author | Ben Hutchings <ben@decadent.org.uk> | 2016-09-07 21:27:44 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2016-09-07 21:27:44 +0100 |
commit | 95a7eda1776e354acfa8aa6175706310f685e353 | |
tree | eb0c69edfbd52576e4f2ab989043a6ef44329325 | |
parent | 7a4881e4d1723f80254e14f49614a8c90ef5996a | |
Update to 4.8-rc5
-rw-r--r-- | debian/changelog | 2 |
-rw-r--r-- | debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch | 50 |
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 1 insertions, 52 deletions
diff --git a/debian/changelog b/debian/changelog index 86d0e36380d4..b734d2131821 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.8~rc4-1~exp1) UNRELEASED; urgency=medium +linux (4.8~rc5-1~exp1) UNRELEASED; urgency=medium * New upstream release candidate diff --git a/debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch b/debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch deleted file mode 100644 index 47edeb396cd6..000000000000 --- a/debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 17 Aug 2016 05:56:26 -0700 -Subject: tcp: fix use after free in tcp_xmit_retransmit_queue() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=bb1fceca22492109be12640d49f5ea5a544c6bb4 - -When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the -tail of the write queue using tcp_add_write_queue_tail() - -Then it attempts to copy user data into this fresh skb. - -If the copy fails, we undo the work and remove the fresh skb. - -Unfortunately, this undo lacks the change done to tp->highest_sack and -we can leave a dangling pointer (to a freed skb) - -Later, tcp_xmit_retransmit_queue() can dereference this pointer and -access freed memory. For regular kernels where memory is not unmapped, -this might cause SACK bugs because tcp_highest_sack_seq() is buggy, -returning garbage instead of tp->snd_nxt, but with various debug -features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel. - -This bug was found by Marco Grassi thanks to syzkaller. - -Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb") -Reported-by: Marco Grassi <marco.gra@gmail.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> -Cc: Yuchung Cheng <ycheng@google.com> -Cc: Neal Cardwell <ncardwell@google.com> -Acked-by: Neal Cardwell <ncardwell@google.com> -Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - include/net/tcp.h | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1522,6 +1522,8 @@ static inline void tcp_check_send_head(s - { - if (sk->sk_send_head == skb_unlinked) - sk->sk_send_head = NULL; -+ if (tcp_sk(sk)->highest_sack == skb_unlinked) -+ tcp_sk(sk)->highest_sack = NULL; - } - - static inline void tcp_init_send_head(struct sock *sk) diff --git a/debian/patches/series b/debian/patches/series index 8583c2c168bc..51137e05f5f9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -94,7 +94,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa # Security fixes bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch # ABI maintenance |
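Review bot: In the debian/changelog hunk only the version line changes (4.8~rc4-1~exp1 to 4.8~rc5-1~exp1), so the entry does not record that bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch is dropped in the same commit. Consider adding a line under "New upstream release candidate" that names the dropped patch and the reason, so that anyone auditing the "# Security fixes" block of debian/patches/series later can tell the removal was deliberate.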
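Review bot: The deletion of the tcp use-after-free patch and of its entry under "# Security fixes" in debian/patches/series comes with no stated justification; the commit message says only "Update to 4.8-rc5". Before merging, confirm that the 4.8-rc5 tree contains the commit named in the patch's Origin line (bb1fceca22492109be12640d49f5ea5a544c6bb4), that is, that tcp_check_send_head() in include/net/tcp.h sets tcp_sk(sk)->highest_sack to NULL when it equals skb_unlinked. If it does not, dropping the patch reintroduces the dangling highest_sack pointer that tcp_xmit_retransmit_queue() can dereference. Stating the upstream commit id in the commit message would make this checkable from the log alone.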