From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zhenpeng Lin, "David S. Miller"
Subject: [PATCH 5.4 212/260] dccp: dont duplicate ccid when cloning dccp sock
Date: Mon, 20 Sep 2021 18:43:50 +0200
Message-Id: <20210920163938.309822216@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210920163931.123590023@linuxfoundation.org>
References: <20210920163931.123590023@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Lin, Zhenpeng

commit d9ea761fdd197351890418acd462c51f241014a7 upstream.

Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed a UAF
but reintroduced CVE-2017-6074. When the sock is cloned, two
dccps_hc_tx_ccid will reference to the same ccid. So one can free the ccid
object twice from two socks after cloning.

This issue was found by "Hadar Manor" as well and assigned with
CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port the
patch from Ubuntu to fix it. The patch prevents cloned socks from
referencing the same ccid.

Fixes: 2677d2067731410 ("dccp: don't free ccid2_hc_tx_sock ...")
Signed-off-by: Zhenpeng Lin
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/dccp/minisocks.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -94,6 +94,8 @@ struct sock *dccp_create_openreq_child(c
 	newdp->dccps_role = DCCP_ROLE_SERVER;
 	newdp->dccps_hc_rx_ackvec = NULL;
 	newdp->dccps_service_list = NULL;
+	newdp->dccps_hc_rx_ccid = NULL;
+	newdp->dccps_hc_tx_ccid = NULL;
 	newdp->dccps_service = dreq->dreq_service;
 	newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
 	newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;
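Review bot: the two added assignments in dccp_create_openreq_child carry no comment saying why the inherited pointers must be cleared, and this is exactly the kind of line a later cleanup could "simplify" away and reintroduce the shared-ccid double free the message describes. Suggest a short comment above `+	newdp->dccps_hc_rx_ccid = NULL;` along the lines of `/* the child must not share the listener's ccid objects */`. It would also help to state in the commit message where the child's own ccids are allocated afterwards, since the hunk only nulls the pointers and relies on that allocation path, which is not visible here.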
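A user-space model of the defect the commit message describes and of the fix in the hunk, written for this review as an added example (it is not kernel code). It assumes simplified stand-ins for the kernel's socket and ccid structures and models the release path with a counter so that a double release can be reported without actually freeing memory twice; field and function names are borrowed from the patch.

```c
/* Added example (not kernel code): user-space model of the bug this patch fixes.
 * The child socket is a byte copy of the listener; unless the inherited ccid
 * pointers are cleared, parent and child own the same object and both release
 * it. Field and function names mirror the patch; the structures are simplified. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
struct ccid { int id; int release_count; }; /* release_count exposes a double release */

struct dccp_sock {
    struct ccid *dccps_hc_rx_ccid;
    struct ccid *dccps_hc_tx_ccid;
};
static struct ccid *ccid_new(int id) {
    struct ccid *c = calloc(1, sizeof *c);
    if (c) c->id = id;
    return c;
}
/* Stands in for the ccid delete path: count releases instead of freeing, so
 * the model can report a double release without undefined behaviour. */
static void ccid_release(struct ccid *c) { if (c) c->release_count++; }

/* Before the fix: a shallow copy leaves both sockets pointing at the same ccids. */
static void clone_buggy(struct dccp_sock *child, const struct dccp_sock *parent) {
    memcpy(child, parent, sizeof *child);
}
/* With the fix: clear the inherited pointers as the hunk does, then give the
 * child its own ccids (the kernel allocates them later, outside this hunk). */
static void clone_fixed(struct dccp_sock *child, const struct dccp_sock *parent) {
    memcpy(child, parent, sizeof *child);
    child->dccps_hc_rx_ccid = NULL;
    child->dccps_hc_tx_ccid = NULL;
    child->dccps_hc_rx_ccid = ccid_new(parent->dccps_hc_rx_ccid->id);
    child->dccps_hc_tx_ccid = ccid_new(parent->dccps_hc_tx_ccid->id);
}
/* Destroy parent and child; report whether any ccid was released twice. */
static bool double_release_after_clone(bool use_fix) {
    struct dccp_sock parent = { ccid_new(2), ccid_new(2) }, child;
    struct ccid *rx = parent.dccps_hc_rx_ccid, *tx = parent.dccps_hc_tx_ccid;
    if (use_fix) clone_fixed(&child, &parent); else clone_buggy(&child, &parent);
    ccid_release(parent.dccps_hc_rx_ccid); ccid_release(parent.dccps_hc_tx_ccid);
    ccid_release(child.dccps_hc_rx_ccid);  ccid_release(child.dccps_hc_tx_ccid);
    bool twice = rx->release_count > 1 || tx->release_count > 1;
    if (child.dccps_hc_rx_ccid != rx) free(child.dccps_hc_rx_ccid);
    if (child.dccps_hc_tx_ccid != tx) free(child.dccps_hc_tx_ccid);
    free(rx); free(tx);
    return twice;
}
```

Running the buggy clone reports a double release (the condition behind CVE-2017-6074 / CVE-2020-16119 named in the message), while the fixed clone releases each ccid exactly once.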