From cf3664b57f0dc010c27bce1103c89c22dc359641 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Thu, 16 Nov 2017 09:38:46 +0100
Subject: linux-intel: CVE-2017-11176 fix a use-after-free in sys_mq_notify()
Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-11176
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 recipes-kernel/linux/linux-intel.inc | 5 ++-
 .../linux/linux-intel/CVE-2017-11176.patch | 52 ++++++++++++++++++++++
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 recipes-kernel/linux/linux-intel/CVE-2017-11176.patch
diff --git a/recipes-kernel/linux/linux-intel.inc b/recipes-kernel/linux/linux-intel.inc
index 733a329..84fbf77 100644
--- a/recipes-kernel/linux/linux-intel.inc
+++ b/recipes-kernel/linux/linux-intel.inc
@@ -1,9 +1,12 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-intel:"
 require common/recipes-kernel/linux/linux-intel_4.9.bb
 require recipes-kernel/linux/linux-deploy-kconfig.inc
 SRCREV_metaenea = "7579efbdb49529f36652b69d4630c6c43907f77b"
 KENEABRANCH = "intel-4.9"
-SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta"
+SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
+ file://CVE-2017-11176.patch \
+ "
 KERNEL_FEATURES_append = " features/udev/udev.scc"
diff --git a/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch b/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch
new file mode 100644
index 0000000..e5e1ad3
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2017-11176.patch
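Review bot: The new `file://CVE-2017-11176.patch` entry in `SRC_URI_append` carries no marker saying when it can be retired, while the kernel SRCREV it patches is set in the required `common/recipes-kernel/linux/linux-intel_4.9.bb`, outside this file. Once that SRCREV advances to a tree that already carries upstream f991af3daabaecff34684fd51fac80319d1baad1, do_patch will most likely fail on the already-applied hunk rather than skip it, and whoever bumps the kernel has no hint here about why. A one-line comment above the append, `# CVE-2017-11176: drop once the linux-intel_4.9 SRCREV includes upstream f991af3daabaecff34684fd51fac80319d1baad1`, makes that dependency visible in the file that will be edited.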
@@ -0,0 +1,52 @@
+From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Sun, 9 Jul 2017 13:19:55 -0700
+Subject: mqueue: fix a use-after-free in sys_mq_notify()
+
+The retry logic for netlink_attachskb() inside sys_mq_notify()
+is nasty and vulnerable:
+
+1) The sock refcnt is already released when retry is needed
+2) The fd is controllable by user-space because we already
+ release the file refcnt
+
+so we when retry but the fd has been just closed by user-space
+during this small window, we end up calling netlink_detachskb()
+on the error path which releases the sock again, later when
+the user-space closes this socket a use-after-free could be
+triggered.
+
+Setting 'sock' to NULL here should be sufficient to fix it.
+CVE: CVE-2017-11176
+Upstream-Status: Backport [from: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1]
+
+Reported-by: GeneBlue
+Signed-off-by: Cong Wang
+Cc: Andrew Morton
+Cc: Manfred Spraul
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sona Sarmadi
+---
+ ipc/mqueue.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index c9ff943..eb1391b 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -1270,8 +1270,10 @@ retry:
+
+ timeo = MAX_SCHEDULE_TIMEOUT;
+ ret = netlink_attachskb(sock, nc, &timeo, NULL);
+- if (ret == 1)
++ if (ret == 1) {
++ sock = NULL;
+ goto retry;
++ }
+ if (ret) {
+ sock = NULL;
+ nc = NULL;
+--
+cgit v1.1
+
-- 
cgit v1.2.3-54-g00ecf
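Review bot: The embedded ipc/mqueue.c hunk appears to keep mainline's `index c9ff943..eb1391b` blob ids and `@@ -1270,8 +1270,10 @@` offsets rather than being regenerated against the 4.9-based linux-intel tree, so nothing on this page shows that it applies without fuzz to the SRCREV actually built. `Upstream-Status: Backport` is the right tag, but a backport to a different base is normally refreshed against that base; if do_patch already applied it cleanly, a sentence in the commit message saying so (or a regenerated patch) would record it for the next kernel bump. The code change itself is consistent with the description above it: `sock = NULL;` before `goto retry` stops the error path from releasing a socket reference that netlink_attachskb() has already dropped when it returns 1, and the following `if (ret)` branch already nulls `sock` and `nc` for the non-retry error case. The enclosing sys_mq_notify() body, including the `retry:` target and the error path where netlink_detachskb() is called, starts and ends outside the hunk.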