[linux] 01/01: Revert "sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)"
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Feb 22 02:50:43 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit b282f5f68d06942ac5d72332aab1ed07f3b736a9
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Feb 22 02:41:23 2017 +0000
Revert "sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)"
This reverts commit f5a644cb8adba67dca633e7200d0c0d66a4af3c3. The
upstream fix introduces a double-unlock and potential double-free:
https://marc.info/?l=linux-sctp&m=148770688203103&w=2
---
debian/changelog | 1 -
...sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch | 35 ----------------------
debian/patches/series | 1 -
3 files changed, 37 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 72d18f5..b5aca88 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,7 +2,6 @@ linux (3.2.84-2) UNRELEASED; urgency=high
[ Salvatore Bonaccorso ]
* dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074)
- * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
[ Ben Hutchings ]
* [arm*] dma-mapping: don't allow DMA mappings to be marked executable
diff --git a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch b/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
deleted file mode 100644
index 6e059ce..0000000
--- a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Date: Mon, 6 Feb 2017 18:10:31 -0200
-Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
-Origin: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90
-
-Alexander Popov reported that an application may trigger a BUG_ON in
-sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
-waiting on it to queue more data and meanwhile another thread peels off
-the association being used by the first thread.
-
-This patch replaces the BUG_ON call with a proper error handling. It
-will return -EPIPE to the original sendmsg call, similarly to what would
-have been done if the association wasn't found in the first place.
-
-Acked-by: Alexander Popov <alex.popov at linux.com>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Reviewed-by: Xin Long <lucien.xin at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[carnil: backport for context in 3.2]
----
- net/sctp/socket.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -6480,7 +6480,8 @@ static int sctp_wait_for_sndbuf(struct s
- */
- sctp_release_sock(sk);
- current_timeo = schedule_timeout(current_timeo);
-- BUG_ON(sk != asoc->base.sk);
-+ if (sk != asoc->base.sk)
-+ goto do_error;
- sctp_lock_sock(sk);
-
- *timeo_p = current_timeo;
diff --git a/debian/patches/series b/debian/patches/series
index 6d5c5c1..c75c011 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1126,7 +1126,6 @@ bugfix/all/rose-limit-sk_filter-trim-to-payload.patch
bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch
bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
-bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
bugfix/arm/arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch
bugfix/all/media-info-leak-in-__media_device_enum_links.patch
bugfix/all/perf-fix-perf_event_for_each-to-use-sibling.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list