On Sat, Dec 02, 2017 at 04:20:40PM -0800, Guenter Roeck wrote: > On 12/01/2017 11:48 AM, Michal Kubecek wrote: > > On Thu, Nov 30, 2017 at 10:37:40AM -0800, Guenter Roeck wrote: > > > Hi, > > > > > > The fix for CVE-2017-16939 has been applied to v4.9.y, but not to v4.4.y > > > and older kernels. However, I confirmed that running the published POC > > > (see https://blogs.securiteam.com/index.php/archives/3535) does crash a 4.4 > > > kernel. > > > > > > I confirmed that the following two patches fix the problem in v4.4.y. > > > Please consider applying them to v4.4.y (and possibly v3.18.y). > > > > > > fc9e50f5a5a4e ("netlink: add a start callback for starting a netlink dump") > > > 1137b5e2529a8 ("ipsec: Fix aborted xfrm policy dump crash") > > > > > > My apologies for the noise if this is already under consideration. > > > > It's a bit too big hammer. As Nicolai Stange noticed when we were > > The hammer is just as big as the upstream hammer. Personally I prefer the > upstream patch; I don't see a reason to deviate from upstream just because > the upstream solution is more complex than necessary. Comparing that little patch with the combination of the two commits, I would say we have a very different idea what "as big as" means. :-) > > handling this for SLE12 (where fc9e50f5a5a4e would break kABI), it's > > I didn't know that this is even a concern for stable releases. Is there > some guideline that kABI changes should be avoided in stable releases ? Not to my knowledge, stable updates break kABI quite often. I just mentioned it to explain why we had stronger motivation to find another solution. Michal Kubecek