[linux] 01/01: sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Feb 15 10:56:07 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 58fbff3df5d6f8caa5353c464db7eb58d3bb3450
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Wed Feb 15 11:54:35 2017 +0100
sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
---
debian/changelog | 1 +
...sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch | 39 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 41 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 7221d92..f2089d6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -198,6 +198,7 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
* IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
* selinux: fix off-by-one in setprocattr (CVE-2017-2618)
* ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)
+ * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
-- Ben Hutchings <ben at decadent.org.uk> Fri, 27 Jan 2017 18:14:31 +0000
diff --git a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch b/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
new file mode 100644
index 0000000..0fcbbcf
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
@@ -0,0 +1,39 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Mon, 6 Feb 2017 18:10:31 -0200
+Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
+Origin: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90
+
+Alexander Popov reported that an application may trigger a BUG_ON in
+sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
+waiting on it to queue more data and meanwhile another thread peels off
+the association being used by the first thread.
+
+This patch replaces the BUG_ON call with a proper error handling. It
+will return -EPIPE to the original sendmsg call, similarly to what would
+have been done if the association wasn't found in the first place.
+
+Acked-by: Alexander Popov <alex.popov at linux.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Reviewed-by: Xin Long <lucien.xin at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/sctp/socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 37eeab7..e214d2e 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ */
+ release_sock(sk);
+ current_timeo = schedule_timeout(current_timeo);
+- BUG_ON(sk != asoc->base.sk);
++ if (sk != asoc->base.sk)
++ goto do_error;
+ lock_sock(sk);
+
+ *timeo_p = current_timeo;
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index cbd1721..9ae396f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -107,6 +107,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch
bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
+bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list