author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-29 15:05:13 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2017-10-02 09:41:25 +0200 |
commit | b367b96333d52663a3c2a9274a8ce96226fa4bd6 (patch) | |
tree | 67cc437fdbae58378f2dd64c8cef0c9c5f8bc8de | |
parent | e8a615a1c163ae332bdc313cd92d49b13308905e (diff) | |
linux-cavium: CVE-2017-6353
Possible double free in sctp_sendmsg() (incorrect fix for CVE-2017-5986)
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6353
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-6353.patch | 73 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 74 insertions, 0 deletions
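diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6353.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6353.patch
new file mode 100644
index 0000000..3ff4dc7
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6353.patch
@@ -0,0 +1,73 @@
+From 35b9d61ea910c1ebd4652b32cc7d713f6689b4f4 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Thu, 23 Feb 2017 09:31:18 -0300
+Subject: [PATCH] sctp: deny peeloff operation on asocs with threads sleeping
+ on it
+
+commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 upstream.
+
+commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+attempted to avoid a BUG_ON call when the association being used for a
+sendmsg() is blocked waiting for more sndbuf and another thread did a
+peeloff operation on such asoc, moving it to another socket.
+
+As Ben Hutchings noticed, then in such case it would return without
+locking back the socket and would cause two unlocks in a row.
+
+Further analysis also revealed that it could allow a double free if the
+application managed to peeloff the asoc that is created during the
+sendmsg call, because then sctp_sendmsg() would try to free the asoc
+that was created only for that call.
+
+This patch takes another approach. It will deny the peeloff operation
+if there is a thread sleeping on the asoc, so this situation doesn't
+exist anymore. This avoids the issues described above and also honors
+the syscalls that are already being handled (it can be multiple sendmsg
+calls).
+
+Joint work with Xin Long.
+
+CVE: CVE-2017-6353
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+Cc: Alexander Popov <alex.popov@linux.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/sctp/socket.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 6cbe5bd..6734420 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4735,6 +4735,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ 	if (!asoc)
+ 		return -EINVAL;
+ 
++	/* If there is a thread waiting on more sndbuf space for
++	 * sending on this asoc, it cannot be peeled.
++	 */
++	if (waitqueue_active(&asoc->wait))
++		return -EBUSY;
++
+ 	/* An association cannot be branched off from an already peeled-off
+ 	 * socket, nor is this supported for tcp style sockets.
+ 	 */
+@@ -7427,8 +7433,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ 	 */
+ 	release_sock(sk);
+ 	current_timeo = schedule_timeout(current_timeo);
+-	if (sk != asoc->base.sk)
+-		goto do_error;
+ 	lock_sock(sk);
+ 
+ 	*timeo_p = current_timeo;
+-- 
+1.9.1
+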
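Review bot: The second hunk of the embedded backport removes the `if (sk != asoc->base.sk) goto do_error;` lines that commit 2dcab5984841 (the CVE-2017-5986 fix named in the `Fixes:` trailer) added to sctp_wait_for_sndbuf(), so this patch only applies if that earlier fix is already in the linux-cavium tree; nothing in this commit message or the visible part of the recipe's patch list records that, and a missing prerequisite would show up as a hunk rejection in do_patch. I would record the prerequisite next to the `Upstream-Status:` trailer, e.g. `Depends-on: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf"), already present in the linux-cavium 4.9 tree`, or note a `git apply --check` result in the commit message. The new `waitqueue_active(&asoc->wait)` guard in sctp_do_peeloff() presumably relies on the caller holding the socket lock so that a waiter enqueued before release_sock() in sctp_wait_for_sndbuf() is visible; since waitqueue_active() carries no barrier of its own, the added comment could state that: `/* Caller holds lock_sock(sk); waiters enqueue under it before release_sock(). */`. The peeloff getsockopt now returning -EBUSY is also a new userspace-visible error that the backport note does not mention. Both sctp_do_peeloff() and sctp_wait_for_sndbuf() begin and end outside the hunks shown.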
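--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -25,6 +25,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
     file://CVE-2017-6214.patch \
     file://CVE-2017-6345.patch \
     file://CVE-2017-6348.patch \
+    file://CVE-2017-6353.patch \
     file://CVE-2017-7487.patch \
     file://CVE-2017-7618.patch \
     file://CVE-2017-7645.patch \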