packet: CVE-2017-1000111

packet: fix tp_reserve race in packet_set_ring

References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=b7761b0cd80d832e40a46ec0078ab02596dbc350

Change-Id: Ie32504e8ed6d2aefe350f9e501dca7236c3085ed
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 56 insertions, 0 deletions

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 60a7c67..6386a9b 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -19,3 +19,6 @@ patch CVE-2017-9074-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
 #fixed in 4.1.43
 patch CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
 
+#fixed in 4.1.44
+patch CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch
+
diff --git a/patches/cve/CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch b/patches/cve/CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch
new file mode 100644
index 0000000..6e3f5a4
--- /dev/null
+++ b/patches/cve/CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch
@@ -0,0 +1,53 @@
+From 79373d4f60b9167bb68ce2c7d8decc8c3b66cc43 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Wed, 17 Oct 2018 12:38:53 +0200
+Subject: [PATCH] packet: fix tp_reserve race in packet_set_ring
+
+[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]
+
+Updates to tp_reserve can race with reads of the field in
+packet_set_ring. Avoid this by holding the socket lock during
+updates in setsockopt PACKET_RESERVE.
+
+This bug was discovered by syzkaller.
+
+CVE: CVE-2017-1000111
+Upstream-Status: Backport
+
+Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 7c1054d..7bd5e7f 100644
+@@ -3365,12 +3373,17 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ 
+                if (optlen != sizeof(val))
+                        return -EINVAL;
+-               if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-                       return -EBUSY;
+                if (copy_from_user(&val, optval, sizeof(val)))
+                        return -EFAULT;
+-               po->tp_reserve = val;
+-               return 0;
++               lock_sock(sk);
++               if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++                       ret = -EBUSY;
++               } else {
++                       po->tp_reserve = val;
++                       ret = 0;
++               }
++               release_sock(sk);
++               return ret;
+        }
+        case PACKET_LOSS:
+        {
+--- 
+
+