[linux] 01/01: Update 'net: add validation for the socket syscall protocol argument' to upstream version

Tue Dec 29 01:25:16 UTC 2015

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit fd75678652623cbdba0d892379fec375c8ea37ad
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Dec 27 19:21:59 2015 +0000

    Update 'net: add validation for the socket syscall protocol argument' to upstream version
---
 ...alidation-for-the-socket-syscall-protocol.patch | 75 ++++++++++++++++------
 1 file changed, 57 insertions(+), 18 deletions(-)

diff --git a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
index 10e6b65..fb9a94c 100644
--- a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
+++ b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
@@ -1,7 +1,7 @@
 From: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Date: Mon, 14 Dec 2015 22:03:39 +0100
 Subject: net: add validation for the socket syscall protocol argument
-Date: Mon, 14 Dec 2015 17:17:49 +0100
-Origin: http://article.gmane.org/gmane.linux.network/391482
+Origin: https://git.kernel.org/linus/79462ad02e861803b3840cc782248c7359451cd9
 
 郭永刚 reported that one could simply crash the kernel as root by
 using a simple program:
@@ -36,21 +36,60 @@ kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
 I found no particular commit which introduced this problem.
 
 CVE: CVE-2015-8543
+Cc: Cong Wang <cwang at twopensource.com>
 Reported-by: 郭永刚 <guoyonggang at 360.cn>
 Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
 ---
- net/ipv4/af_inet.c  | 3 +++
- net/ipv6/af_inet6.c | 3 +++
- net/socket.c        | 3 +++
- 3 files changed, 9 insertions(+)
+ include/net/sock.h     | 1 +
+ net/ax25/af_ax25.c     | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c     | 3 +++
+ net/ipv6/af_inet6.c    | 3 +++
+ net/irda/af_irda.c     | 3 +++
+ 6 files changed, 16 insertions(+)
 
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -387,6 +387,7 @@ struct sock {
+ 				sk_no_check_rx : 1,
+ 				sk_userlocks : 4,
+ 				sk_protocol  : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+ 				sk_type      : 16;
+ 	kmemcheck_bitfield_end(flags);
+ 	int			sk_wmem_queued;
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -805,6 +805,9 @@ static int ax25_create(struct net *net,
+ 	struct sock *sk;
+ 	ax25_cb *ax25;
+ 
++	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++		return -EINVAL;
++
+ 	if (!net_eq(net, &init_net))
+ 		return -EAFNOSUPPORT;
+ 
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -678,6 +678,9 @@ static int dn_create(struct net *net, st
+ {
+ 	struct sock *sk;
+ 
++	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++		return -EINVAL;
++
+ 	if (!net_eq(net, &init_net))
+ 		return -EAFNOSUPPORT;
+ 
 --- a/net/ipv4/af_inet.c
 +++ b/net/ipv4/af_inet.c
 @@ -261,6 +261,9 @@ static int inet_create(struct net *net,
  	int try_loading_module = 0;
  	int err;
  
-+	if (protocol >= IPPROTO_MAX)
++	if (protocol < 0 || protocol >= IPPROTO_MAX)
 +		return -EINVAL;
 +
  	sock->state = SS_UNCONNECTED;
@@ -62,21 +101,21 @@ Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
  	int try_loading_module = 0;
  	int err;
  
-+	if (protocol >= IPPROTO_MAX)
++	if (protocol < 0 || protocol >= IPPROTO_MAX)
 +		return -EINVAL;
 +
  	/* Look for the requested type/protocol pair. */
  lookup_protocol:
  	err = -ESOCKTNOSUPPORT;
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -1105,6 +1105,9 @@ int __sock_create(struct net *net, int f
- 		return -EAFNOSUPPORT;
- 	if (type < 0 || type >= SOCK_MAX)
- 		return -EINVAL;
-+	/* upper bound should be tested by per-protocol .create callbacks */
-+	if (protocol < 0)
-+		return -EINVAL;
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net,
+ 	struct sock *sk;
+ 	struct irda_sock *self;
  
- 	/* Compatibility.
++	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++		return -EINVAL;
++
+ 	if (net != &init_net)
+ 		return -EAFNOSUPPORT;
  

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

