- From: Matthias Schiffer <mschiffer@universe-factory.net>
- Date: Tue, 11 Oct 2016 00:46:56 +0200
- Subject: kernel: add fix for CVE-2016-7117
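--- /dev/null
+++ b/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch
@@ -0,0 +1,95 @@
+From cdd1fd36f4b67d9fdbeb1a4d16025192d44a3e8b Mon Sep 17 00:00:00 2001
+Message-Id: <cdd1fd36f4b67d9fdbeb1a4d16025192d44a3e8b.1476139573.git.mschiffer@universe-factory.net>
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 14 Mar 2016 09:56:35 -0300
+Subject: [PATCH] net: Fix use after free in the recvmmsg exit path
+
+[ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ]
+
+The syzkaller fuzzer hit the following use-after-free:
+
+ Call Trace:
+ [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
+ [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
+ [< inline >] SYSC_recvmmsg net/socket.c:2281
+ [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
+ [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
+ arch/x86/entry/entry_64.S:185
+
+And, as Dmitry rightly assessed, that is because we can drop the
+reference and then touch it when the underlying recvmsg calls return
+some packets and then hit an error, which will make recvmmsg to set
+sock->sk->sk_err, oops, fix it.
+
+Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
+http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+---
+ net/socket.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index 02fc7c8..7f61789 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2410,31 +2410,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ break;
+ }
+
+-out_put:
+- fput_light(sock->file, fput_needed);
+-
+ if (err == 0)
+- return datagrams;
++ goto out_put;
+
+- if (datagrams != 0) {
++ if (datagrams == 0) {
++ datagrams = err;
++ goto out_put;
++ }
++
++ /*
++ * We may return less entries than requested (vlen) if the
++ * sock is non block and there aren't enough datagrams...
++ */
++ if (err != -EAGAIN) {
+ /*
+- * We may return less entries than requested (vlen) if the
+- * sock is non block and there aren't enough datagrams...
++ * ... or if recvmsg returns an error after we
++ * received some datagrams, where we record the
++ * error to return on the next call or if the
++ * app asks about it using getsockopt(SO_ERROR).
+ */
+- if (err != -EAGAIN) {
+- /*
+- * ... or if recvmsg returns an error after we
+- * received some datagrams, where we record the
+- * error to return on the next call or if the
+- * app asks about it using getsockopt(SO_ERROR).
+- */
+- sock->sk->sk_err = -err;
+- }
+-
+- return datagrams;
++ sock->sk->sk_err = -err;
+ }
++out_put:
++ fput_light(sock->file, fput_needed);
+
+- return err;
++ return datagrams;
+ }
+
+ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
+--
+2.10.0
+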
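Review bot: The backport is added only under target/linux/generic/patches-3.18; if this tree also carries other kernel series whose stable branch predates upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d, those need the same patch or the corresponding targets remain exposed to CVE-2016-7117. I cannot see the other patch directories from here, so treat this as a question to confirm rather than a defect. Within the hunk itself the logic is the upstream fix verbatim: `fput_light(sock->file, fput_needed)` now runs after the `sock->sk->sk_err = -err` write instead of before it, so the socket reference is still held when the error is recorded, and the error-with-no-datagrams case returns `err` via `datagrams = err` through the single `out_put` exit. Nothing else in the hunk needs changing; note that `__sys_recvmmsg` begins above the inner hunk, so the loop that sets `err` and `datagrams` is not visible here.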