[linux] 04/11: ping: implement proper locking (CVE-2017-2671)

debian-kernel at lists.debian.org
Wed Apr 26 23:25:01 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit abf28863c09c016ec158a22cb4bb91928411e979
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Apr 26 23:18:25 2017 +0100

    ping: implement proper locking (CVE-2017-2671)
---
 debian/changelog                                   |  1 +
 .../bugfix/all/ping-implement-proper-locking.patch | 49 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 51 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 22e59e1..7ea7390 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -177,6 +177,7 @@ linux (3.2.88-1) UNRELEASED; urgency=medium
   * KEYS: Reinstate EPERM for a key type name beginning with a '.'
   * KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
     (CVE-2016-9604)
+  * ping: implement proper locking (CVE-2017-2671)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 13 Mar 2017 23:12:35 +0000
 
diff --git a/debian/patches/bugfix/all/ping-implement-proper-locking.patch b/debian/patches/bugfix/all/ping-implement-proper-locking.patch
new file mode 100644
index 0000000..d403747
--- /dev/null
+++ b/debian/patches/bugfix/all/ping-implement-proper-locking.patch
@@ -0,0 +1,49 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Fri, 24 Mar 2017 19:36:13 -0700
+Subject: ping: implement proper locking
+Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671
+
+We got a report of yet another bug in ping
+
+http://www.openwall.com/lists/oss-security/2017/03/24/6
+
+->disconnect() is not called with socket lock held.
+
+Fix this by acquiring ping rwlock earlier.
+
+Thanks to Daniel, Alexander and Andrey for letting us know this problem.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Daniel Jiang <danieljiang0415 at gmail.com>
+Reported-by: Solar Designer <solar at openwall.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: adjust context]
+---
+ net/ipv4/ping.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -135,16 +135,17 @@ static void ping_v4_hash(struct sock *sk
+ static void ping_v4_unhash(struct sock *sk)
+ {
+ 	struct inet_sock *isk = inet_sk(sk);
++
+ 	pr_debug("ping_v4_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
++	write_lock_bh(&ping_table.lock);
+ 	if (sk_hashed(sk)) {
+-		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
+ 		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = isk->inet_sport = 0;
+ 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+-		write_unlock_bh(&ping_table.lock);
+ 	}
++	write_unlock_bh(&ping_table.lock);
+ }
+ 
+ static struct sock *ping_v4_lookup(struct net *net, u32 saddr, u32 daddr,
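Review bot: The patch description says only that the rwlock is acquired earlier and does not state the invariant this hunk establishes in ping_v4_unhash(): the sk_hashed(sk) test now runs under write_lock_bh(&ping_table.lock), so the test and the hlist_nulls_del()/sock_put() that follow form one critical section, where before two callers could both pass the test ahead of the lock. Suggest a one-line comment above the write_lock_bh() call saying that sk_hashed() must be evaluated under ping_table.lock, so that a later cleanup does not move the lock back inside the if. The pr_debug() above the lock still reads isk->inet_num unlocked; that is harmless for a debug message, but it could move below write_lock_bh() to print a consistent value. The lock is now taken unconditionally, so unhashing an already unhashed socket also takes the table write lock with bottom halves disabled, which looks acceptable for this path.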
diff --git a/debian/patches/series b/debian/patches/series
index 36dc541..06ef18a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1111,6 +1111,7 @@ bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
 bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
 bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
 bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
+bugfix/all/ping-implement-proper-locking.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


