author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-11-16 09:38:46 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-11-16 12:00:54 +0100 |
commit | cf3664b57f0dc010c27bce1103c89c22dc359641 (patch) | |
tree | d166550564e0e26315bf1580fa3bd6fede99a785 /recipes-kernel | |
parent | 26ac9aaf231c3343983919bc5d9d9219261fe77f (diff) | |
download | meta-enea-bsp-x86-cf3664b57f0dc010c27bce1103c89c22dc359641.tar.gz |
linux-intel: CVE-2017-11176
fix a use-after-free in sys_mq_notify()
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-11176
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel')
-rw-r--r-- | recipes-kernel/linux/linux-intel.inc | 5 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-intel/CVE-2017-11176.patch | 52 |
2 files changed, 56 insertions, 1 deletions
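--- a/recipes-kernel/linux/linux-intel.inc
+++ b/recipes-kernel/linux/linux-intel.inc
@@ -1,9 +1,12 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-intel:"
 require common/recipes-kernel/linux/linux-intel_4.9.bb
 require recipes-kernel/linux/linux-deploy-kconfig.inc
 
 SRCREV_metaenea = "7579efbdb49529f36652b69d4630c6c43907f77b"
 KENEABRANCH = "intel-4.9"
-SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta"
+SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
+file://CVE-2017-11176.patch \
+"
 
 KERNEL_FEATURES_append = " features/udev/udev.scc"
 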
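Review bot: The CVE patch is folded into the same `SRC_URI_append` string as the kmeta fetch URL (new lines 7–9), so every future CVE backport has to edit the line that carries the git URL, and a second `SRC_URI_append =` elsewhere would silently replace this one rather than add to it. Keeping the fix on its own additive line, `SRC_URI += "file://CVE-2017-11176.patch"`, leaves the kmeta line untouched and makes each backport a one-line, self-contained change that is easy to audit and to drop once the base kernel carries the fix. The `FILESEXTRAPATHS_prepend` added at new line 1 is what lets the `file://` entry resolve to the new `linux-intel/` directory, so it belongs with whichever form is chosen.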
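--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch
@@ -0,0 +1,52 @@
+From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sun, 9 Jul 2017 13:19:55 -0700
+Subject: mqueue: fix a use-after-free in sys_mq_notify()
+
+The retry logic for netlink_attachskb() inside sys_mq_notify()
+is nasty and vulnerable:
+
+1) The sock refcnt is already released when retry is needed
+2) The fd is controllable by user-space because we already
+release the file refcnt
+
+so we when retry but the fd has been just closed by user-space
+during this small window, we end up calling netlink_detachskb()
+on the error path which releases the sock again, later when
+the user-space closes this socket a use-after-free could be
+triggered.
+
+Setting 'sock' to NULL here should be sufficient to fix it.
+CVE: CVE-2017-11176
+Upstream-Status: Backport [from: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1]
+
+Reported-by: GeneBlue <geneblue.mail@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ipc/mqueue.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index c9ff943..eb1391b 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -1270,8 +1270,10 @@ retry:
+
+timeo = MAX_SCHEDULE_TIMEOUT;
+ret = netlink_attachskb(sock, nc, &timeo, NULL);
+- if (ret == 1)
++ if (ret == 1) {
++ sock = NULL;
+goto retry;
++ }
+if (ret) {
+sock = NULL;
+nc = NULL;
+--
+cgit v1.1
+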