From 9883f903b2c773b1de94843adeb8691d56e0c4db Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 14 Apr 2014 07:38:57 -0400 Subject: [PATCH] CVE-2014-2851 net ipv4 ping refcount issue in ping_init_sock (rhbz 1086730 1087420) --- kernel.spec | 9 +++ ...group_info-should-be-put-after-using.patch | 64 +++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 net-ipv4-current-group_info-should-be-put-after-using.patch diff --git a/kernel.spec b/kernel.spec index d886e7c04..f56f70f93 100644 --- a/kernel.spec +++ b/kernel.spec @@ -636,6 +636,9 @@ Patch25060: KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch #rhbz 1048314 Patch25062: 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch +#CVE-2014-2851 rhbz 1086730 1087420 +Patch25059: net-ipv4-current-group_info-should-be-put-after-using.patch + # END OF PATCH DEFINITIONS %endif @@ -1281,6 +1284,9 @@ ApplyPatch KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch #rhbz 1048314 ApplyPatch 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch +#CVE-2014-2851 rhbz 1086730 1087420 +ApplyPatch net-ipv4-current-group_info-should-be-put-after-using.patch + # END OF PATCH APPLICATIONS %endif @@ -2060,6 +2066,9 @@ fi # ||----w | # || || %changelog +* Mon Apr 14 2014 Josh Boyer +- CVE-2014-2851 net ipv4 ping refcount issue in ping_init_sock (rhbz 1086730 1087420) + * Sun Apr 13 2014 Josh Boyer - 3.15.0-0.rc0.git13.1 - Linux v3.14-12812-g321d03c86732 diff --git a/net-ipv4-current-group_info-should-be-put-after-using.patch b/net-ipv4-current-group_info-should-be-put-after-using.patch new file mode 100644 index 000000000..265b3839b --- /dev/null +++ b/net-ipv4-current-group_info-should-be-put-after-using.patch 
@@ -0,0 +1,64 @@
+Bugzilla: 1087420
+Upstream-status: Queued for 3.15 and stable
+
+From b04c46190219a4f845e46a459e3102137b7f6cac Mon Sep 17 00:00:00 2001
+From: "Wang, Xiaoming"
+Date: Mon, 14 Apr 2014 12:30:45 -0400
+Subject: net: ipv4: current group_info should be put after using.
+
+Plug a group_info refcount leak in ping_init.
+group_info is only needed during initialization and
+the code failed to release the reference on exit.
+While here move grabbing the reference to a place
+where it is actually needed.
+
+Signed-off-by: Chuansheng Liu
+Signed-off-by: Zhang Dongxing
+Signed-off-by: xiaoming wang
+Signed-off-by: David S. Miller
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index f4b19e5..8210964 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -252,26 +252,33 @@ int ping_init_sock(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
+ kgid_t group = current_egid();
+- struct group_info *group_info = get_current_groups();
+- int i, j, count = group_info->ngroups;
++ struct group_info *group_info;
++ int i, j, count;
+ kgid_t low, high;
++ int ret = 0;
+
+ inet_get_ping_group_range_net(net, &low, &high);
+ if (gid_lte(low, group) && gid_lte(group, high))
+ return 0;
+
++ group_info = get_current_groups();
++ count = group_info->ngroups;
+ for (i = 0; i < group_info->nblocks; i++) {
+ int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
+ for (j = 0; j < cp_count; j++) {
+ kgid_t gid = group_info->blocks[i][j];
+ if (gid_lte(low, gid) && gid_lte(gid, high))
+- return 0;
++ goto out_release_group;
+ }
+
+ count -= cp_count;
+ }
+
+- return -EACCES;
++ ret = -EACCES;
++
++out_release_group:
++ put_group_info(group_info);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(ping_init_sock);
+
+--
+cgit v0.10.1
+
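Review bot: The reference handling in the new ping_init_sock() rests on an ordering rule that is not written down. The `return 0` after the egid range check is only leak-free because `get_current_groups()` now sits below it, and every path after that call has to leave through `out_release_group`. A comment above the moved call would stop a later edit from putting a bare `return` back inside the loop, for example `/* Holds a group_info reference from here on; leave only via out_release_group so put_group_info() runs. */`. The patch description calls this only a leak, while the spec entry tags it CVE-2014-2851. It would help backporters if the header also said that the removed code took the reference at declaration and never dropped it on any of its three returns, so the count could only grow with each call.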