<div dir="auto">Acked-by: Sultan Alsawaf <<a href="mailto:sultan.alsawaf@canonical.com">sultan.alsawaf@canonical.com</a>></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 9, 2019, 11:00 AM Tyler Hicks <<a href="mailto:tyhicks@canonical.com">tyhicks@canonical.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">BugLink: <a href="https://launchpad.net/bugs/1847478" rel="noreferrer noreferrer" target="_blank">https://launchpad.net/bugs/1847478</a><br>
<br>
[Impact]<br>
<br>
An unprivileged local attacker could cause a denial of service, or<br>
possibly execute arbitrary code due to an ipv6 regression.<br>
<br>
[Test Case]<br>
<br>
An unpatched system will crash with the following command:<br>
<br>
$ unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set<br>
dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table<br>
main suppress_prefixlength 0 && ping -f 1234::1'<br>
<br>
[Regression Potential]<br>
<br>
Low. The change could theoretically introduce a memory leak but that<br>
would still be an improvement over immediate loss of system<br>
availability.<br>
<br>
<br>
Clean cherry pick. Build logs are clean. I've successfully tested with<br>
the one-liner in the [Test Case]. I did not run the newly added net<br>
selftest since it is the same as the one-liner.<br>
<br>
Tyler<br>
<br>
Jason A. Donenfeld (1):<br>
ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule<br>
<br>
net/ipv6/fib6_rules.c | 3 ++-<br>
tools/testing/selftests/net/fib_tests.sh | 17 ++++++++++++++++-<br>
2 files changed, 18 insertions(+), 2 deletions(-)<br>
<br>
-- <br>
2.17.1<br>
<br>
<br>
-- <br>
kernel-team mailing list<br>
<a href="mailto:kernel-team@lists.ubuntu.com" target="_blank" rel="noreferrer">kernel-team@lists.ubuntu.com</a><br>
<a href="https://lists.ubuntu.com/mailman/listinfo/kernel-team" rel="noreferrer noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/kernel-team</a><br>
</blockquote></div>