[pve-kernel.git] / CVE-2017-9076_9077-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch

From ef8ae9e80ab0846763c6405968852e19c9a87782 Mon Sep 17 00:00:00 2001
From: WANG Cong <xiyou.wangcong@gmail.com>
Date: Wed, 7 Jun 2017 12:28:27 +0200
Subject: [PATCH] ipv6/dccp: do not inherit ipv6_mc_list from parent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
we should clear ipv6_mc_list etc. for IPv6 sockets too.

Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2017-9076
CVE-2017-9077

(cherry-picked from 83eaddab4378db256d00d295bda6ca997cd13a52)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 net/dccp/ipv6.c     | 6 ++++++
 net/ipv6/tcp_ipv6.c | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 2f3e8bbe2cb9..8f41327c1edf 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
 		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
 		newnp->pktoptions  = NULL;
 		newnp->opt	   = NULL;
+		newnp->ipv6_mc_list = NULL;
+		newnp->ipv6_ac_list = NULL;
+		newnp->ipv6_fl_list = NULL;
 		newnp->mcast_oif   = inet6_iif(skb);
 		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
 
@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
 	/* Clone RX bits */
 	newnp->rxopt.all = np->rxopt.all;
 
+	newnp->ipv6_mc_list = NULL;
+	newnp->ipv6_ac_list = NULL;
+	newnp->ipv6_fl_list = NULL;
 	newnp->pktoptions = NULL;
 	newnp->opt	  = NULL;
 	newnp->mcast_oif  = inet6_iif(skb);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index cfc232714139..c0ca1218801b 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1055,6 +1055,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
 		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
 #endif
 
+		newnp->ipv6_mc_list = NULL;
 		newnp->ipv6_ac_list = NULL;
 		newnp->ipv6_fl_list = NULL;
 		newnp->pktoptions  = NULL;
@@ -1124,6 +1125,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
 	   First: no IPv4 options.
 	 */
 	newinet->inet_opt = NULL;
+	newnp->ipv6_mc_list = NULL;
 	newnp->ipv6_ac_list = NULL;
 	newnp->ipv6_fl_list = NULL;
 
-- 
2.11.0
Commit	Line	Data
0f831b3c FG	1	From ef8ae9e80ab0846763c6405968852e19c9a87782 Mon Sep 17 00:00:00 2001
	2	From: WANG Cong <xiyou.wangcong@gmail.com>
	3	Date: Wed, 7 Jun 2017 12:28:27 +0200
	4	Subject: [PATCH] ipv6/dccp: do not inherit ipv6_mc_list from parent
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
	10	we should clear ipv6_mc_list etc. for IPv6 sockets too.
	11
	12	Cc: Eric Dumazet <edumazet@google.com>
	13	Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
	14	Acked-by: Eric Dumazet <edumazet@google.com>
	15	Signed-off-by: David S. Miller <davem@davemloft.net>
	16
	17	CVE-2017-9076
	18	CVE-2017-9077
	19
	20	(cherry-picked from 83eaddab4378db256d00d295bda6ca997cd13a52)
	21	Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
	22	Acked-by: Colin Ian King <colin.king@canonical.com>
	23	Acked-by: Andy Whitcroft <apw@canonical.com>
	24	Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
	25
	26	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	27	---
	28	net/dccp/ipv6.c \| 6 ++++++
	29	net/ipv6/tcp_ipv6.c \| 2 ++
	30	2 files changed, 8 insertions(+)
	31
	32	diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
	33	index 2f3e8bbe2cb9..8f41327c1edf 100644
	34	--- a/net/dccp/ipv6.c
	35	+++ b/net/dccp/ipv6.c
	36	@@ -426,6 +426,9 @@ static struct sock dccp_v6_request_recv_sock(const struct sock sk,
	37	newsk->sk_backlog_rcv = dccp_v4_do_rcv;
	38	newnp->pktoptions = NULL;
	39	newnp->opt = NULL;
	40	+ newnp->ipv6_mc_list = NULL;
	41	+ newnp->ipv6_ac_list = NULL;
	42	+ newnp->ipv6_fl_list = NULL;
	43	newnp->mcast_oif = inet6_iif(skb);
	44	newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
	45
	46	@@ -490,6 +493,9 @@ static struct sock dccp_v6_request_recv_sock(const struct sock sk,
	47	/* Clone RX bits */
	48	newnp->rxopt.all = np->rxopt.all;
	49
	50	+ newnp->ipv6_mc_list = NULL;
	51	+ newnp->ipv6_ac_list = NULL;
	52	+ newnp->ipv6_fl_list = NULL;
	53	newnp->pktoptions = NULL;
	54	newnp->opt = NULL;
	55	newnp->mcast_oif = inet6_iif(skb);
	56	diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
	57	index cfc232714139..c0ca1218801b 100644
	58	--- a/net/ipv6/tcp_ipv6.c
	59	+++ b/net/ipv6/tcp_ipv6.c
	60	@@ -1055,6 +1055,7 @@ static struct sock tcp_v6_syn_recv_sock(const struct sock sk, struct sk_buff *
	61	newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
	62	#endif
	63
	64	+ newnp->ipv6_mc_list = NULL;
65	newnp->ipv6_ac_list = NULL;
66	newnp->ipv6_fl_list = NULL;
67	newnp->pktoptions = NULL;
68	@@ -1124,6 +1125,7 @@ static struct sock tcp_v6_syn_recv_sock(const struct sock sk, struct sk_buff *
69	First: no IPv4 options.
70	*/
71	newinet->inet_opt = NULL;
72	+ newnp->ipv6_mc_list = NULL;
73	newnp->ipv6_ac_list = NULL;
74	newnp->ipv6_fl_list = NULL;
75
76	--
77	2.11.0
78