[Devel] [PATCH RHEL9 COMMIT] ms/dccp: don't duplicate ccid when cloning dccp sock

Konstantin Khorenko khorenko at virtuozzo.com
Mon Dec 13 18:28:13 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.36
------>
commit 4ec146ffe3b2b5cab1615bf4709e3654a01b7f79
Author: Lin, Zhenpeng <zplin at psu.edu>
Date:   Wed Sep 8 03:40:59 2021 +0000

    ms/dccp: don't duplicate ccid when cloning dccp sock
    
    Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
    a UAF but reintroduced CVE-2017-6074.
    
    When the sock is cloned, two dccps_hc_tx_ccid will reference the
    same ccid. So one can free the ccid object twice from two socks after
    cloning.
    
    This issue was found by "Hadar Manor" as well and assigned
    CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port
    the patch from Ubuntu to fix it.
    
    The patch prevents cloned socks from referencing the same ccid.
    
    Fixes: 2677d2067731410 ("dccp: don't free ccid2_hc_tx_sock ...")
    Signed-off-by: Zhenpeng Lin <zplin at psu.edu>
    Signed-off-by: David S. Miller <davem at davemloft.net>
    
    https://jira.sw.ru/browse/PSBM-121326
    CVE-2020-16119: DCCP CCID structure use-after-free may lead to DoS or code execution
    
    (cherry picked from ms commit d9ea761fdd197351890418acd462c51f241014a7)
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/dccp/minisocks.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index c5c74a34d139..91e7a2202697 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -94,6 +94,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
 		newdp->dccps_role	    = DCCP_ROLE_SERVER;
 		newdp->dccps_hc_rx_ackvec   = NULL;
 		newdp->dccps_service_list   = NULL;
+		newdp->dccps_hc_rx_ccid     = NULL;
+		newdp->dccps_hc_tx_ccid     = NULL;
 		newdp->dccps_service	    = dreq->dreq_service;
 		newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
 		newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;
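Review bot: the two added lines (`+ newdp->dccps_hc_rx_ccid = NULL;` and `+ newdp->dccps_hc_tx_ccid = NULL;`) carry no comment explaining that newdp was copied from the listener and would otherwise share its CCID objects, which is exactly the double-free the commit message describes; a reader of this function later has nothing stopping them from "simplifying" the resets away. Suggest a one-line comment above them, e.g. `/* CCIDs are per-sock: never share the listener's, allocate the child's own below */`, and, since the hunk shows only the reset and not where the child's CCIDs get allocated, confirm in review that every path that returns newsk from dccp_create_openreq_child does allocate them (the same pattern as the dccps_hc_rx_ackvec reset two lines above).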

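The ownership bug the commit message describes, modelled in user space as an added example (this is not kernel code and not part of the patch): a struct copy, as sk_clone_lock() performs, carries the listener's CCID pointers into the child, so both socks later release the same object. The names clone_sharing_ccid, clone_fresh_ccid, ccid_put and dccp_clone_double_frees are hypothetical stand-ins; the fixed variant allocates the child's CCIDs right after the reset purely to keep the model self-contained.

```c
/*
 * Added illustration, not kernel code: why a cloned DCCP sock must not
 * share the parent's CCID objects. The buggy clone copies the whole struct
 * and keeps the listener's pointers; the fixed clone resets them first.
 */
#include <stdio.h>
#include <string.h>

struct ccid {
    int id;
    int alive;              /* cleared on first release so a second one is detectable */
};

struct dccp_sock {
    int role;
    struct ccid *hc_rx_ccid;
    struct ccid *hc_tx_ccid;
};

/* Small static pool instead of malloc: released objects stay addressable,
 * so a double release is counted rather than corrupting the heap. */
static struct ccid pool[16];
static int pool_used;
static int double_frees;

static struct ccid *ccid_new(int id)
{
    struct ccid *c = &pool[pool_used++];
    c->id = id;
    c->alive = 1;
    return c;
}

static void ccid_put(struct ccid *c)
{
    if (!c)
        return;
    if (!c->alive) {        /* already released by the other sock */
        double_frees++;
        return;
    }
    c->alive = 0;
}

static void dccp_sock_destroy(struct dccp_sock *sk)
{
    ccid_put(sk->hc_tx_ccid);
    ccid_put(sk->hc_rx_ccid);
    sk->hc_tx_ccid = sk->hc_rx_ccid = NULL;
}

/* Buggy variant: the struct copy carries the listener's CCID pointers along. */
static void clone_sharing_ccid(struct dccp_sock *child, const struct dccp_sock *parent)
{
    memcpy(child, parent, sizeof(*child));
    child->role = 1;
}

/* Fixed variant: reset the copied pointers, then give the child its own
 * objects (hypothetical placement; the kernel allocates them later). */
static void clone_fresh_ccid(struct dccp_sock *child, const struct dccp_sock *parent)
{
    memcpy(child, parent, sizeof(*child));
    child->role = 1;
    child->hc_rx_ccid = NULL;
    child->hc_tx_ccid = NULL;
    child->hc_rx_ccid = ccid_new(parent->hc_rx_ccid->id);
    child->hc_tx_ccid = ccid_new(parent->hc_tx_ccid->id);
}

/* Runs one listener/child lifecycle and returns how many CCID objects were
 * released twice: 2 with the sharing clone, 0 with the fixed one. */
int dccp_clone_double_frees(int use_fix)
{
    struct dccp_sock listener;
    struct dccp_sock child;

    pool_used = 0;
    double_frees = 0;
    listener.role = 0;
    listener.hc_rx_ccid = ccid_new(2);   /* constructed: CCID 2 for both halves */
    listener.hc_tx_ccid = ccid_new(2);

    if (use_fix)
        clone_fresh_ccid(&child, &listener);
    else
        clone_sharing_ccid(&child, &listener);

    dccp_sock_destroy(&child);      /* child closes first ... */
    dccp_sock_destroy(&listener);   /* ... then the listener releases "its" CCIDs */
    return double_frees;
}

int main(void)
{
    printf("sharing clone: %d double frees\n", dccp_clone_double_frees(0));
    printf("fixed clone:   %d double frees\n", dccp_clone_double_frees(1));
    return 0;
}
```

The model counts double releases instead of calling free() twice so the outcome is observable; in the kernel the same sequence frees the CCID slab object twice, which is the CVE-2020-16119 condition named in the commit message.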
