mbox series

[5.15,0/8] ax25: fixes for CVE-2022-1199/CVE-2022-1204/CVE-2022-1205

Message ID 20220415161422.1016735-1-ovidiu.panait@windriver.com
Headers show
Series ax25: fixes for CVE-2022-1199/CVE-2022-1204/CVE-2022-1205 | expand

Message

Ovidiu Panait April 15, 2022, 4:14 p.m. UTC
CVE-2022-1199
--------------
Reference: https://www.openwall.com/lists/oss-security/2022/04/02/5

Upstream fixes:
[1] https://github.com/torvalds/linux/commit/4e0f718daf97d47cf7dec122da1be970f145c809
[2] https://github.com/torvalds/linux/commit/7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10
[3] https://github.com/torvalds/linux/commit/71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac

Commits [1] and [3] are already present in 5.15-stable, this patchset includes
the backport for [2].

CVE-2022-1204
-------------
Reference: https://www.openwall.com/lists/oss-security/2022/04/02/2

Upstream fixes:
https://github.com/torvalds/linux/commit/d01ffb9eee4af165d83b08dd73ebdf9fe94a519b
https://github.com/torvalds/linux/commit/87563a043cef044fed5db7967a75741cc16ad2b1
https://github.com/torvalds/linux/commit/feef318c855a361a1eccd880f33e88c460eb63b4
https://github.com/torvalds/linux/commit/9fd75b66b8f68498454d685dc4ba13192ae069b0
https://github.com/torvalds/linux/commit/5352a761308397a0e6250fdc629bb3f615b94747

CVE-2022-1205
-------------
Reference: https://www.openwall.com/lists/oss-security/2022/04/02/4

Upstream fixes:
https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009
https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0

Minor contextual adjustments were done for all backports and also
dev_put_track()/dev_hold_track() calls were replaced with dev_put()/dev_hold().

Duoming Zhou (8):
  ax25: add refcount in ax25_dev to avoid UAF bugs
  ax25: fix reference count leaks of ax25_dev
  ax25: fix UAF bugs of net_device caused by rebinding operation
  ax25: Fix refcount leaks caused by ax25_cb_del()
  ax25: fix UAF bug in ax25_send_control()
  ax25: fix NPD bug in ax25_disconnect
  ax25: Fix NULL pointer dereferences in ax25 timers
  ax25: Fix UAF bugs in ax25 timers

 include/net/ax25.h    | 12 ++++++++++++
 net/ax25/af_ax25.c    | 38 ++++++++++++++++++++++++++++++--------
 net/ax25/ax25_dev.c   | 28 +++++++++++++++++++++++-----
 net/ax25/ax25_route.c | 13 +++++++++++--
 net/ax25/ax25_subr.c  | 20 ++++++++++++++------
 5 files changed, 90 insertions(+), 21 deletions(-)