Description: TCP reconnection use-after-free
References:
https://lore.kernel.org/stable/20190813115317.6cgml2mckd3c6u7z@decadent.org.uk/
https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-tcpsocketsuaf
Notes:
bwh> Introduced by backports of commit 7f582b248d0a
bwh> "tcp: purge write queue in tcp_connect_init()" to stable.
bwh> Upstream avoided this issue due to the earlier commit
bwh> 75c119afe14f "tcp: implement rb-tree based retransmit queue".
carnil> As pointed out by Ben, in https://lore.kernel.org/stable/41a61a2f87691d2bc839f26cdfe6f5ff2f51e472.camel@decadent.org.uk/
carnil> the issue got already fixed by dbbf2d1e4077 ("tcp: reset
carnil> sk_send_head in tcp_write_queue_purge") in 4.14.32, which got
carnil> backported to 4.4.187 and 4.9.187.
Bugs:
upstream: N/A "Vulnerability never present"
4.19-upstream-stable: N/A "Vulnerability never present"
4.9-upstream-stable: released (4.9.187) [704533394e488a109fe46ab3693315376c3824d5]
3.16-upstream-stable: released (3.16.73) [3157fbc900bdb366b2186e5a6e506cc5e4697cf0]
sid: N/A "Vulnerability never present"
4.19-buster-security: N/A "Vulnerability never present"
4.9-stretch-security: released (4.9.168-1+deb9u5) [bugfix/all/tcp-clear-sk_send_head-after-purging-the-write-queue.patch]
3.16-jessie-security: released (3.16.72-1) [bugfix/all/tcp-clear-sk_send_head-after-purging-the-write-queue.patch]