kernel-ipv4: CVE-2015-3636

Fixes a use-after-free bug which can lead to kernel arbitrary execution in Linux kernel. References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3636 http://www.openwall.com/lists/oss-security/2015/05/02/5 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=e13f6f2b39c4d91371c0ede88b136f364a6ffd6d Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-01-05 13:27:22 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2016-01-05 14:53:15 +0100
commit: a7516bc90a45e8f16f9a83e0abbb420447150984 (patch)
tree: 197f8bdd83fde1b83baea5cb23cba3c60b970f6f
parent: a63ce710f8d26ad6732602a743ff346a656efb27 (diff)
download: meta-hierofalcon-a7516bc90a45e8f16f9a83e0abbb420447150984.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/ipv4-CVE-2015-3636.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/ipv4-CVE-2015-3636.patch
new file mode 100644
index 0000000..1d50153
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/ipv4-CVE-2015-3636.patch
@@ -0,0 +1,39 @@
+From e13f6f2b39c4d91371c0ede88b136f364a6ffd6d Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Fri, 1 May 2015 22:02:47 -0400
+Subject: ipv4: Missing sk_nulls_node_init() in ping_unhash().
+[ Upstream commit a134f083e79fb4c3d0a925691e732c56911b4326 ]
+If we don't do that, then the poison value is left in the ->pprev
+backlink.
+This can cause crashes if we do a disconnect, followed by a connect().
+Fixes CVE-2015-3636.
+Upstream-Status: Backport
+Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Reported-by: Wen Xu <hotdog3645@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipv4/ping.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index a5c49d6..64f4edb 100644
+--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
+@@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk)
+        if (sk_hashed(sk)) {
+                write_lock_bh(&ping_table.lock);
+                hlist_nulls_del(&sk->sk_nulls_node);
+               sk_nulls_node_init(&sk->sk_nulls_node);
+                sock_put(sk);
+                isk->inet_num = 0;
+                isk->inet_sport = 0;
+-- 
+cgit v0.11.2
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 82ad305..895a08c 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
           file://md-CVE-2015-5697.patch \
           file://vhost-CVE-2015-6252.patch \
           file://ipv6-CVE-2015-2922.patch \
+           file://ipv4-CVE-2015-3636.patch \
           "
 S = "${WORKDIR}/git"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-01-05 13:27:22 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2016-01-05 14:53:15 +0100
commit	a7516bc90a45e8f16f9a83e0abbb420447150984 (patch)
tree	197f8bdd83fde1b83baea5cb23cba3c60b970f6f
parent	a63ce710f8d26ad6732602a743ff346a656efb27 (diff)
download	meta-hierofalcon-a7516bc90a45e8f16f9a83e0abbb420447150984.tar.gz

diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/ipv4-CVE-2015-3636.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/ipv4-CVE-2015-3636.patch new file mode 100644 index 0000000..1d50153 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/ipv4-CVE-2015-3636.patch
@@ -0,0 +1,39 @@
		1	From e13f6f2b39c4d91371c0ede88b136f364a6ffd6d Mon Sep 17 00:00:00 2001
		2	From: "David S. Miller" <davem@davemloft.net>
		3	Date: Fri, 1 May 2015 22:02:47 -0400
		4	Subject: ipv4: Missing sk_nulls_node_init() in ping_unhash().
		5
		6	[ Upstream commit a134f083e79fb4c3d0a925691e732c56911b4326 ]
		7
		8	If we don't do that, then the poison value is left in the ->pprev
		9	backlink.
		10
		11	This can cause crashes if we do a disconnect, followed by a connect().
		12
		13	Fixes CVE-2015-3636.
		14	Upstream-Status: Backport
		15
		16	Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
		17	Reported-by: Wen Xu <hotdog3645@gmail.com>
		18	Signed-off-by: David S. Miller <davem@davemloft.net>
		19	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
		20	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		21	---
		22	net/ipv4/ping.c \| 1 +
		23	1 file changed, 1 insertion(+)
		24
		25	diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
		26	index a5c49d6..64f4edb 100644
		27	--- a/net/ipv4/ping.c
		28	+++ b/net/ipv4/ping.c
		29	@@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk)
		30	if (sk_hashed(sk)) {
		31	write_lock_bh(&ping_table.lock);
		32	hlist_nulls_del(&sk->sk_nulls_node);
		33	+ sk_nulls_node_init(&sk->sk_nulls_node);
		34	sock_put(sk);
		35	isk->inet_num = 0;
		36	isk->inet_sport = 0;
		37	--
		38	cgit v0.11.2
		39


diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 82ad305..895a08c 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
26	file://md-CVE-2015-5697.patch \	26	file://md-CVE-2015-5697.patch \
27	file://vhost-CVE-2015-6252.patch \	27	file://vhost-CVE-2015-6252.patch \
28	file://ipv6-CVE-2015-2922.patch \	28	file://ipv6-CVE-2015-2922.patch \
		29	file://ipv4-CVE-2015-3636.patch \
29	"	30	"
30		31
31	S = "${WORKDIR}/git"	32	S = "${WORKDIR}/git"