On Sat, Dec 02, 2017 at 04:20:40PM -0800, Guenter Roeck wrote: > On 12/01/2017 11:48 AM, Michal Kubecek wrote: > > On Thu, Nov 30, 2017 at 10:37:40AM -0800, Guenter Roeck wrote: > > > Hi, > > > > > > The fix for CVE-2017-16939 has been applied to v4.9.y, but not to v4.4.y > > > and older kernels. However, I confirmed that running the published POC > > > (see https://blogs.securiteam.com/index.php/archives/3535) does crash a 4.4 > > > kernel. > > > > > > I confirmed that the following two patches fix the problem in v4.4.y. > > > Please consider applying them to v4.4.y (and possibly v3.18.y). > > > > > > fc9e50f5a5a4e ("netlink: add a start callback for starting a netlink dump") > > > 1137b5e2529a8 ("ipsec: Fix aborted xfrm policy dump crash") > > > > > > My apologies for the noise if this is already under consideration. > > > > It's a bit too big hammer. As Nicolai Stange noticed when we were > > The hammer is just as big as the upstream hammer. Personally I prefer the > upstream patch; I don't see a reason to deviate from upstream just because > the upstream solution is more complex than necessary. > > > handling this for SLE12 (where fc9e50f5a5a4e would break kABI), it's > > I didn't know that this is even a concern for stable releases. Is there > some guideline that kABI changes should be avoided in stable releases ? Nope, for now I don't care about kABI changes in stable releases. I'd almost always prefer to take the upstream patches exactly as-is. thanks, greg k-h