From 33a5b3ed6e40e55be41742dc127aaf2a4cd399dd Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jeremy@jcline.org>
Date: Dec 12 2017 18:44:04 +0000
Subject: Fix CVE-2017-8824 (rhbz 1519591 1520764)


---

diff --git a/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch b/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
new file mode 100644
index 0000000..192e435
--- /dev/null
+++ b/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
@@ -0,0 +1,43 @@
+From 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 Mon Sep 17 00:00:00 2001
+Message-Id: <69c64866ce072dea1d1e59a0d61e0f66c0dffb76.1513103764.git.jeremy@jcline.org>
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: [PATCH] dccp: CVE-2017-8824: use-after-free in DCCP code
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index b68168fcc06a..9d43c1f40274 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
+ {
+ 	struct inet_connection_sock *icsk = inet_csk(sk);
+ 	struct inet_sock *inet = inet_sk(sk);
++	struct dccp_sock *dp = dccp_sk(sk);
+ 	int err = 0;
+ 	const int old_state = sk->sk_state;
+ 
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
+ 		sk->sk_err = ECONNRESET;
+ 
+ 	dccp_clear_xmit_timers(sk);
++	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++	dp->dccps_hc_rx_ccid = NULL;
++	dp->dccps_hc_tx_ccid = NULL;
+ 
+ 	__skb_queue_purge(&sk->sk_receive_queue);
+ 	__skb_queue_purge(&sk->sk_write_queue);
+-- 
+2.14.3
+
diff --git a/kernel.spec b/kernel.spec
index 5b51e73..e7fd007 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -626,8 +626,8 @@ Patch399: arm64-thunderX-fix-ipv6-checksum-offload.patch
 
 # 500 - Temp fixes/CVEs etc
 
-# rhbz 1498016 1498017
-#Patch503: KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch
+# rbhz 1519591 1520764
+Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
 
 # 600 - Patches for improved Bay and Cherry Trail device support
 # Below patches are submitted upstream, awaiting review / merging
@@ -2207,6 +2207,9 @@ fi
 #
 #
 %changelog
+* Tue Dec 12 2017 Jeremy Cline <jeremy@jcline.org>
+- Fix CVE-2017-8824 (rhbz 1519591 1520764)
+
 * Mon Dec 11 2017 Jeremy Cline <jeremy@jcline.org>
 - Re-fix USB null pointer dereference on ThinkPad X1 (rhbz 1462175)