Diffstat (limited to 'recipes-kernel/linux/linux-intel/CVE-2017-11176.patch')
-rw-r--r-- | recipes-kernel/linux/linux-intel/CVE-2017-11176.patch | 52 |
1 files changed, 0 insertions, 52 deletions
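diff --git a/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch b/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch
deleted file mode 100644
index e5e1ad3..0000000
--- a/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001
-From: Cong Wang <xiyou.wangcong@gmail.com>
-Date: Sun, 9 Jul 2017 13:19:55 -0700
-Subject: mqueue: fix a use-after-free in sys_mq_notify()
-
-The retry logic for netlink_attachskb() inside sys_mq_notify()
-is nasty and vulnerable:
-
-1) The sock refcnt is already released when retry is needed
-2) The fd is controllable by user-space because we already
-release the file refcnt
-
-so we when retry but the fd has been just closed by user-space
-during this small window, we end up calling netlink_detachskb()
-on the error path which releases the sock again, later when
-the user-space closes this socket a use-after-free could be
-triggered.
-
-Setting 'sock' to NULL here should be sufficient to fix it.
-CVE: CVE-2017-11176
-Upstream-Status: Backport [from: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1]
-
-Reported-by: GeneBlue <geneblue.mail@gmail.com>
-Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Manfred Spraul <manfred@colorfullife.com>
-Cc: stable@kernel.org
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-ipc/mqueue.c | 4 +++-
-1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ipc/mqueue.c b/ipc/mqueue.c
-index c9ff943..eb1391b 100644
---- a/ipc/mqueue.c
-+++ b/ipc/mqueue.c
-@@ -1270,8 +1270,10 @@ retry:
-
-timeo = MAX_SCHEDULE_TIMEOUT;
-ret = netlink_attachskb(sock, nc, &timeo, NULL);
-- if (ret == 1)
-+ if (ret == 1) {
-+ sock = NULL;
-goto retry;
-+ }
-if (ret) {
-sock = NULL;
-nc = NULL;
---
-cgit v1.1
-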