linux-intel: CVE-2017-11176

fix a use-after-free in sys_mq_notify() Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-11176 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-11-16 09:38:46 +0100
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-11-16 12:00:54 +0100
commit: cf3664b57f0dc010c27bce1103c89c22dc359641 (patch)
tree: d166550564e0e26315bf1580fa3bd6fede99a785
parent: 26ac9aaf231c3343983919bc5d9d9219261fe77f (diff)
download: meta-enea-bsp-x86-cf3664b57f0dc010c27bce1103c89c22dc359641.tar.gz
2 files changed, 56 insertions, 1 deletions
diff --git a/recipes-kernel/linux/linux-intel.inc b/recipes-kernel/linux/linux-intel.inc
index 733a329..84fbf77 100644
--- a/recipes-kernel/linux/linux-intel.inc
+++ b/recipes-kernel/linux/linux-intel.inc
@@ -1,9 +1,12 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-intel:"
 require common/recipes-kernel/linux/linux-intel_4.9.bb
 require recipes-kernel/linux/linux-deploy-kconfig.inc
 SRCREV_metaenea = "7579efbdb49529f36652b69d4630c6c43907f77b"
 KENEABRANCH = "intel-4.9"
-SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta"
+SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
+                   file://CVE-2017-11176.patch \
+                 "
 KERNEL_FEATURES_append = " features/udev/udev.scc"
diff --git a/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch b/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch
new file mode 100644
index 0000000..e5e1ad3
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch
@@ -0,0 +1,52 @@
+From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sun, 9 Jul 2017 13:19:55 -0700
+Subject: mqueue: fix a use-after-free in sys_mq_notify()
+The retry logic for netlink_attachskb() inside sys_mq_notify()
+is nasty and vulnerable:
+1) The sock refcnt is already released when retry is needed
+2) The fd is controllable by user-space because we already
+   release the file refcnt
+so we when retry but the fd has been just closed by user-space
+during this small window, we end up calling netlink_detachskb()
+on the error path which releases the sock again, later when
+the user-space closes this socket a use-after-free could be
+triggered.
+Setting 'sock' to NULL here should be sufficient to fix it.
+CVE: CVE-2017-11176
+Upstream-Status: Backport [from: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1]
+Reported-by: GeneBlue <geneblue.mail@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ipc/mqueue.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index c9ff943..eb1391b 100644
+--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
+@@ -1270,8 +1270,10 @@ retry:
+ 
+                        timeo = MAX_SCHEDULE_TIMEOUT;
+                        ret = netlink_attachskb(sock, nc, &timeo, NULL);
+-                       if (ret == 1)
+                       if (ret == 1) {
+                               sock = NULL;
+                                goto retry;
+                       }
+                        if (ret) {
+                                sock = NULL;
+                                nc = NULL;
+-- 
+cgit v1.1
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-11-16 09:38:46 +0100
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-11-16 12:00:54 +0100
commit	cf3664b57f0dc010c27bce1103c89c22dc359641 (patch)
tree	d166550564e0e26315bf1580fa3bd6fede99a785
parent	26ac9aaf231c3343983919bc5d9d9219261fe77f (diff)
download	meta-enea-bsp-x86-cf3664b57f0dc010c27bce1103c89c22dc359641.tar.gz

diff --git a/recipes-kernel/linux/linux-intel.inc b/recipes-kernel/linux/linux-intel.inc index 733a329..84fbf77 100644 --- a/recipes-kernel/linux/linux-intel.inc +++ b/recipes-kernel/linux/linux-intel.inc
@@ -1,9 +1,12 @@
		1	FILESEXTRAPATHS_prepend := "${THISDIR}/linux-intel:"
1	require common/recipes-kernel/linux/linux-intel_4.9.bb	2	require common/recipes-kernel/linux/linux-intel_4.9.bb
2	require recipes-kernel/linux/linux-deploy-kconfig.inc	3	require recipes-kernel/linux/linux-deploy-kconfig.inc
3		4
4	SRCREV_metaenea = "7579efbdb49529f36652b69d4630c6c43907f77b"	5	SRCREV_metaenea = "7579efbdb49529f36652b69d4630c6c43907f77b"
5	KENEABRANCH = "intel-4.9"	6	KENEABRANCH = "intel-4.9"
6	SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta"	7	SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
		8	file://CVE-2017-11176.patch \
		9	"
7		10
8	KERNEL_FEATURES_append = " features/udev/udev.scc"	11	KERNEL_FEATURES_append = " features/udev/udev.scc"
9		12


diff --git a/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch b/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch new file mode 100644 index 0000000..e5e1ad3 --- /dev/null +++ b/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch
@@ -0,0 +1,52 @@
		1	From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001
		2	From: Cong Wang <xiyou.wangcong@gmail.com>
		3	Date: Sun, 9 Jul 2017 13:19:55 -0700
		4	Subject: mqueue: fix a use-after-free in sys_mq_notify()
		5
		6	The retry logic for netlink_attachskb() inside sys_mq_notify()
		7	is nasty and vulnerable:
		8
		9	1) The sock refcnt is already released when retry is needed
		10	2) The fd is controllable by user-space because we already
		11	release the file refcnt
		12
		13	so we when retry but the fd has been just closed by user-space
		14	during this small window, we end up calling netlink_detachskb()
		15	on the error path which releases the sock again, later when
		16	the user-space closes this socket a use-after-free could be
		17	triggered.
		18
		19	Setting 'sock' to NULL here should be sufficient to fix it.
		20	CVE: CVE-2017-11176
		21	Upstream-Status: Backport [from: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1]
		22
		23	Reported-by: GeneBlue <geneblue.mail@gmail.com>
		24	Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
		25	Cc: Andrew Morton <akpm@linux-foundation.org>
		26	Cc: Manfred Spraul <manfred@colorfullife.com>
		27	Cc: stable@kernel.org
		28	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		29	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		30	---
		31	ipc/mqueue.c \| 4 +++-
		32	1 file changed, 3 insertions(+), 1 deletion(-)
		33
		34	diff --git a/ipc/mqueue.c b/ipc/mqueue.c
		35	index c9ff943..eb1391b 100644
		36	--- a/ipc/mqueue.c
		37	+++ b/ipc/mqueue.c
		38	@@ -1270,8 +1270,10 @@ retry:
		39
		40	timeo = MAX_SCHEDULE_TIMEOUT;
		41	ret = netlink_attachskb(sock, nc, &timeo, NULL);
		42	- if (ret == 1)
		43	+ if (ret == 1) {
		44	+ sock = NULL;
		45	goto retry;
		46	+ }
		47	if (ret) {
		48	sock = NULL;
		49	nc = NULL;
		50	--
		51	cgit v1.1
		52