author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 15:20:38 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-25 13:23:40 +0200 |
commit | 24c62aba579409ee500ff06e92b6f6a66add2e21 (patch) | |
tree | 0885c2eb88a5f61855c81ebc2c48e948ae2e6f29 | |
parent | 84ff9e626b0e68f22f5e04d8919ee2a874c472f8 (diff) | |
download | enea-kernel-cache-24c62aba579409ee500ff06e92b6f6a66add2e21.tar.gz |
packet: CVE-2017-6346
packet: fix races in fanout_add()
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=7babaac5d49ee7a88a5a324668dd13b575635d09
Change-Id: I67fda10f52f8224b4516be4293f738599121201d
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.1.x.scc | 1 | ||||
-rw-r--r-- | patches/cve/CVE-2017-6346-packet-fix-races-in-fanout_add.patch | 80 |
2 files changed, 81 insertions, 0 deletions
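--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -28,4 +28,5 @@ patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
 #fixed in 4.1.49
 patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
 patch CVE-2017-17806-crypto-hmac-require-that-the-underlying-hash-algorit.patch
+patch CVE-2017-6346-packet-fix-races-in-fanout_add.patch
 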
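--- /dev/null
+++ b/patches/cve/CVE-2017-6346-packet-fix-races-in-fanout_add.patch
@@ -0,0 +1,80 @@
+From 7babaac5d49ee7a88a5a324668dd13b575635d09 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 14 Feb 2017 09:03:51 -0800
+Subject: [PATCH] packet: fix races in fanout_add()
+
+[ Upstream commit d199fab63c11998a602205f7ee7ff7c05c97164b ]
+
+Multiple threads can call fanout_add() at the same time.
+
+We need to grab fanout_mutex earlier to avoid races that could
+lead to one thread freeing po->rollover that was set by another thread.
+
+Do the same in fanout_release(), for peace of mind, and to help us
+finding lockdep issues earlier.
+
+CVE: CVE-2017-6346
+Upstream-Status: Backport
+
+Fixes: dc99f600698d ("packet: Add fanout support.")
+Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+net/packet/af_packet.c | 26 ++++++++++++++------------
+1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 4cd7e27..88cec95 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1447,13 +1447,16 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
+return -EINVAL;
+}
+
++ mutex_lock(&fanout_mutex);
++
++ err = -EINVAL;
+if (!po->running)
+- return -EINVAL;
++ goto out;
+
++ err = -EALREADY;
+if (po->fanout)
+- return -EALREADY;
++ goto out;
+
+- mutex_lock(&fanout_mutex);
+match = NULL;
+list_for_each_entry(f, &fanout_list, list) {
+if (f->id == id &&
+@@ -1509,17 +1512,16 @@ static void fanout_release(struct sock *sk)
+struct packet_sock *po = pkt_sk(sk);
+struct packet_fanout *f;
+
+- f = po->fanout;
+- if (!f)
+- return;
+-
+mutex_lock(&fanout_mutex);
+- po->fanout = NULL;
++ f = po->fanout;
++ if (f) {
++ po->fanout = NULL;
+
+- if (atomic_dec_and_test(&f->sk_ref)) {
+- list_del(&f->list);
+- dev_remove_pack(&f->prot_hook);
+- kfree(f);
++ if (atomic_dec_and_test(&f->sk_ref)) {
++ list_del(&f->list);
++ dev_remove_pack(&f->prot_hook);
++ kfree(f);
++ }
+}
+mutex_unlock(&fanout_mutex);
+}
+--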
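Review bot: In the fanout_add() hunk the two early exits become `goto out` after `mutex_lock(&fanout_mutex)`, so correctness depends on the `out:` label unlocking the mutex, and that label lies outside the hunk; it should be checked in the 4.1.x tree before this backport is enabled. The description talks about one thread freeing po->rollover, but neither hunk touches po->rollover, which presumably means 4.1.x has no rollover allocation ahead of the lock; if so, a header line such as `Backport note: 4.1.x fanout_add() has no po->rollover allocation, only the locking change applies` would keep a later reader from assuming that part is covered. The mutex serialises fanout_add() against fanout_release() only, so whether `po->running` can still change concurrently through the bind path is not visible here and is worth comparing with later stable fixes to this function.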