Message ID | 20220621190912.355417-1-cascardo@canonical.com |
---|---|
Headers | show |
Series | CVE-2022-28356 followup | expand |
On 6/21/22 13:09, Thadeu Lima de Souza Cascardo wrote: > [Impact] > When binding an already bound LLC socket, network devices references would > be put, leading to a use-after-free. > > [Test case] > A program binding an LLC socket multiple times was used to test this. > > [Backport] > A pre-req commit is included as it allows dev_put to be called with a NULL parameter. > The fix is the one applied to 5.10.y tree as the upstream version of the > original fix required a new function that is not present on 5.13. > > [Review] > Other error paths on the affected functions were reviewed. > > [Potential regression] > LLC socket users would be affected. LLC require CAP_NET_RAW on the initial network namespace. > > Eric Dumazet (1): > llc: only change llc->dev when bind() succeeds > > Yajun Deng (1): > netdevice: add the case if dev is NULL > > include/linux/netdevice.h | 12 ++++++--- > net/llc/af_llc.c | 57 ++++++++++++++++++++++----------------- > 2 files changed, 40 insertions(+), 29 deletions(-) > Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 21.06.22 21:09, Thadeu Lima de Souza Cascardo wrote: > [Impact] > When binding an already bound LLC socket, network devices references would > be put, leading to a use-after-free. > > [Test case] > A program binding an LLC socket multiple times was used to test this. > > [Backport] > A pre-req commit is included as it allows dev_put to be called with a NULL parameter. > The fix is the one applied to 5.10.y tree as the upstream version of the > original fix required a new function that is not present on 5.13. > > [Review] > Other error paths on the affected functions were reviewed. > > [Potential regression] > LLC socket users would be affected. LLC require CAP_NET_RAW on the initial network namespace. > > Eric Dumazet (1): > llc: only change llc->dev when bind() succeeds > > Yajun Deng (1): > netdevice: add the case if dev is NULL > > include/linux/netdevice.h | 12 ++++++--- > net/llc/af_llc.c | 57 ++++++++++++++++++++++----------------- > 2 files changed, 40 insertions(+), 29 deletions(-) > Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 21.06.22 21:09, Thadeu Lima de Souza Cascardo wrote: > [Impact] > When binding an already bound LLC socket, network devices references would > be put, leading to a use-after-free. > > [Test case] > A program binding an LLC socket multiple times was used to test this. > > [Backport] > A pre-req commit is included as it allows dev_put to be called with a NULL parameter. > The fix is the one applied to 5.10.y tree as the upstream version of the > original fix required a new function that is not present on 5.13. > > [Review] > Other error paths on the affected functions were reviewed. > > [Potential regression] > LLC socket users would be affected. LLC require CAP_NET_RAW on the initial network namespace. > > Eric Dumazet (1): > llc: only change llc->dev when bind() succeeds > > Yajun Deng (1): > netdevice: add the case if dev is NULL > > include/linux/netdevice.h | 12 ++++++--- > net/llc/af_llc.c | 57 ++++++++++++++++++++++----------------- > 2 files changed, 40 insertions(+), 29 deletions(-) > Applied instead to focal:linux-hwe-5.13/hwe-5.13-next. Thanks. -Stefan