Thread: 6 messages, 3 authors, 2017-12-04

Re: Fixing CVE-2017-16939 in v4.4.y and possibly v3.18.y

From: Michal Kubecek <hidden>
Date: 2017-12-03 00:44:10
Also in: stable

On Sat, Dec 02, 2017 at 04:20:40PM -0800, Guenter Roeck wrote:
> On 12/01/2017 11:48 AM, Michal Kubecek wrote:
> > On Thu, Nov 30, 2017 at 10:37:40AM -0800, Guenter Roeck wrote:
> > > Hi,
> > >
> > > The fix for CVE-2017-16939 has been applied to v4.9.y, but not to v4.4.y
> > > and older kernels. However, I confirmed that running the published POC
> > > (see https://blogs.securiteam.com/index.php/archives/3535) does crash a 4.4
> > > kernel.
> > >
> > > I confirmed that the following two patches fix the problem in v4.4.y.
> > > Please consider applying them to v4.4.y (and possibly v3.18.y).
> > >
> > > fc9e50f5a5a4e ("netlink: add a start callback for starting a netlink dump")
> > > 1137b5e2529a8 ("ipsec: Fix aborted xfrm policy dump crash")
> > >
> > > My apologies for the noise if this is already under consideration.
> > It's a bit too big a hammer. As Nicolai Stange noticed when we were
> The hammer is just as big as the upstream hammer. Personally I prefer the
> upstream patch; I don't see a reason to deviate from upstream just because
> the upstream solution is more complex than necessary.

Comparing that little patch with the combination of the two commits,
I would say we have a very different idea of what "as big as" means. :-)

> > handling this for SLE12 (where fc9e50f5a5a4e would break kABI), it's
> I didn't know that this is even a concern for stable releases. Is there
> some guideline that kABI changes should be avoided in stable releases?

Not to my knowledge, stable updates break kABI quite often. I just
mentioned it to explain why we had stronger motivation to find another
solution.

Michal Kubecek