author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-11-14 07:52:31 +0100 |
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-11-14 10:01:31 +0100 |
commit | 1d249380d6e9614e09ba9a71793ab26e47116650 (patch) | |
tree | f9b8044b24c653e88678e587fa1ba99fa8fb9812 | |
parent | 0695cdbd10b0252be0e6e4a594c35f6be1b9cc63 (diff) | |
download | meta-enea-bsp-arm-1d249380d6e9614e09ba9a71793ab26e47116650.tar.gz |
linux-cavium: CVE-2017-11176
fix a use-after-free in sys_mq_notify()
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-11176
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-11176.patch | 52 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 53 insertions, 0 deletions
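--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-11176.patch
@@ -0,0 +1,52 @@
+From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sun, 9 Jul 2017 13:19:55 -0700
+Subject: mqueue: fix a use-after-free in sys_mq_notify()
+
+The retry logic for netlink_attachskb() inside sys_mq_notify()
+is nasty and vulnerable:
+
+1) The sock refcnt is already released when retry is needed
+2) The fd is controllable by user-space because we already
+release the file refcnt
+
+so we when retry but the fd has been just closed by user-space
+during this small window, we end up calling netlink_detachskb()
+on the error path which releases the sock again, later when
+the user-space closes this socket a use-after-free could be
+triggered.
+
+Setting 'sock' to NULL here should be sufficient to fix it.
+CVE: CVE-2017-11176
+Upstream-Status: Backport [from: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1]
+
+Reported-by: GeneBlue <geneblue.mail@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ipc/mqueue.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index c9ff943..eb1391b 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -1270,8 +1270,10 @@ retry:
+
+timeo = MAX_SCHEDULE_TIMEOUT;
+ret = netlink_attachskb(sock, nc, &timeo, NULL);
+- if (ret == 1)
++ if (ret == 1) {
++ sock = NULL;
+goto retry;
++ }
+if (ret) {
+sock = NULL;
+nc = NULL;
+--
+cgit v1.1
+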
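--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -39,6 +39,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-8831.patch \
 file://CVE-2017-1000364.patch \
 file://0001-openvswitch-fixed-kernel-crash.patch \
+file://CVE-2017-11176.patch \
 "
 
 LINUX_KERNEL_TYPE = "tiny"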
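Review bot: The new `file://CVE-2017-11176.patch \` entry should be checked against the SRCREV that this SRC_URI fetches before it lands, because the upstream fix f991af3 was, as far as I recall, also picked into the 4.9 stable series; if the vendor linux-cavium branch is already based on a 4.9.y release that carries it, do_patch will fail on an already-applied hunk rather than skip it. A quick search of the fetched tree's history for the mqueue commit, or a short comment next to this line recording the stable tag that was checked (e.g. `# not yet in the base 4.9.y tree as of <SRCREV checked>`), would make the same check reproducible on the next CVE bump. The SRC_URI assignment this line belongs to starts above the hunk.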