packet: CVE-2017-6346

packet: fix races in fanout_add() References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=7babaac5d49ee7a88a5a324668dd13b575635d09 Change-Id: I67fda10f52f8224b4516be4293f738599121201d Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 15:20:38 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-25 13:23:40 +0200
commit: 24c62aba579409ee500ff06e92b6f6a66add2e21 (patch)
tree: 0885c2eb88a5f61855c81ebc2c48e948ae2e6f29
parent: 84ff9e626b0e68f22f5e04d8919ee2a874c472f8 (diff)
download: enea-kernel-cache-24c62aba579409ee500ff06e92b6f6a66add2e21.tar.gz
2 files changed, 81 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 7901020..b381b25 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -28,4 +28,5 @@ patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
 #fixed in 4.1.49
 patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
 patch CVE-2017-17806-crypto-hmac-require-that-the-underlying-hash-algorit.patch
+patch CVE-2017-6346-packet-fix-races-in-fanout_add.patch
diff --git a/patches/cve/CVE-2017-6346-packet-fix-races-in-fanout_add.patch b/patches/cve/CVE-2017-6346-packet-fix-races-in-fanout_add.patch
new file mode 100644
index 0000000..c2cdfc0
--- /dev/null
+++ b/patches/cve/CVE-2017-6346-packet-fix-races-in-fanout_add.patch
@@ -0,0 +1,80 @@
+From 7babaac5d49ee7a88a5a324668dd13b575635d09 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 14 Feb 2017 09:03:51 -0800
+Subject: [PATCH] packet: fix races in fanout_add()
+[ Upstream commit d199fab63c11998a602205f7ee7ff7c05c97164b ]
+Multiple threads can call fanout_add() at the same time.
+We need to grab fanout_mutex earlier to avoid races that could
+lead to one thread freeing po->rollover that was set by another thread.
+Do the same in fanout_release(), for peace of mind, and to help us
+finding lockdep issues earlier.
+CVE: CVE-2017-6346
+Upstream-Status: Backport  
+Fixes: dc99f600698d ("packet: Add fanout support.")
+Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/packet/af_packet.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 4cd7e27..88cec95 100644
+--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
+@@ -1447,13 +1447,16 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
+                return -EINVAL;
+        }
+ 
+       mutex_lock(&fanout_mutex);
+
+       err = -EINVAL;
+        if (!po->running)
+-               return -EINVAL;
+               goto out;
+ 
+       err = -EALREADY;
+        if (po->fanout)
+-               return -EALREADY;
+               goto out;
+ 
+-       mutex_lock(&fanout_mutex);
+        match = NULL;
+        list_for_each_entry(f, &fanout_list, list) {
+                if (f->id == id &&
+@@ -1509,17 +1512,16 @@ static void fanout_release(struct sock *sk)
+        struct packet_sock *po = pkt_sk(sk);
+        struct packet_fanout *f;
+ 
+-       f = po->fanout;
+-       if (!f)
+-               return;
+-
+        mutex_lock(&fanout_mutex);
+-       po->fanout = NULL;
+       f = po->fanout;
+       if (f) {
+               po->fanout = NULL;
+ 
+-       if (atomic_dec_and_test(&f->sk_ref)) {
+-               list_del(&f->list);
+-               dev_remove_pack(&f->prot_hook);
+-               kfree(f);
+               if (atomic_dec_and_test(&f->sk_ref)) {
+                       list_del(&f->list);
+                       dev_remove_pack(&f->prot_hook);
+                       kfree(f);
+               }
+        }
+        mutex_unlock(&fanout_mutex);
+ }
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 15:20:38 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-25 13:23:40 +0200
commit	24c62aba579409ee500ff06e92b6f6a66add2e21 (patch)
tree	0885c2eb88a5f61855c81ebc2c48e948ae2e6f29
parent	84ff9e626b0e68f22f5e04d8919ee2a874c472f8 (diff)
download	enea-kernel-cache-24c62aba579409ee500ff06e92b6f6a66add2e21.tar.gz

