anthias: security: net patch for CVE-2016-3841
pv6: add complete rcu protection around np->opt This patch addresses multiple problems : UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions while socket is not locked : Other threads can change np->opt concurrently. Dmitry posted a syzkaller (http://github.com/google/syzkaller) program desmonstrating use-after-free. Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock() and dccp_v6_request_recv_sock() also need to use RCU protection to dereference np->opt once (before calling ipv6_dup_options()) This patch adds full RCU protection to np->opt Change-Id: I93a999026e0f95d2ae0cc03948d2cfff6e62a2d5 Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/249052 Tested-by:Carol_Jiang <carol_jiang@asus.com> Reviewed-by:
Carol_Jiang <carol_jiang@asus.com>
Showing
- include/linux/ipv6.h 1 addition, 1 deletioninclude/linux/ipv6.h
- include/net/ipv6.h 20 additions, 1 deletioninclude/net/ipv6.h
- net/dccp/ipv6.c 21 additions, 12 deletionsnet/dccp/ipv6.c
- net/ipv6/af_inet6.c 9 additions, 4 deletionsnet/ipv6/af_inet6.c
- net/ipv6/datagram.c 3 additions, 1 deletionnet/ipv6/datagram.c
- net/ipv6/exthdrs.c 2 additions, 1 deletionnet/ipv6/exthdrs.c
- net/ipv6/inet6_connection_sock.c 8 additions, 3 deletionsnet/ipv6/inet6_connection_sock.c
- net/ipv6/ipv6_sockglue.c 24 additions, 12 deletionsnet/ipv6/ipv6_sockglue.c
- net/ipv6/raw.c 6 additions, 2 deletionsnet/ipv6/raw.c
- net/ipv6/syncookies.c 1 addition, 1 deletionnet/ipv6/syncookies.c
- net/ipv6/tcp_ipv6.c 17 additions, 10 deletionsnet/ipv6/tcp_ipv6.c
- net/ipv6/udp.c 6 additions, 2 deletionsnet/ipv6/udp.c
- net/l2tp/l2tp_ip6.c 6 additions, 2 deletionsnet/l2tp/l2tp_ip6.c
Please register or sign in to comment