diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-29 15:05:13 +0200 |
|---|---|---|
| committer | Martin Borg <martin.borg@enea.com> | 2017-10-02 09:41:25 +0200 |
| commit | b367b96333d52663a3c2a9274a8ce96226fa4bd6 (patch) | |
| tree | 67cc437fdbae58378f2dd64c8cef0c9c5f8bc8de | |
| parent | e8a615a1c163ae332bdc313cd92d49b13308905e (diff) | |
| download | meta-enea-bsp-arm-b367b96333d52663a3c2a9274a8ce96226fa4bd6.tar.gz | |
linux-cavium: CVE-2017-6353
Possible double free in stcp_sendmsg() (incorrect fix for CVE-2017-5986)
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6353
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
| -rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-6353.patch | 73 | ||||
| -rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 74 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6353.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6353.patch new file mode 100644 index 0000000..3ff4dc7 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6353.patch | |||
| @@ -0,0 +1,73 @@ | |||
| 1 | From 35b9d61ea910c1ebd4652b32cc7d713f6689b4f4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> | ||
| 3 | Date: Thu, 23 Feb 2017 09:31:18 -0300 | ||
| 4 | Subject: [PATCH] sctp: deny peeloff operation on asocs with threads sleeping | ||
| 5 | on it | ||
| 6 | |||
| 7 | commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 upstream. | ||
| 8 | |||
| 9 | commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf") | ||
| 10 | attempted to avoid a BUG_ON call when the association being used for a | ||
| 11 | sendmsg() is blocked waiting for more sndbuf and another thread did a | ||
| 12 | peeloff operation on such asoc, moving it to another socket. | ||
| 13 | |||
| 14 | As Ben Hutchings noticed, then in such case it would return without | ||
| 15 | locking back the socket and would cause two unlocks in a row. | ||
| 16 | |||
| 17 | Further analysis also revealed that it could allow a double free if the | ||
| 18 | application managed to peeloff the asoc that is created during the | ||
| 19 | sendmsg call, because then sctp_sendmsg() would try to free the asoc | ||
| 20 | that was created only for that call. | ||
| 21 | |||
| 22 | This patch takes another approach. It will deny the peeloff operation | ||
| 23 | if there is a thread sleeping on the asoc, so this situation doesn't | ||
| 24 | exist anymore. This avoids the issues described above and also honors | ||
| 25 | the syscalls that are already being handled (it can be multiple sendmsg | ||
| 26 | calls). | ||
| 27 | |||
| 28 | Joint work with Xin Long. | ||
| 29 | |||
| 30 | CVE: CVE-2017-6353 | ||
| 31 | Upstream-Status: Backport [from kernel.org longterm 4.9.52] | ||
| 32 | |||
| 33 | Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf") | ||
| 34 | Cc: Alexander Popov <alex.popov@linux.com> | ||
| 35 | Cc: Ben Hutchings <ben@decadent.org.uk> | ||
| 36 | Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> | ||
| 37 | Signed-off-by: Xin Long <lucien.xin@gmail.com> | ||
| 38 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 39 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 40 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 41 | --- | ||
| 42 | net/sctp/socket.c | 8 ++++++-- | ||
| 43 | 1 file changed, 6 insertions(+), 2 deletions(-) | ||
| 44 | |||
| 45 | diff --git a/net/sctp/socket.c b/net/sctp/socket.c | ||
| 46 | index 6cbe5bd..6734420 100644 | ||
| 47 | --- a/net/sctp/socket.c | ||
| 48 | +++ b/net/sctp/socket.c | ||
| 49 | @@ -4735,6 +4735,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp) | ||
| 50 | if (!asoc) | ||
| 51 | return -EINVAL; | ||
| 52 | |||
| 53 | + /* If there is a thread waiting on more sndbuf space for | ||
| 54 | + * sending on this asoc, it cannot be peeled. | ||
| 55 | + */ | ||
| 56 | + if (waitqueue_active(&asoc->wait)) | ||
| 57 | + return -EBUSY; | ||
| 58 | + | ||
| 59 | /* An association cannot be branched off from an already peeled-off | ||
| 60 | * socket, nor is this supported for tcp style sockets. | ||
| 61 | */ | ||
| 62 | @@ -7427,8 +7433,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, | ||
| 63 | */ | ||
| 64 | release_sock(sk); | ||
| 65 | current_timeo = schedule_timeout(current_timeo); | ||
| 66 | - if (sk != asoc->base.sk) | ||
| 67 | - goto do_error; | ||
| 68 | lock_sock(sk); | ||
| 69 | |||
| 70 | *timeo_p = current_timeo; | ||
| 71 | -- | ||
| 72 | 1.9.1 | ||
| 73 | |||
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 13a4bda..39ba2e7 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc | |||
| @@ -25,6 +25,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi | |||
| 25 | file://CVE-2017-6214.patch \ | 25 | file://CVE-2017-6214.patch \ |
| 26 | file://CVE-2017-6345.patch \ | 26 | file://CVE-2017-6345.patch \ |
| 27 | file://CVE-2017-6348.patch \ | 27 | file://CVE-2017-6348.patch \ |
| 28 | file://CVE-2017-6353.patch \ | ||
| 28 | file://CVE-2017-7487.patch \ | 29 | file://CVE-2017-7487.patch \ |
| 29 | file://CVE-2017-7618.patch \ | 30 | file://CVE-2017-7618.patch \ |
| 30 | file://CVE-2017-7645.patch \ | 31 | file://CVE-2017-7645.patch \ |