kernel: net: rds: CVE-2015-7990

Fixes Race condition when sending message on unbound socket causing NULL pointer dereference. CVE-2015-7990 is a complete fix for CVE-2015-6937. References: https://lkml.org/lkml/2015/10/16/530 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7990 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-11-12 12:15:29 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-11-13 01:04:31 +0100
commit: 752848f86e67d0634c413e097363172f4f18d98b (patch)
tree: 7f7a82fba56ee7d2a78ddb48f53586021db57976 /recipes-kernel/linux/linux-hierofalcon
parent: e163d6cf5d6a525676f566841d6b898ff0c004fb (diff)
download: meta-hierofalcon-752848f86e67d0634c413e097363172f4f18d98b.tar.gz
1 files changed, 80 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch
new file mode 100644
index 0000000..c73d743
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch
@@ -0,0 +1,80 @@
+From    Quentin Casasnovas <>
+Subject [PATCH] RDS: fix race condition when sending a message on unbound
+socket.
+Date    Fri, 16 Oct 2015 17:11:42 +0200
+        
+Sasha's found a NULL pointer dereference in the RDS connection code when
+sending a message to an apparently unbound socket.  The problem is caused
+by the code checking if the socket is bound in rds_sendmsg(), which checks
+the rs_bound_addr field without taking a lock on the socket.  This opens a
+race where rs_bound_addr is temporarily set but where the transport is not
+in rds_bind(), leading to a NULL pointer dereference when trying to
+dereference 'trans' in __rds_conn_create().
+Vegard wrote a reproducer for this issue, so kindly ask him to share if
+you're interested.
+I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+with this patch, whereas I could without.
+Complete earlier incomplete fix to CVE-2015-6937:
+  74e98eb08588 ("RDS: verify the underlying transport exists before creating a
+connection")
+Fix for CVE-2015-7990, [from https://lkml.org/lkml/2015/10/16/530]
+Upstream-Status: Submitted
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Cc: Vegard Nossum <vegard.nossum@oracle.com>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Cc: Chien Yen <chien.yen@oracle.com>
+Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: stable@vger.kernel.org
+---
+ net/rds/connection.c | 6 ------
+ net/rds/send.c       | 4 +++-
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+diff --git a/net/rds/connection.c b/net/rds/connection.c
+index 49adeef..9b2de5e 100644
+--- a/net/rds/connection.c
+++ b/net/rds/connection.c
+@@ -190,12 +190,6 @@ new_conn:
+                }
+        }
+-       if (trans == NULL) {
+-               kmem_cache_free(rds_conn_slab, conn);
+-               conn = ERR_PTR(-ENODEV);
+-               goto out;
+-       }
+-
+        conn->c_trans = trans;
+        ret = trans->conn_alloc(conn, gfp);
+diff --git a/net/rds/send.c b/net/rds/send.c
+index 4df61a5..859de6f 100644
+--- a/net/rds/send.c
+++ b/net/rds/send.c
+@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+                release_sock(sk);
+        }
+-       /* racing with another thread binding seems ok here */
+       lock_sock(sk);
+        if (daddr == 0 || rs->rs_bound_addr == 0) {
+               release_sock(sk);
+                ret = -ENOTCONN; /* XXX not a great errno */
+                goto out;
+        }
+       release_sock(sk);
+        if (payload_len > rds_sk_sndbuf(rs)) {
+                ret = -EMSGSIZE;
+--
+2.4.9
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-11-12 12:15:29 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-11-13 01:04:31 +0100
commit	752848f86e67d0634c413e097363172f4f18d98b (patch)
tree	7f7a82fba56ee7d2a78ddb48f53586021db57976 /recipes-kernel/linux/linux-hierofalcon
parent	e163d6cf5d6a525676f566841d6b898ff0c004fb (diff)
download	meta-hierofalcon-752848f86e67d0634c413e097363172f4f18d98b.tar.gz

diff --git a/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch new file mode 100644 index 0000000..c73d743 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch
@@ -0,0 +1,80 @@
	1	From Quentin Casasnovas <>
	2	Subject [PATCH] RDS: fix race condition when sending a message on unbound
	3	socket.
	4	Date Fri, 16 Oct 2015 17:11:42 +0200
	5
	6
	7	Sasha's found a NULL pointer dereference in the RDS connection code when
	8	sending a message to an apparently unbound socket. The problem is caused
	9	by the code checking if the socket is bound in rds_sendmsg(), which checks
	10	the rs_bound_addr field without taking a lock on the socket. This opens a
	11	race where rs_bound_addr is temporarily set but where the transport is not
	12	in rds_bind(), leading to a NULL pointer dereference when trying to
	13	dereference 'trans' in __rds_conn_create().
	14
	15	Vegard wrote a reproducer for this issue, so kindly ask him to share if
	16	you're interested.
	17
	18	I cannot reproduce the NULL pointer dereference using Vegard's reproducer
	19	with this patch, whereas I could without.
	20
	21	Complete earlier incomplete fix to CVE-2015-6937:
	22
	23	74e98eb08588 ("RDS: verify the underlying transport exists before creating a
	24	connection")
	25
	26	Fix for CVE-2015-7990, [from https://lkml.org/lkml/2015/10/16/530]
	27
	28	Upstream-Status: Submitted
	29
	30	Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
	31	Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
	32	Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
	33	Cc: Vegard Nossum <vegard.nossum@oracle.com>
	34	Cc: Sasha Levin <sasha.levin@oracle.com>
	35	Cc: Chien Yen <chien.yen@oracle.com>
	36	Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
	37	Cc: David S. Miller <davem@davemloft.net>
	38	Cc: stable@vger.kernel.org
	39	---
	40	net/rds/connection.c \| 6 ------
	41	net/rds/send.c \| 4 +++-
	42	2 files changed, 3 insertions(+), 7 deletions(-)
	43	diff --git a/net/rds/connection.c b/net/rds/connection.c
	44	index 49adeef..9b2de5e 100644
	45	--- a/net/rds/connection.c
	46	+++ b/net/rds/connection.c
	47	@@ -190,12 +190,6 @@ new_conn:
	48	}
	49	}
	50
	51	- if (trans == NULL) {
	52	- kmem_cache_free(rds_conn_slab, conn);
	53	- conn = ERR_PTR(-ENODEV);
	54	- goto out;
	55	- }
	56	-
	57	conn->c_trans = trans;
	58
	59	ret = trans->conn_alloc(conn, gfp);
	60	diff --git a/net/rds/send.c b/net/rds/send.c
	61	index 4df61a5..859de6f 100644
	62	--- a/net/rds/send.c
	63	+++ b/net/rds/send.c
	64	@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket sock, struct msghdr msg, size_t payload_len)
	65	release_sock(sk);
	66	}
	67
	68	- /* racing with another thread binding seems ok here */
	69	+ lock_sock(sk);
	70	if (daddr == 0 \|\| rs->rs_bound_addr == 0) {
	71	+ release_sock(sk);
	72	ret = -ENOTCONN; /* XXX not a great errno */
	73	goto out;
	74	}
	75	+ release_sock(sk);
	76
	77	if (payload_len > rds_sk_sndbuf(rs)) {
	78	ret = -EMSGSIZE;
	79	--
	80	2.4.9