]> git.baikalelectronics.ru Git - kernel.git/commitdiff
dccp: don't duplicate ccid when cloning dccp sock
authorLin, Zhenpeng <zplin@psu.edu>
Wed, 8 Sep 2021 03:40:59 +0000 (03:40 +0000)
committerDavid S. Miller <davem@davemloft.net>
Wed, 8 Sep 2021 10:28:35 +0000 (11:28 +0100)
Commit cfdb1d61c208 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
a UAF but reintroduced CVE-2017-6074.

When the sock is cloned, two dccps_hc_tx_ccid will reference to the
same ccid. So one can free the ccid object twice from two socks after
cloning.

This issue was found by "Hadar Manor" as well and assigned with
CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port
the patch from Ubuntu to fix it.

The patch prevents cloned socks from referencing the same ccid.

Fixes: cfdb1d61c2085ae ("dccp: don't free ccid2_hc_tx_sock ...")
Signed-off-by: Zhenpeng Lin <zplin@psu.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/dccp/minisocks.c

index c5c74a34d139d99fb58dc5cebe4d6a8d72a214ed..91e7a2202697143fddd1e81e2c528ea9bbc4ae4e 100644 (file)
@@ -94,6 +94,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
                newdp->dccps_role           = DCCP_ROLE_SERVER;
                newdp->dccps_hc_rx_ackvec   = NULL;
                newdp->dccps_service_list   = NULL;
+               newdp->dccps_hc_rx_ccid     = NULL;
+               newdp->dccps_hc_tx_ccid     = NULL;
                newdp->dccps_service        = dreq->dreq_service;
                newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
                newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;