kernel: net: rds: CVE-2015-6937

Fixes NULL pointer dereference in net/rds/connection.c Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/ ?id=74e98eb085889b0d2d4908f59f6e00026063014f Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6937 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-11-12 12:15:28 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-11-13 01:04:23 +0100
commit: e163d6cf5d6a525676f566841d6b898ff0c004fb (patch)
tree: 8cda41dc2f23b586ae24998ed57120d7334a3bb1 /recipes-kernel/linux/linux-hierofalcon
parent: 8e23157605049aaf851acdc272e50477b2331fdd (diff)
download: meta-hierofalcon-e163d6cf5d6a525676f566841d6b898ff0c004fb.tar.gz
1 files changed, 83 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch
new file mode 100644
index 0000000..e4c7ce1
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch
@@ -0,0 +1,83 @@
+From 74e98eb085889b0d2d4908f59f6e00026063014f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Tue, 8 Sep 2015 10:53:40 -0400
+Subject: [PATCH] RDS: verify the underlying transport exists before creating a
+ connection
+There was no verification that an underlying transport exists when creating
+a connection, this would cause dereferencing a NULL ptr.
+It might happen on sockets that weren't properly bound before attempting to
+send a message, which will cause a NULL ptr deref:
+[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+[135546.051270] Modules linked in:
+[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
+[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
+[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
+[135546.055666] RSP: 0018:ffff8800bc70fab0  EFLAGS: 00010202
+[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
+[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
+[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
+[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
+[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
+[135546.061668] FS:  00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
+[135546.062836] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
+[135546.064723] Stack:
+[135546.065048]  ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
+[135546.066247]  0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
+[135546.067438]  1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
+[135546.068629] Call Trace:
+[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
+[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
+[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
+[135546.071981] rds_sendmsg (net/rds/send.c:1058)
+[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
+[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
+[135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
+[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
+[135546.076349] ? __might_fault (mm/memory.c:3795)
+[135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
+[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
+[135546.078856] SYSC_sendto (net/socket.c:1657)
+[135546.079596] ? SYSC_connect (net/socket.c:1628)
+[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
+[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
+[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
+[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
+[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
+Fixes CVE-2015-6937.
+Upstream-Status: Backport
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/rds/connection.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/net/rds/connection.c b/net/rds/connection.c
+index 9b2de5e..49adeef 100644
+--- a/net/rds/connection.c
+++ b/net/rds/connection.c
+@@ -190,6 +190,12 @@ new_conn:
+                }
+        }
+ 
+       if (trans == NULL) {
+               kmem_cache_free(rds_conn_slab, conn);
+               conn = ERR_PTR(-ENODEV);
+               goto out;
+       }
+
+        conn->c_trans = trans;
+ 
+        ret = trans->conn_alloc(conn, gfp);
+-- 
+1.9.1
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-11-12 12:15:28 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-11-13 01:04:23 +0100
commit	e163d6cf5d6a525676f566841d6b898ff0c004fb (patch)
tree	8cda41dc2f23b586ae24998ed57120d7334a3bb1 /recipes-kernel/linux/linux-hierofalcon
parent	8e23157605049aaf851acdc272e50477b2331fdd (diff)
download	meta-hierofalcon-e163d6cf5d6a525676f566841d6b898ff0c004fb.tar.gz

diff --git a/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch new file mode 100644 index 0000000..e4c7ce1 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch
@@ -0,0 +1,83 @@
	1	From 74e98eb085889b0d2d4908f59f6e00026063014f Mon Sep 17 00:00:00 2001
	2	From: Sasha Levin <sasha.levin@oracle.com>
	3	Date: Tue, 8 Sep 2015 10:53:40 -0400
	4	Subject: [PATCH] RDS: verify the underlying transport exists before creating a
	5	connection
	6
	7	There was no verification that an underlying transport exists when creating
	8	a connection, this would cause dereferencing a NULL ptr.
	9
	10	It might happen on sockets that weren't properly bound before attempting to
	11	send a message, which will cause a NULL ptr deref:
	12
	13	[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
	14	[135546.051270] Modules linked in:
	15	[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
	16	[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
	17	[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
	18	[135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202
	19	[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
	20	[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
	21	[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
	22	[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
	23	[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
	24	[135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
	25	[135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
	26	[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
	27	[135546.064723] Stack:
	28	[135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
	29	[135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
	30	[135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
	31	[135546.068629] Call Trace:
	32	[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
	33	[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
	34	[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
	35	[135546.071981] rds_sendmsg (net/rds/send.c:1058)
	36	[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
	37	[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
	38	[135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
	39	[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
	40	[135546.076349] ? __might_fault (mm/memory.c:3795)
	41	[135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
	42	[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
	43	[135546.078856] SYSC_sendto (net/socket.c:1657)
	44	[135546.079596] ? SYSC_connect (net/socket.c:1628)
	45	[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
	46	[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
	47	[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
	48	[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
	49	[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
	50	[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
	51	[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
	52
	53	Fixes CVE-2015-6937.
	54	Upstream-Status: Backport
	55
	56	Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
	57	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
	58	Signed-off-by: David S. Miller <davem@davemloft.net>
	59	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	60	---
	61	net/rds/connection.c \| 6 ++++++
	62	1 file changed, 6 insertions(+)
	63
	64	diff --git a/net/rds/connection.c b/net/rds/connection.c
	65	index 9b2de5e..49adeef 100644
	66	--- a/net/rds/connection.c
	67	+++ b/net/rds/connection.c
	68	@@ -190,6 +190,12 @@ new_conn:
	69	}
	70	}
	71
	72	+ if (trans == NULL) {
	73	+ kmem_cache_free(rds_conn_slab, conn);
	74	+ conn = ERR_PTR(-ENODEV);
	75	+ goto out;
	76	+ }
	77	+
	78	conn->c_trans = trans;
	79
	80	ret = trans->conn_alloc(conn, gfp);
	81	--
	82	1.9.1
	83