On Thu, Nov 30, 2017 at 10:37:40AM -0800, Guenter Roeck wrote: > Hi, > > The fix for CVE-2017-16939 has been applied to v4.9.y, but not to v4.4.y > and older kernels. However, I confirmed that running the published POC > (see https://blogs.securiteam.com/index.php/archives/3535) does crash a 4.4 > kernel. > > I confirmed that the following two patches fix the problem in v4.4.y. > Please consider applying them to v4.4.y (and possibly v3.18.y). > > fc9e50f5a5a4e ("netlink: add a start callback for starting a netlink dump") > 1137b5e2529a8 ("ipsec: Fix aborted xfrm policy dump crash") > > My apologies for the noise if this is already under consideration. Ah, thanks for this, I had tried this a few times, and asked around, but missed that just adding the first patch here would solve the issue. Both are now queued up, thanks for bringing this up again. greg k-h