Description: In xfrm6_tunnel_free_spi of net/ipv6/xfrm6_tunnel.c, there is a possible use after free due to improper locking
References:
https://source.android.com/security/bulletin/pixel/2020-12-01
Notes:
carnil> From contact with the Android security team we only know:
carnil> Android Security team did some research on the 4.14.y series
carnil> which they use in this product and found that apparently a code
carnil> change between 4.14.170 and 4.14.180 fixed the issue. It was
carnil> though not clear exactly which change resolved the
carnil> vulnerability. For 4.14.y it is believed that all versions from
carnil> 4.14.180 up are fixed. This still leaves open which is/are the
carnil> upstream commits addressing the issue and so to determine the
carnil> state for the other branches.
carnil> Could it be possibly related to 4c59406ed003 ("xfrm: policy:
carnil> Fix doulbe free in xfrm_policy_timer") which was 5.6, 5.5.14,
carnil> 5.4.29, 4.19.114, 4.14.175, 4.9.218 and 4.4.218?
carnil> Android Security team indicated that this indeed seems a good
carnil> candidate.
bwh> Commit 4c59406ed003 fixes double-free of xfrm_policy, but I'm
bwh> not sure how it relates to a use-after-free in xfrm6_tunnel
bwh> (xfrm6_tunnel_free_spi() is called via __xfrm_state_destroy(),
bwh> via xfrm_state_put(), so what calls that?). However I agree
bwh> it is the only commit in that range that could plausibly have
bwh> fixed the issue.
Bugs:
upstream: released (5.6) [4c59406ed00379c8663f8663d82b2537467ce9d7]
5.10-upstream-stable: N/A "Fixed before branch point"
4.19-upstream-stable: released (4.19.114) [7ad217a824f7fab1e8534a6dfa82899ae1900bcb]
4.9-upstream-stable: released (4.9.218) [86e98ce7de083649e330d518e98a80b9e39b5d43]
sid: released (5.5.17-1)
4.19-buster-security: released (4.19.118-1)
4.9-stretch-security: released (4.9.228-1)