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 7901020..b381b25 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -28,4 +28,5 @@ patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
28	#fixed in 4.1.49	28	#fixed in 4.1.49
29	patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch	29	patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
30	patch CVE-2017-17806-crypto-hmac-require-that-the-underlying-hash-algorit.patch	30	patch CVE-2017-17806-crypto-hmac-require-that-the-underlying-hash-algorit.patch
		31	patch CVE-2017-6346-packet-fix-races-in-fanout_add.patch
31		32


diff --git a/patches/cve/CVE-2017-6346-packet-fix-races-in-fanout_add.patch b/patches/cve/CVE-2017-6346-packet-fix-races-in-fanout_add.patch new file mode 100644 index 0000000..c2cdfc0 --- /dev/null +++ b/patches/cve/CVE-2017-6346-packet-fix-races-in-fanout_add.patch
@@ -0,0 +1,80 @@
		1	From 7babaac5d49ee7a88a5a324668dd13b575635d09 Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Tue, 14 Feb 2017 09:03:51 -0800
		4	Subject: [PATCH] packet: fix races in fanout_add()
		5
		6	[ Upstream commit d199fab63c11998a602205f7ee7ff7c05c97164b ]
		7
		8	Multiple threads can call fanout_add() at the same time.
		9
		10	We need to grab fanout_mutex earlier to avoid races that could
		11	lead to one thread freeing po->rollover that was set by another thread.
		12
		13	Do the same in fanout_release(), for peace of mind, and to help us
		14	finding lockdep issues earlier.
		15
		16	CVE: CVE-2017-6346
		17	Upstream-Status: Backport
		18
		19	Fixes: dc99f600698d ("packet: Add fanout support.")
		20	Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
		21	Signed-off-by: Eric Dumazet <edumazet@google.com>
		22	Cc: Willem de Bruijn <willemb@google.com>
		23	Signed-off-by: David S. Miller <davem@davemloft.net>
		24	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
		25	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		26	---
		27	net/packet/af_packet.c \| 26 ++++++++++++++------------
		28	1 file changed, 14 insertions(+), 12 deletions(-)
		29
		30	diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
		31	index 4cd7e27..88cec95 100644
		32	--- a/net/packet/af_packet.c
		33	+++ b/net/packet/af_packet.c
		34	@@ -1447,13 +1447,16 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
		35	return -EINVAL;
		36	}
		37
		38	+ mutex_lock(&fanout_mutex);
		39	+
		40	+ err = -EINVAL;
		41	if (!po->running)
		42	- return -EINVAL;
		43	+ goto out;
		44
		45	+ err = -EALREADY;
		46	if (po->fanout)
		47	- return -EALREADY;
		48	+ goto out;
		49
		50	- mutex_lock(&fanout_mutex);
		51	match = NULL;
		52	list_for_each_entry(f, &fanout_list, list) {
		53	if (f->id == id &&
		54	@@ -1509,17 +1512,16 @@ static void fanout_release(struct sock *sk)
		55	struct packet_sock *po = pkt_sk(sk);
		56	struct packet_fanout *f;
		57
		58	- f = po->fanout;
		59	- if (!f)
		60	- return;
		61	-
		62	mutex_lock(&fanout_mutex);
		63	- po->fanout = NULL;
		64	+ f = po->fanout;
		65	+ if (f) {
		66	+ po->fanout = NULL;
		67
		68	- if (atomic_dec_and_test(&f->sk_ref)) {
		69	- list_del(&f->list);
		70	- dev_remove_pack(&f->prot_hook);
		71	- kfree(f);
		72	+ if (atomic_dec_and_test(&f->sk_ref)) {
		73	+ list_del(&f->list);
		74	+ dev_remove_pack(&f->prot_hook);
		75	+ kfree(f);
		76	+ }
		77	}
		78	mutex_unlock(&fanout_mutex);
		79	}
		80	--