[linux] 01/01: ping: implement proper locking (CVE-2017-2671)

debian-kernel at lists.debian.org
Sat Apr 8 07:20:09 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 43f7156d3ac387d4c470a0dce667a101b7846382
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sat Apr 8 09:16:56 2017 +0200

    ping: implement proper locking (CVE-2017-2671)
---
 debian/changelog                                   |  4 ++
 .../bugfix/all/ping-implement-proper-locking.patch | 54 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 59 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b49679b..b223cf0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
 linux (4.9.18-2) UNRELEASED; urgency=medium
 
+  [ Ben Hutchings ]
   * w1: Really enable W1_MASTER_GPIO as module (Closes: #858975)
   * debian/rules.real: Undefine $LANGUAGE, which can break debug symbols for
     vDSOs (Closes: #859807)
@@ -10,6 +11,9 @@ linux (4.9.18-2) UNRELEASED; urgency=medium
   * drm/nouveau/disp/mcp7x: disable dptmds workaround (Closes: #850219)
   * [powerpc/powerpc64,ppc64*] target: Enable SCSI_IBMVSCSIS as module
 
+  [ Salvatore Bonaccorso ]
+  * ping: implement proper locking (CVE-2017-2671)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Thu, 30 Mar 2017 18:27:30 +0100
 
 linux (4.9.18-1) unstable; urgency=medium
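Review bot: the 4.9.18-2 stanza keeps urgency=medium (visible in the hunk header) even though the added entry under [ Salvatore Bonaccorso ] is a CVE fix. Consider whether the upload should be raised to urgency=high before release, or leave it and let the security tracker reference in the patch header carry the context; either way the choice is worth making explicitly rather than inheriting it from the earlier entries.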
diff --git a/debian/patches/bugfix/all/ping-implement-proper-locking.patch b/debian/patches/bugfix/all/ping-implement-proper-locking.patch
new file mode 100644
index 0000000..d7b4b83
--- /dev/null
+++ b/debian/patches/bugfix/all/ping-implement-proper-locking.patch
@@ -0,0 +1,54 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Fri, 24 Mar 2017 19:36:13 -0700
+Subject: ping: implement proper locking
+Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671
+
+We got a report of yet another bug in ping
+
+http://www.openwall.com/lists/oss-security/2017/03/24/6
+
+->disconnect() is not called with socket lock held.
+
+Fix this by acquiring ping rwlock earlier.
+
+Thanks to Daniel, Alexander and Andrey for letting us know this problem.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Daniel Jiang <danieljiang0415 at gmail.com>
+Reported-by: Solar Designer <solar at openwall.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/ping.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 2af6244b83e2..ccfbce13a633 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
+ void ping_unhash(struct sock *sk)
+ {
+ 	struct inet_sock *isk = inet_sk(sk);
++
+ 	pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
++	write_lock_bh(&ping_table.lock);
+ 	if (sk_hashed(sk)) {
+-		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
+ 		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = 0;
+ 		isk->inet_sport = 0;
+ 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+-		write_unlock_bh(&ping_table.lock);
+ 	}
++	write_unlock_bh(&ping_table.lock);
+ }
+ EXPORT_SYMBOL_GPL(ping_unhash);
+ 
+-- 
+2.11.0
+
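Review bot: in ping_unhash() the pr_debug() call still reads isk->inet_num before write_lock_bh(&ping_table.lock) is taken, while the locked section resets that field to 0, so the logged value can be stale if another caller is unhashing the same socket. That is harmless for debug output, but moving the pr_debug() below the lock, or noting that the read is intentionally unlocked, would keep the function consistent with the stated goal of proper locking. A one-line comment above write_lock_bh() saying that the sk_hashed() test must be made under ping_table.lock would also help, since the commit message only says the lock is acquired "earlier" and the reason (the check and the unlink were previously not atomic) has to be inferred from the diff.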
diff --git a/debian/patches/series b/debian/patches/series
index d59f122..c10d9fd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -130,6 +130,7 @@ bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
+bugfix/all/ping-implement-proper-locking.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


