-rw-r--r-- | libre/linux-libre-lts/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch | 47 | ||||
-rw-r--r-- | libre/linux-libre-lts/PKGBUILD | 11 |
2 files changed, 55 insertions, 3 deletions
diff --git a/libre/linux-libre-lts/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/libre/linux-libre-lts/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
new file mode 100644
index 000000000..9adaf0b30
--- /dev/null
+++ b/libre/linux-libre-lts/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
@@ -0,0 +1,47 @@
+From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Thu, 16 Feb 2017 17:22:46 +0100
+Subject: [PATCH] dccp: fix freeing skb too early for IPV6_RECVPKTINFO
+
+In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
+is forcibly freed via __kfree_skb in dccp_rcv_state_process if
+dccp_v6_conn_request successfully returns.
+
+However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
+is saved to ireq->pktopts and the ref count for skb is incremented in
+dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
+in dccp_rcv_state_process.
+
+Fix by calling consume_skb instead of doing goto discard and therefore
+calling __kfree_skb.
+
+Similar fixes for TCP:
+
+fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
+0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
+simply consumed
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/dccp/input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/dccp/input.c b/net/dccp/input.c
+index ba347184bda9b3fe..8fedc2d497709b3d 100644
+--- a/net/dccp/input.c
++++ b/net/dccp/input.c
+@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
+ skb) < 0)
+ return 1;
+- goto discard;
++ consume_skb(skb);
++ return 0;
+ }
+ if (dh->dccph_type == DCCP_PKT_RESET)
+ goto discard;
+--
+2.11.1
+
diff --git a/libre/linux-libre-lts/PKGBUILD b/libre/linux-libre-lts/PKGBUILD index 50910067a..d5046c66a 100644 --- a/libre/linux-libre-lts/PKGBUILD +++ b/libre/linux-libre-lts/PKGBUILD @@ -10,7 +10,7 @@ pkgbase=linux-libre-lts _pkgbasever=4.4-gnu -_pkgver=4.4.50-gnu +_pkgver=4.4.51-gnu _replacesarchkernel=('linux%') # '%' gets replaced with _kernelname _replacesoldkernels=() # '%' gets replaced with _kernelname @@ -45,6 +45,7 @@ source=("https://linux-libre.fsfla.org/pub/linux-libre/releases/${_pkgbasever}/l 'linux.preset' 'change-default-console-loglevel.patch' '0001-sdhci-revert.patch' + '0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch' '0001-drm-radeon-Make-the-driver-load-without-the-firmwares.patch' '0002-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch' '0003-fix-Atmel-maXTouch-touchscreen-support.patch' @@ -62,7 +63,7 @@ source=("https://linux-libre.fsfla.org/pub/linux-libre/releases/${_pkgbasever}/l '0009-ARM-dts-dove-add-Dove-divider-clocks.patch') sha512sums=('1fc096b3fad2e97a68f9406c4c9c83a98dd33b2fd1bafc8c637a405e871f16822bc769a928825f2335cf4a1eb69a063f82bbf0ad5e4ef7ceee308e87b07da47e' 'SKIP' - '4b3132f7267c85c81717acd5523731b90ae62f1619eabd32053c93cde3d89dda32ccbb4f4e96b8189074f37abbd209365d633a5a6dadf18d3dccf9abe61c1391' + 'b613936609bddb58b472bdb9857a6410f464d62aa7ec49a685a120ae476c38127a5c7e5b9bf389ae8f710b7a495ff8d6981af171efb388469e3ad40f62b0ac4d' 'SKIP' '13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3' 'SKIP' 
@@ -77,10 +78,11 @@ sha512sums=('1fc096b3fad2e97a68f9406c4c9c83a98dd33b2fd1bafc8c637a405e871f16822bc '2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf' 'd9d28e02e964704ea96645a5107f8b65cae5f4fb4f537e224e5e3d087fd296cb770c29ac76e0ce95d173bc420ea87fb8f187d616672a60a0cae618b0ef15b8c8' 'be80d7ee558595d4b17b07a5a2b729d9a9503c963ec1b19bac6a87601eaefd28075aea7fb6d9c77e2e15e063fc6a8a2e8744bc1efe63e2a58b8c3ede0d89c821' + 'cddd1349c0a7f7ffcd7615f31c8107144eb086326c09121cc9071e95d04d2a30ee8d7a3f5d1fe76e6377803dbf2fcb1791e482e0974b8474155419ad94c0fd2b' '71d113b43bf543963ec9c4b9ae44bd57196317d59010aa253fe3897a032584980958272fba07751deda700159832444c847c17c2c82eedab0e67f10d358448c4' 'd7b612f3217e4b370eaa6bc928530fcf1cba9f6c5269273b5b5d198c63e128cbb44529fcaed2d732706de1a521a44b0f459f2a3b2695b25666cbfa7a9cb7f058' 'fe62880ef520f2302577c6a76f832324b3a6d42f05d032058892dd4374662ad499727dd0366b45e1087bf650d08a5efa65089c13840b67abdc947fe033c8a275' - '5cac70bc98e229f647fa43c3544426243649051f61bf4a8bdf2eed4911eba3af7d32caaa1c3d4bdc3dd49cb371f3cd42908b9509967ed6469793a3ed7cd1110f' + '904f91a0003be69342addcfeadd0c418fdce33b757b48a62b4bd086e6dd5d5efc1a182838b17477d7a798b1bea54117a8cb696cc632e6cecf2b8dbf38c02f252' 'SKIP' '835f3a288f85c553f908fd8d9f19614430dd83ade2a5dd1bb10686f38b0f823e5f079a9f014bbb3aa7af2f831af34b918124a826bce73d32a191c53deb37061a' '1ad04131f7b882ef405a73a3fc8ad21eaf9fa4dd7f160524bfd04f175f6f61379453f7968f34e3d567f6753d1ea74c4714febe70fe85cd37fcfc96f9b078e1ad' @@ -139,6 +141,9 @@ prepare() { install -m644 -t drivers/video/logo \ "${srcdir}/logo_linux_"{clut224.ppm,vga16.ppm,mono.pbm} + # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074 + patch -p1 -i "${srcdir}/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch" + # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git |
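Review bot: The comment added above the `patch -p1` call in the prepare() hunk gives only the CVE URL, so a later maintainer cannot tell from the PKGBUILD which upstream commit this backport corresponds to or when it can be removed. I would extend it to something like `# CVE-2017-6074: DCCP skb freed while still referenced (IPV6_RECVPKTINFO), upstream 5edabca9d4cf` followed by `# drop once _pkgver includes that commit`. The patch step has no removal guard, so once the base release carries the fix this step would presumably fail or need manual attention, and the reminder makes that failure easy to interpret. prepare() starts and ends outside this hunk.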