author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 10:34:19 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 14:08:02 +0200
commit: 3250015618781f92395eed977f46421d9845c7db (patch)
tree: 55157886eea1eb033d8b71560356e334fde5f7f4
parent: 7f8ead2e22d6a65e5832b19d93771b5801bd0736 (diff)
download: enea-kernel-cache-3250015618781f92395eed977f46421d9845c7db.tar.gz
net: CVE-2019-11815
net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11815
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=a1aa69beac4d88dfb892a95ee04fe6f932803952

Change-Id: I066682d42aa9bcdc4019befae14c9930e8a34280
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

-rw-r--r-- patches/cve/4.9.x.scc | 3
-rw-r--r-- patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch | 152
2 files changed, 155 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 3869cf7..8748db7 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -37,3 +37,6 @@ patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
37 37
38#CVEs fixed in 4.9.163: 38#CVEs fixed in 4.9.163:
39patch CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch 39patch CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch
40
41#CVEs fixed in 4.9.169:
42patch CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
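Review bot: the new "#CVEs fixed in 4.9.169:" header in this hunk records a stable release that nothing else in the change documents; the commit message only cites the NVD entry and the linux-4.9.y commit a1aa69beac4d. Suggest naming the stable release alongside that commit id in the References block of the commit message, so the version claim in 4.9.x.scc can be checked without consulting the upstream tree. The added `patch` line itself matches the file created by the second diff, including the truncated "NUL" in the file name, so the .scc entry will resolve.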
diff --git a/patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch b/patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
new file mode 100644
index 0000000..aba1d1c
--- /dev/null
+++ b/patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
@@ -0,0 +1,152 @@
1From a1aa69beac4d88dfb892a95ee04fe6f932803952 Mon Sep 17 00:00:00 2001
2From: Mao Wenan <maowenan@huawei.com>
3Date: Thu, 28 Mar 2019 17:10:56 +0800
4Subject: [PATCH] net: rds: force to destroy connection if t_sock is NULL in
5 rds_tcp_kill_sock().
6
7[ Upstream commit cb66ddd156203daefb8d71158036b27b0e2caf63 ]
8
9When it is to cleanup net namespace, rds_tcp_exit_net() will call
10rds_tcp_kill_sock(), if t_sock is NULL, it will not call
11rds_conn_destroy(), rds_conn_path_destroy() and rds_tcp_conn_free() to free
12connection, and the worker cp_conn_w is not stopped, afterwards the net is freed in
13net_drop_ns(); While cp_conn_w rds_connect_worker() will call rds_tcp_conn_path_connect()
14and reference 'net' which has already been freed.
15
16In rds_tcp_conn_path_connect(), rds_tcp_set_callbacks() will set t_sock = sock before
17sock->ops->connect, but if connect() is failed, it will call
18rds_tcp_restore_callbacks() and set t_sock = NULL, if connect is always
19failed, rds_connect_worker() will try to reconnect all the time, so
20rds_tcp_kill_sock() will never to cancel worker cp_conn_w and free the
21connections.
22
23Therefore, the condition !tc->t_sock is not needed if it is going to do
24cleanup_net->rds_tcp_exit_net->rds_tcp_kill_sock, because tc->t_sock is always
25NULL, and there is on other path to cancel cp_conn_w and free
26connection. So this patch is to fix this.
27
28rds_tcp_kill_sock():
29...
30if (net != c_net || !tc->t_sock)
31...
32Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
33
34==================================================================
35BUG: KASAN: use-after-free in inet_create+0xbcc/0xd28
36net/ipv4/af_inet.c:340
37Read of size 4 at addr ffff8003496a4684 by task kworker/u8:4/3721
38
39CPU: 3 PID: 3721 Comm: kworker/u8:4 Not tainted 5.1.0 #11
40Hardware name: linux,dummy-virt (DT)
41Workqueue: krdsd rds_connect_worker
42Call trace:
43 dump_backtrace+0x0/0x3c0 arch/arm64/kernel/time.c:53
44 show_stack+0x28/0x38 arch/arm64/kernel/traps.c:152
45 __dump_stack lib/dump_stack.c:77 [inline]
46 dump_stack+0x120/0x188 lib/dump_stack.c:113
47 print_address_description+0x68/0x278 mm/kasan/report.c:253
48 kasan_report_error mm/kasan/report.c:351 [inline]
49 kasan_report+0x21c/0x348 mm/kasan/report.c:409
50 __asan_report_load4_noabort+0x30/0x40 mm/kasan/report.c:429
51 inet_create+0xbcc/0xd28 net/ipv4/af_inet.c:340
52 __sock_create+0x4f8/0x770 net/socket.c:1276
53 sock_create_kern+0x50/0x68 net/socket.c:1322
54 rds_tcp_conn_path_connect+0x2b4/0x690 net/rds/tcp_connect.c:114
55 rds_connect_worker+0x108/0x1d0 net/rds/threads.c:175
56 process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
57 worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
58 kthread+0x2f0/0x378 kernel/kthread.c:255
59 ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
60
61Allocated by task 687:
62 save_stack mm/kasan/kasan.c:448 [inline]
63 set_track mm/kasan/kasan.c:460 [inline]
64 kasan_kmalloc+0xd4/0x180 mm/kasan/kasan.c:553
65 kasan_slab_alloc+0x14/0x20 mm/kasan/kasan.c:490
66 slab_post_alloc_hook mm/slab.h:444 [inline]
67 slab_alloc_node mm/slub.c:2705 [inline]
68 slab_alloc mm/slub.c:2713 [inline]
69 kmem_cache_alloc+0x14c/0x388 mm/slub.c:2718
70 kmem_cache_zalloc include/linux/slab.h:697 [inline]
71 net_alloc net/core/net_namespace.c:384 [inline]
72 copy_net_ns+0xc4/0x2d0 net/core/net_namespace.c:424
73 create_new_namespaces+0x300/0x658 kernel/nsproxy.c:107
74 unshare_nsproxy_namespaces+0xa0/0x198 kernel/nsproxy.c:206
75 ksys_unshare+0x340/0x628 kernel/fork.c:2577
76 __do_sys_unshare kernel/fork.c:2645 [inline]
77 __se_sys_unshare kernel/fork.c:2643 [inline]
78 __arm64_sys_unshare+0x38/0x58 kernel/fork.c:2643
79 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
80 invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
81 el0_svc_common+0x168/0x390 arch/arm64/kernel/syscall.c:83
82 el0_svc_handler+0x60/0xd0 arch/arm64/kernel/syscall.c:129
83 el0_svc+0x8/0xc arch/arm64/kernel/entry.S:960
84
85Freed by task 264:
86 save_stack mm/kasan/kasan.c:448 [inline]
87 set_track mm/kasan/kasan.c:460 [inline]
88 __kasan_slab_free+0x114/0x220 mm/kasan/kasan.c:521
89 kasan_slab_free+0x10/0x18 mm/kasan/kasan.c:528
90 slab_free_hook mm/slub.c:1370 [inline]
91 slab_free_freelist_hook mm/slub.c:1397 [inline]
92 slab_free mm/slub.c:2952 [inline]
93 kmem_cache_free+0xb8/0x3a8 mm/slub.c:2968
94 net_free net/core/net_namespace.c:400 [inline]
95 net_drop_ns.part.6+0x78/0x90 net/core/net_namespace.c:407
96 net_drop_ns net/core/net_namespace.c:406 [inline]
97 cleanup_net+0x53c/0x6d8 net/core/net_namespace.c:569
98 process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
99 worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
100 kthread+0x2f0/0x378 kernel/kthread.c:255
101 ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
102
103The buggy address belongs to the object at ffff8003496a3f80
104 which belongs to the cache net_namespace of size 7872
105The buggy address is located 1796 bytes inside of
106 7872-byte region [ffff8003496a3f80, ffff8003496a5e40)
107The buggy address belongs to the page:
108page:ffff7e000d25a800 count:1 mapcount:0 mapping:ffff80036ce4b000
109index:0x0 compound_mapcount: 0
110flags: 0xffffe0000008100(slab|head)
111raw: 0ffffe0000008100 dead000000000100 dead000000000200 ffff80036ce4b000
112raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
113page dumped because: kasan: bad access detected
114
115Memory state around the buggy address:
116 ffff8003496a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
117 ffff8003496a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
118>ffff8003496a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
119 ^
120 ffff8003496a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
121 ffff8003496a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
122==================================================================
123
124CVE: CVE-2019-11815
125Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=a1aa69beac4d88dfb892a95ee04fe6f932803952]
126
127Fixes: 467fa15356ac("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
128Reported-by: Hulk Robot <hulkci@huawei.com>
129Signed-off-by: Mao Wenan <maowenan@huawei.com>
130Signed-off-by: David S. Miller <davem@davemloft.net>
131Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
132Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
133---
134 net/rds/tcp.c | 2 +-
135 1 file changed, 1 insertion(+), 1 deletion(-)
136
137diff --git a/net/rds/tcp.c b/net/rds/tcp.c
138index d36effbf7614..2daba5316caa 100644
139--- a/net/rds/tcp.c
140+++ b/net/rds/tcp.c
141@@ -527,7 +527,7 @@ static void rds_tcp_kill_sock(struct net *net)
142 list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
143 struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
144
145- if (net != c_net || !tc->t_sock)
146+ if (net != c_net)
147 continue;
148 if (!list_has_conn(&tmp_list, tc->t_cpath->cp_conn)) {
149 list_move_tail(&tc->t_tcp_node, &tmp_list);
150--
1512.20.1
152
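Review bot: the one-line change in the net/rds/tcp.c hunk drops the `!tc->t_sock` test from `rds_tcp_kill_sock()`, so connections whose transport socket is NULL are now moved onto `tmp_list` instead of being skipped; the context lines stop at `list_move_tail`, and the code that later walks `tmp_list` and tears those connections down is not visible here, so verify in the 4.9 tree that that teardown path tolerates a NULL `tc->t_sock` (any shutdown or callback-restore step that dereferences the socket) before carrying this backport, otherwise the fix for the use-after-free shown in the KASAN report trades it for a NULL dereference in the same cleanup path. The patch header carries `CVE:` and `Upstream-Status: Backport [...]` tags that agree with the commit message, which is what the patches/cve directory needs.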