | |||
| 5 | [ Upstream commit a134f083e79fb4c3d0a925691e732c56911b4326 ] | ||
| 6 | |||
| 7 | If we don't do that, then the poison value is left in the ->pprev | ||
| 8 | backlink. | ||
| 9 | |||
| 10 | This can cause crashes if we do a disconnect, followed by a connect(). | ||
| 11 | |||
| 12 | Fixes CVE-2015-3636 | ||
| 13 | Upstream-Status: Backport | ||
| 14 | |||
| 15 | Tested-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
| 16 | Reported-by: Wen Xu <hotdog3645@gmail.com> | ||
| 17 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 18 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 19 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 20 | --- | ||
| 21 | net/ipv4/ping.c | 1 + | ||
| 22 | 1 file changed, 1 insertion(+) | ||
| 23 | |||
| 24 | diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c | ||
| 25 | index b94002a..1e2e9bf 100644 | ||
| 26 | --- a/net/ipv4/ping.c | ||
| 27 | +++ b/net/ipv4/ping.c | ||
| 28 | @@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk) | ||
| 29 | if (sk_hashed(sk)) { | ||
| 30 | write_lock_bh(&ping_table.lock); | ||
| 31 | hlist_nulls_del(&sk->sk_nulls_node); | ||
| 32 | + sk_nulls_node_init(&sk->sk_nulls_node); | ||
| 33 | sock_put(sk); | ||
| 34 | isk->inet_num = 0; | ||
| 35 | isk->inet_sport = 0; | ||
| 36 | -- | ||
| 37 | cgit v0.11.2 | ||
| 38 | |||
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 7037182..ebf515d 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend | |||
| @@ -14,4 +14,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d | |||
| 14 | file://ipv4-CVE-2015-1465.patch \ | 14 | file://ipv4-CVE-2015-1465.patch \ |
| 15 | file://net-rds-CVE-2015-2042.patch \ | 15 | file://net-rds-CVE-2015-2042.patch \ |
| 16 | file://ipv6-CVE-2015-2922.patch \ | 16 | file://ipv6-CVE-2015-2922.patch \ |
| 17 | file://ipv4-CVE-2015-3636.patch \ | ||
| 17 | " | 18 | " |