Description: TCP reconnection use-after-free
References:
 https://lore.kernel.org/stable/20190813115317.6cgml2mckd3c6u7z@decadent.org.uk/
 https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-tcpsocketsuaf
Notes:
 bwh> Introduced by backports of commit 7f582b248d0a
 bwh> "tcp: purge write queue in tcp_connect_init()" to stable.
 bwh> Upstream avoided this issue due to the earlier commit
 bwh> 75c119afe14f "tcp: implement rb-tree based retransmit queue".
 carnil> As pointed out by Ben, in https://lore.kernel.org/stable/41a61a2f87691d2bc839f26cdfe6f5ff2f51e472.camel@decadent.org.uk/
 carnil> the issue got already fixed by dbbf2d1e4077 ("tcp: reset
 carnil> sk_send_head in tcp_write_queue_purge") in 4.14.32, which got
 carnil> backported to 4.4.187 and 4.9.187.
Bugs:
upstream: N/A "Vulnerability never present"
4.19-upstream-stable: N/A "Vulnerability never present"
4.9-upstream-stable: released (4.9.187) [704533394e488a109fe46ab3693315376c3824d5]
3.16-upstream-stable: released (3.16.73) [3157fbc900bdb366b2186e5a6e506cc5e4697cf0]
sid: N/A "Vulnerability never present"
4.19-buster-security: N/A "Vulnerability never present"
4.9-stretch-security: released (4.9.168-1+deb9u5) [bugfix/all/tcp-clear-sk_send_head-after-purging-the-write-queue.patch]
3.16-jessie-security: released (3.16.72-1) [bugfix/all/tcp-clear-sk_send_head-after-purging-the-write-queue.patch]