summarylogtreecommitdiffstats
path: root/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
diff options
context:
space:
mode:
Diffstat (limited to 'CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch')
-rw-r--r--CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch74
1 files changed, 0 insertions, 74 deletions
diff --git a/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
deleted file mode 100644
index fe1fb10929bb..000000000000
--- a/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 Mon Sep 17 00:00:00 2001
-From: Mohamed Ghannam <simo.ghannam@gmail.com>
-Date: Sun, 10 Dec 2017 03:50:58 +0000
-Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
-
-inet->hdrincl is racy, and could lead to uninitialized stack pointer
-usage, so its value should be read only once.
-
-Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
-Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/raw.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 33b70bfd1122..125c1eab3eaa 100644
---- a/net/ipv4/raw.c
-+++ b/net/ipv4/raw.c
-@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- int err;
- struct ip_options_data opt_copy;
- struct raw_frag_vec rfv;
-+ int hdrincl;
-
- err = -EMSGSIZE;
- if (len > 0xFFFF)
- goto out;
-
-+ /* hdrincl should be READ_ONCE(inet->hdrincl)
-+ * but READ_ONCE() doesn't work with bit fields
-+ */
-+ hdrincl = inet->hdrincl;
- /*
- * Check the flags.
- */
-@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- /* Linux does not mangle headers on raw sockets,
- * so that IP options + IP_HDRINCL is non-sense.
- */
-- if (inet->hdrincl)
-+ if (hdrincl)
- goto done;
- if (ipc.opt->opt.srr) {
- if (!daddr)
-@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
-
- flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
- RT_SCOPE_UNIVERSE,
-- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
-+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
- inet_sk_flowi_flags(sk) |
-- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
-+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
- daddr, saddr, 0, 0, sk->sk_uid);
-
-- if (!inet->hdrincl) {
-+ if (!hdrincl) {
- rfv.msg = msg;
- rfv.hlen = 0;
-
-@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- goto do_confirm;
- back_from_confirm:
-
-- if (inet->hdrincl)
-+ if (hdrincl)
- err = raw_send_hdrinc(sk, &fl4, msg, len,
- &rt, msg->msg_flags, &ipc.sockc);
-
---
-2.15.1
-