From: Hannes Frederic Sowa <han...@stressinduktion.org>
Date: Mon, 14 Dec 2015 22:03:39 +0100
> 郭永刚 reported that one could simply crash the kernel as root by
> using a simple program:
>
> int socket_fd;
> struct sockaddr_in addr;
> addr.sin_port = 0;
> addr.sin_addr.s_addr = INADDR_ANY;
> addr.sin_family = 10;
>
> socket_fd = socket(10,3,0x40000000);
> connect(socket_fd , &addr,16);
>
> AF_INET, AF_INET6 sockets actually only support 8-bit protocol
> identifiers. inet_sock's skc_protocol field thus is sized accordingly,
> thus larger protocol identifiers simply cut off the higher bits and
> store a zero in the protocol fields.
>
> This could lead to e.g. NULL function pointer because as a result of
> the cut off inet_num is zero and we call down to inet_autobind, which
> is NULL for raw sockets.
>
> kernel: Call Trace:
> kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
> kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
> kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
> kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
> kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
> kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
> kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
>
> I found no particular commit which introduced this problem.
>
> CVE: CVE-2015-8543
> Cc: Cong Wang <cw...@twopensource.com>
> Reported-by: 郭永刚 <guoyongg...@360.cn>
> Signed-off-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Applied and queued up for -stable, thanks.
N�����r��y����b�X��ǧv�^�){.n�+���z�^�)����w*�jg���������ݢj/���z�ޖ��2�ޙ����&�)ߡ�a������G���h���j:+v���w��٥
