UbiquitousOS
/
anolis-cloud-kernel
mirror of https://gitee.com/anolis/cloud-kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity
anolis-cloud-kernel/net/dccp
History
Lin, Zhenpeng f2ed7bd67f dccp: don't duplicate ccid when cloning dccp sock 
OpenAnolis Bug Tracker: 0000434

commit d9ea761fdd upstream.

Commit 2677d20677 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
a UAF but reintroduced CVE-2017-6074.

When the sock is cloned, two dccps_hc_tx_ccid will reference to the
same ccid. So one can free the ccid object twice from two socks after
cloning.

This issue was found by "Hadar Manor" as well and assigned with
CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port
the patch from Ubuntu to fix it.

The patch prevents cloned socks from referencing the same ccid.

Fixes: 2677d20677 ("dccp: don't free ccid2_hc_tx_sock ...")
Signed-off-by: Zhenpeng Lin <zplin@psu.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fixes: CVE-2020-16119
Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Acked-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
 		2021-10-29 10:12:40 +08:00
..
ccids dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() 2018-08-07 15:34:44 -07:00
Kconfig net: dccp: Remove dccpprobe module 2018-01-02 14:27:30 -05:00
Makefile net: dccp: Remove dccpprobe module 2018-01-02 14:27:30 -05:00
ackvec.c net: dccp: drop unneeded newline 2018-01-02 13:49:32 -05:00
ackvec.h net: dccp: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
ccid.c dccp: drop null test before destroy functions 2015-09-15 16:49:43 -07:00
ccid.h dccp: fool proof ccid_hc_[rt]x_parse_options() 2019-02-12 19:47:21 +01:00
dccp.h Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
diag.c sock_diag: specify info_size per inet protocol 2015-06-15 19:49:22 -07:00
feat.c dccp: Fix memleak in __feat_register_sp 2020-03-18 23:26:36 +08:00
feat.h net: dccp: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
input.c tcp/dccp: fix lockdep issue when SYN is backlogged 2018-10-01 15:42:13 -07:00
ipv4.c inet: stop leaking jiffies on the wire 2019-11-10 11:27:37 +01:00
ipv6.c net: ipv6: add net argument to ip6_dst_lookup_flow 2020-05-06 20:34:08 +08:00
ipv6.h inet: includes a sock_common in request_sock 2013-10-10 00:08:07 -04:00
minisocks.c dccp: don't duplicate ccid when cloning dccp sock 2021-10-29 10:12:40 +08:00
options.c net: dccp: mark expected switch fall-throughs 2017-10-16 21:15:21 +01:00
output.c sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
proto.c Revert "net: simplify sock_poll_wait" 2018-11-04 14:50:51 +01:00
qpolicy.c
sysctl.c dccp: make the request_retries minimum is 1 2014-05-14 15:34:16 -04:00
timer.c dccp: fix tasklet usage 2018-05-03 15:14:57 -04:00
trace.h net: dccp: Add DCCP sendmsg trace event 2018-01-02 14:27:30 -05:00