[linux] 02/02: Revert "sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)"
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Feb 22 02:50:52 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 36bf801ab5aee7839ef4748bc2847a6797ae2b6e
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Feb 22 02:43:22 2017 +0000
Revert "sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)"
This reverts commit e30539599f3c7541f850130b6fd7b2d298436a07. The
upstream fix introduces a double-unlock and potential double-free:
https://marc.info/?l=linux-sctp&m=148770688203103&w=2
---
debian/changelog | 1 -
...sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch | 39 ----------------------
debian/patches/series | 1 -
3 files changed, 41 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 4643090..40e9266 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,7 +5,6 @@ linux (3.16.39-1+deb8u1) UNRELEASED; urgency=medium
* perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
(CVE-2017-6001)
* dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074)
- * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
[ Ben Hutchings ]
* perf: Do not double free (dependency of fix for CVE-2017-6001)
diff --git a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch b/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
deleted file mode 100644
index 0fcbbcf..0000000
--- a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Date: Mon, 6 Feb 2017 18:10:31 -0200
-Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
-Origin: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90
-
-Alexander Popov reported that an application may trigger a BUG_ON in
-sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
-waiting on it to queue more data and meanwhile another thread peels off
-the association being used by the first thread.
-
-This patch replaces the BUG_ON call with a proper error handling. It
-will return -EPIPE to the original sendmsg call, similarly to what would
-have been done if the association wasn't found in the first place.
-
-Acked-by: Alexander Popov <alex.popov at linux.com>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Reviewed-by: Xin Long <lucien.xin at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/sctp/socket.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 37eeab7..e214d2e 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- */
- release_sock(sk);
- current_timeo = schedule_timeout(current_timeo);
-- BUG_ON(sk != asoc->base.sk);
-+ if (sk != asoc->base.sk)
-+ goto do_error;
- lock_sock(sk);
-
- *timeo_p = current_timeo;
---
-2.1.4
-
diff --git a/debian/patches/series b/debian/patches/series
index 0446165..08106a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -683,7 +683,6 @@ bugfix/all/perf-Fix-event-ctx-locking.patch
bugfix/all/perf-do-not-double-free.patch
bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch
bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
-bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
bugfix/all/fbdev-color-map-copying-bounds-checking.patch
bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list