Commit 17e443be authored by Lin, Zhenpeng's avatar Lin, Zhenpeng Committed by Zheng Zengkai
Browse files

dccp: don't duplicate ccid when cloning dccp sock 

stable inclusion
from stable-5.10.68
commit 6c3cb65d561e76fd0398026c023e587fec70e188
bugzilla: 182671 https://gitee.com/openeuler/kernel/issues/I4EWUH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6c3cb65d561e76fd0398026c023e587fec70e188



--------------------------------

commit d9ea761f upstream.

Commit 2677d206 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
a UAF but reintroduced CVE-2017-6074.

When the sock is cloned, two dccps_hc_tx_ccid will reference to the
same ccid. So one can free the ccid object twice from two socks after
cloning.

This issue was found by "Hadar Manor" as well and assigned with
CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port
the patch from Ubuntu to fix it.

The patch prevents cloned socks from referencing the same ccid.

Fixes: 2677d206 ("dccp: don't free ccid2_hc_tx_sock ...")
Signed-off-by: default avatarZhenpeng Lin <zplin@psu.edu>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarChen Jun <chenjun102@huawei.com>
Acked-by: default avatarWeilong Chen <chenweilong@huawei.com>

Signed-off-by: default avatarChen Jun <chenjun102@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent ca3fd11a
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment