--- /dev/null
+tcp-make-sure-write_queue_from-does-not-begin-with-null-ptr.patch
+wait_task_stopped-check-p-exit_state-instead-of-task_traced.patch
--- /dev/null
+From 96a2d41a3e495734b63bff4e5dd0112741b93b38 Mon Sep 17 00:00:00 2001
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Wed, 14 Nov 2007 15:47:18 -0800
+Subject: TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline.
+
+NULL ptr can be returned from tcp_write_queue_head to cached_skb
+and then assigned to skb if packets_out was zero. Without this,
+system is vulnerable to a carefully crafted ACKs which obviously
+is remotely triggerable.
+
+Besides, there's very little that needs to be done in sacktag
+if there weren't any packets outstanding, just skipping the rest
+doesn't hurt.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+---
+ net/ipv4/tcp_input.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1012,6 +1012,9 @@ tcp_sacktag_write_queue(struct sock *sk,
+ if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - tp->max_window))
+ return 0;
+
++ if (!tp->packets_out)
++ goto out;
++
+ /* SACK fastpath:
+ * if the only SACK change is the increase of the end_seq of
+ * the first block then only apply that SACK block
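Review bot: The new `if (!tp->packets_out) goto out;` guard carries no comment, although per the commit message it is what keeps a NULL skb returned by `tcp_write_queue_head` out of the SACK tagging path, so a later cleanup could mistake it for a mere shortcut and drop it. I would add `/* Nothing in flight: the write queue head may be NULL, so skip SACK tagging. */` directly above it. The guard only protects if `packets_out` is zero whenever the head can be NULL; the place where the cached skb is assigned lies outside this hunk, so whether it has its own NULL check cannot be confirmed from here and is worth verifying. The jump lands on the `out:` label added by the second hunk, and the value returned on that path depends on an initialisation that is visible in neither hunk. tcp_sacktag_write_queue begins and ends outside both hunks.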
+@@ -1280,6 +1283,8 @@ tcp_sacktag_write_queue(struct sock *sk,
+ (!tp->frto_highmark || after(tp->snd_una, tp->frto_highmark)))
+ tcp_update_reordering(sk, ((tp->fackets_out + 1) - reord), 0);
+
++out:
++
+ #if FASTRETRANS_DEBUG > 0
+ BUG_TRAP((int)tp->sacked_out >= 0);
+ BUG_TRAP((int)tp->lost_out >= 0);
--- /dev/null
+From a3474224e6a01924be40a8255636ea5522c1023a Mon Sep 17 00:00:00 2001
+From: Roland McGrath <roland@redhat.com>
+Date: Tue, 13 Nov 2007 22:11:50 -0800
+Subject: wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
+
+From: Roland McGrath <roland@redhat.com>
+
+patch a3474224e6a01924be40a8255636ea5522c1023a in mainline
+
+The original meaning of the old test (p->state > TASK_STOPPED) was
+"not dead", since it was before TASK_TRACED existed and before the
+state/exit_state split. It was a wrong correction in commit
+14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
+TASK_TRACED instead. It should have been changed when TASK_TRACED
+was introduced and again when exit_state was introduced.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Cc: Oleg Nesterov <oleg@tv-sign.ru>
+Cc: Alexey Dobriyan <adobriyan@sw.ru>
+Cc: Kees Cook <kees@ubuntu.com>
+Acked-by: Scott James Remnant <scott@ubuntu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/exit.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1362,8 +1362,7 @@ static int wait_task_stopped(struct task
+ int why = (p->ptrace & PT_PTRACED) ? CLD_TRAPPED : CLD_STOPPED;
+
+ exit_code = p->exit_code;
+- if (unlikely(!exit_code) ||
+- unlikely(p->state & TASK_TRACED))
++ if (unlikely(!exit_code) || unlikely(p->exit_state))
+ goto bail_ref;
+ return wait_noreap_copyout(p, pid, uid,
+ why, (exit_code << 8) | 0x7f,
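Review bot: The rewritten test `unlikely(p->exit_state)` has no comment stating its intent, and the commit message says that intent ("not dead") was already lost when TASK_TRACED and later exit_state were introduced. A one-line comment above the condition, such as `/* exit_state != 0: the task is dead, so it must not be reported as stopped */`, would document it. `p->exit_code` and `p->exit_state` are read as two separate loads here; the locking that covers them is outside the hunk, so it is worth confirming the pair cannot be observed inconsistently. wait_task_stopped starts and ends outside the hunk.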