[1/1] UBUNTU: SAUCE: tcp: Correct the backport of the CVE-2018-5390 fix

Message ID 1536951023-22712-2-git-send-email-tyhicks@canonical.com
State New
Series CVE-2018-5390 - Fix incorrect patch backport

Commit Message

Tyler Hicks Sept. 14, 2018, 6:50 p.m. UTC
The backport of upstream commit 3d4bf93ac120 ("tcp: detect malicious
patterns in tcp_collapse_ofo_queue()") didn't increase the
range_truesize value in some situations.

CVE-2018-5390

Fixes: 8a668da92a76 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 net/ipv4/tcp_input.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Tyler Hicks Sept. 14, 2018, 7:44 p.m. UTC | #1
Hold off on applying this change. There's still a discrepancy (+= vs =
for the existing range_truesize assignment) between the 4.14.y stable
branch and what this patch does.

Tyler

On 2018-09-14 18:50:23, Tyler Hicks wrote:
> The backport of upstream commit 3d4bf93ac120 ("tcp: detect malicious
> patterns in tcp_collapse_ofo_queue()") didn't increase the
> range_truesize value in some situations.
> 
> CVE-2018-5390
> 
> Fixes: 8a668da92a76 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
> ---
>  net/ipv4/tcp_input.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index ab79331a510e..4d5c79f40aac 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -4638,6 +4638,7 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
>  			end = TCP_SKB_CB(skb)->end_seq;
>  			range_truesize += skb->truesize;
>  		} else {
> +			range_truesize += skb->truesize;
>  			if (before(TCP_SKB_CB(skb)->seq, start))
>  				start = TCP_SKB_CB(skb)->seq;
>  			if (after(TCP_SKB_CB(skb)->end_seq, end))
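Review bot: The commit message says only "in some situations", while the hunk shows the missing increment is specifically in the `else` branch, the path where the skb's sequence numbers are used to widen `start` and `end` via `before()`/`after()`. Name that path in the commit message so that a reader comparing this backport against 3d4bf93ac120 can tell which case 8a668da92a76 missed.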
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Tyler Hicks Sept. 14, 2018, 8:44 p.m. UTC | #2
On 2018-09-14 14:44:24, Tyler Hicks wrote:
> Hold off on applying this change. There's still a discrepancy (+= vs =
> for the existing range_truesize assignment) between the 4.14.y stable
> branch and what this patch does.

Yeah, I need one other change to correct the backport. I'll send out the
corrected patch in a v2.

Tyler

> 
> Tyler
> 
> On 2018-09-14 18:50:23, Tyler Hicks wrote:
> > The backport of upstream commit 3d4bf93ac120 ("tcp: detect malicious
> > patterns in tcp_collapse_ofo_queue()") didn't increase the
> > range_truesize value in some situations.
> > 
> > CVE-2018-5390
> > 
> > Fixes: 8a668da92a76 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
> > Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
> > ---
> >  net/ipv4/tcp_input.c | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> > index ab79331a510e..4d5c79f40aac 100644
> > --- a/net/ipv4/tcp_input.c
> > +++ b/net/ipv4/tcp_input.c
> > @@ -4638,6 +4638,7 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
> >  			end = TCP_SKB_CB(skb)->end_seq;
> >  			range_truesize += skb->truesize;
> >  		} else {
> > +			range_truesize += skb->truesize;
> >  			if (before(TCP_SKB_CB(skb)->seq, start))
> >  				start = TCP_SKB_CB(skb)->seq;
> >  			if (after(TCP_SKB_CB(skb)->end_seq, end))
> > -- 
> > 2.7.4
> > 
> > 
> > -- 
> > kernel-team mailing list
> > kernel-team@lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team



> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Patch

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index ab79331a510e..4d5c79f40aac 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4638,6 +4638,7 @@  static void tcp_collapse_ofo_queue(struct sock *sk)
 			end = TCP_SKB_CB(skb)->end_seq;
 			range_truesize += skb->truesize;
 		} else {
+			range_truesize += skb->truesize;
 			if (before(TCP_SKB_CB(skb)->seq, start))
 				start = TCP_SKB_CB(skb)->seq;
 			if (after(TCP_SKB_CB(skb)->end_seq, end))
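
Review bot: The unchanged context line `range_truesize += skb->truesize;` just above `} else {` still accumulates in the branch that, judging by the `end = TCP_SKB_CB(skb)->end_seq;` assignment before it, starts a new range, so with this addition both branches only ever add to `range_truesize` and nothing in the hunk resets it per range. If the value is meant to describe the current range only, that context line should be a plain assignment (`range_truesize = skb->truesize;`), which is the `+=` vs `=` discrepancy with 4.14.y raised in the thread. Fold that change into this fix and compare the resulting function against upstream 3d4bf93ac120 before applying, rather than taking the one-line addition alone.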