blob: 98a675a7fd2bc04424b1e8190f0496b3b9cff7cc
Description: In xfrm6_tunnel_free_spi of net/ipv6/xfrm6_tunnel.c, there is a possible use after free due to improper locking
References:
https://source.android.com/security/bulletin/pixel/2020-12-01
Notes:
carnil> From contact with the Android security team we only know:
carnil> Android Security team did some research on the 4.14.y series
carnil> which they use in this product and found that apparently a code
carnil> change between 4.14.170 and 4.14.180 fixed the issue. It was
carnil> though not clear exactly which change resolved the
carnil> vulnerability. For 4.14.y it is believed that all versions from
carnil> 4.14.180 up are fixed. This still leaves open which is/are the
carnil> upstream commits addressing the issue and so to determine the
carnil> state for the other branches.
carnil> Could it be possibly related to 4c59406ed003 ("xfrm: policy:
carnil> Fix doulbe free in xfrm_policy_timer") which was 5.6, 5.5.14,
carnil> 5.4.29, 4.19.114, 4.14.175, 4.9.218 and 4.4.218?
carnil> Android Security team indicated that this indeed seems a good
carnil> candidate.
Bugs:
upstream:
5.10-upstream-stable:
4.19-upstream-stable:
4.9-upstream-stable:
sid:
4.19-buster-security:
4.9-stretch-security: