Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp2319567pxb; Mon, 20 Sep 2021 18:42:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy+9+xPcVlyuRmlpWWlm3Wlf22GUAtZrHnX/dQZ3u5V8vjnCKJlFlyE1WGC6Gnyt7FvptYr X-Received: by 2002:a02:8606:: with SMTP id e6mr16856022jai.122.1632188568015; Mon, 20 Sep 2021 18:42:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632188568; cv=none; d=google.com; s=arc-20160816; b=faaCHd0LwYTrXwnIP6hyX2H201RHVz+e0MgHJGlxtsP1fvRU1JM9iXnTNn7dV/JpKM NLhIODhVXS1XlNFhr1wVphin0LiYqhHns7zRkjJ3NpGUPHQFGEsWa+Yhw2LnmkY4cCa/ idIfukRGJyZUBEMFX5MtCW+McE+BjxOt/CuH4bTJEDKVaHwxPmX6aEcGoYOCDEoGoPfh Nk6iVF+DlOIfPbStQjGZie1lHKWlOFzzNHqFWYJRtAGZk7nw7Em37ZyMRrGdd8ndzF4n iYE52W7U/Tzs6l9sKGuyiWv4nPWnUJM1dGobDVK1GNJhsXfi2qgqTLljLMt8Wa7SryNx 7BPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ih00/e2Or1y9A04hySdcvod+k7aWDa7zxjdLpoOXq5o=; b=zghSmVHeNw77txFkpcgNWP66sB8WSLqWNx/ySBvAKUeGNOrab2T4jmgdpm9f+PPoTi BoigRTJMlDbb+PL1FqqlWuq46OgQ+wEqzmWNzsieUWrdNfZ+fd0wOgqCBJyJHKOB/05L 0CDJdWqo5/geejkNw6wfSIaMdg+6aRI4lSlTuVqcFAjjRkd0ksJXUfIM/Av/m+sNkl5c 3yRqIxg8/1i0EFuP37U74WkE+gg/GyMv6/CuG21y+AMnCF0dYF+3ooZLLwqbgjWCNteP /954xx2bEFYxVTr0uhYqQpsMK3FEBtzU6M7wIc5/Jfh58HzYx2OOs9sz2v4l9hV4KgDm 8Nxg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=XttcY+Co; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c30si13389446jaf.100.2021.09.20.18.42.37; Mon, 20 Sep 2021 18:42:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=XttcY+Co; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243400AbhITQzv (ORCPT + 99 others); Mon, 20 Sep 2021 12:55:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:36916 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244428AbhITQvv (ORCPT ); Mon, 20 Sep 2021 12:51:51 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id B5B996135A; Mon, 20 Sep 2021 16:49:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1632156576; bh=majAfURPlNb5whgNhDrheNAcJqNtvvCLHHE6FbT2yNc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XttcY+Co4hZNDtECRUB51LOCdJqJosPsffXwL5WeLLi53oKuRdrb9vJoRYoETjBdR UE1dbsozoaB5+E55aKvVxRFCoMtMGsAwcBmr4LA91GVIuc+xuVEkqkGxxvRfDTvBQG D8rYJTVA+of5YLoTsMVAjOjUtX3RI7D8xtfW6U5M= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zhenpeng Lin , "David S. Miller" Subject: [PATCH 4.4 121/133] dccp: dont duplicate ccid when cloning dccp sock Date: Mon, 20 Sep 2021 18:43:19 +0200 Message-Id: <20210920163916.581379521@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210920163912.603434365@linuxfoundation.org> References: <20210920163912.603434365@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Lin, Zhenpeng commit d9ea761fdd197351890418acd462c51f241014a7 upstream. Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed a UAF but reintroduced CVE-2017-6074. When the sock is cloned, two dccps_hc_tx_ccid will reference to the same ccid. So one can free the ccid object twice from two socks after cloning. This issue was found by "Hadar Manor" as well and assigned with CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port the patch from Ubuntu to fix it. The patch prevents cloned socks from referencing the same ccid. Fixes: 2677d2067731410 ("dccp: don't free ccid2_hc_tx_sock ...") Signed-off-by: Zhenpeng Lin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/dccp/minisocks.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/dccp/minisocks.c +++ b/net/dccp/minisocks.c @@ -92,6 +92,8 @@ struct sock *dccp_create_openreq_child(c newdp->dccps_role = DCCP_ROLE_SERVER; newdp->dccps_hc_rx_ackvec = NULL; newdp->dccps_service_list = NULL; + newdp->dccps_hc_rx_ccid = NULL; + newdp->dccps_hc_tx_ccid = NULL; newdp->dccps_service = dreq->dreq_service; newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo; newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;