kernel: net: rds: CVE-2015-7990

Fixes Race condition when sending message on unbound socket causing NULL pointer dereference. CVE-2015-7990 is a complete fix for CVE-2015-6937. References: https://lkml.org/lkml/2015/10/16/530 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7990 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-11-12 12:15:29 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-11-13 01:04:31 +0100
commit: 752848f86e67d0634c413e097363172f4f18d98b (patch)
tree: 7f7a82fba56ee7d2a78ddb48f53586021db57976 /recipes-kernel/linux
parent: e163d6cf5d6a525676f566841d6b898ff0c004fb (diff)
download: meta-hierofalcon-752848f86e67d0634c413e097363172f4f18d98b.tar.gz
3 files changed, 82 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch
new file mode 100644
index 0000000..c73d743
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch
@@ -0,0 +1,80 @@
+From    Quentin Casasnovas <>
+Subject [PATCH] RDS: fix race condition when sending a message on unbound
+socket.
+Date    Fri, 16 Oct 2015 17:11:42 +0200
+        
+Sasha's found a NULL pointer dereference in the RDS connection code when
+sending a message to an apparently unbound socket.  The problem is caused
+by the code checking if the socket is bound in rds_sendmsg(), which checks
+the rs_bound_addr field without taking a lock on the socket.  This opens a
+race where rs_bound_addr is temporarily set but where the transport is not
+in rds_bind(), leading to a NULL pointer dereference when trying to
+dereference 'trans' in __rds_conn_create().
+Vegard wrote a reproducer for this issue, so kindly ask him to share if
+you're interested.
+I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+with this patch, whereas I could without.
+Complete earlier incomplete fix to CVE-2015-6937:
+  74e98eb08588 ("RDS: verify the underlying transport exists before creating a
+connection")
+Fix for CVE-2015-7990, [from https://lkml.org/lkml/2015/10/16/530]
+Upstream-Status: Submitted
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Cc: Vegard Nossum <vegard.nossum@oracle.com>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Cc: Chien Yen <chien.yen@oracle.com>
+Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: stable@vger.kernel.org
+---
+ net/rds/connection.c | 6 ------
+ net/rds/send.c       | 4 +++-
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+diff --git a/net/rds/connection.c b/net/rds/connection.c
+index 49adeef..9b2de5e 100644
+--- a/net/rds/connection.c
+++ b/net/rds/connection.c
+@@ -190,12 +190,6 @@ new_conn:
+                }
+        }
+-       if (trans == NULL) {
+-               kmem_cache_free(rds_conn_slab, conn);
+-               conn = ERR_PTR(-ENODEV);
+-               goto out;
+-       }
+-
+        conn->c_trans = trans;
+        ret = trans->conn_alloc(conn, gfp);
+diff --git a/net/rds/send.c b/net/rds/send.c
+index 4df61a5..859de6f 100644
+--- a/net/rds/send.c
+++ b/net/rds/send.c
+@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+                release_sock(sk);
+        }
+-       /* racing with another thread binding seems ok here */
+       lock_sock(sk);
+        if (daddr == 0 || rs->rs_bound_addr == 0) {
+               release_sock(sk);
+                ret = -ENOTCONN; /* XXX not a great errno */
+                goto out;
+        }
+       release_sock(sk);
+        if (payload_len > rds_sk_sndbuf(rs)) {
+                ret = -EMSGSIZE;
+--
+2.4.9
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 45df7b3..45a2ece 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
           file://keys-CVE-2015-1333.patch \
           file://udp_fix_behavior_of_wrong_checksums.patch \
           file://RDS-CVE-2015-6937.patch \
+           file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
           "
 S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index 85e5fe3..f927122 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -23,6 +23,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
           file://defconfig \
           file://keys-CVE-2015-1333.patch \
           file://RDS-CVE-2015-6937.patch \
+           file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
           "
 S = "${WORKDIR}/git"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-11-12 12:15:29 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-11-13 01:04:31 +0100
commit	752848f86e67d0634c413e097363172f4f18d98b (patch)
tree	7f7a82fba56ee7d2a78ddb48f53586021db57976 /recipes-kernel/linux
parent	e163d6cf5d6a525676f566841d6b898ff0c004fb (diff)
download	meta-hierofalcon-752848f86e67d0634c413e097363172f4f18d98b.tar.gz

diff --git a/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch new file mode 100644 index 0000000..c73d743 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch
@@ -0,0 +1,80 @@
		1	From Quentin Casasnovas <>
		2	Subject [PATCH] RDS: fix race condition when sending a message on unbound
		3	socket.
		4	Date Fri, 16 Oct 2015 17:11:42 +0200
		5
		6
		7	Sasha's found a NULL pointer dereference in the RDS connection code when
		8	sending a message to an apparently unbound socket. The problem is caused
		9	by the code checking if the socket is bound in rds_sendmsg(), which checks
		10	the rs_bound_addr field without taking a lock on the socket. This opens a
		11	race where rs_bound_addr is temporarily set but where the transport is not
		12	in rds_bind(), leading to a NULL pointer dereference when trying to
		13	dereference 'trans' in __rds_conn_create().
		14
		15	Vegard wrote a reproducer for this issue, so kindly ask him to share if
		16	you're interested.
		17
		18	I cannot reproduce the NULL pointer dereference using Vegard's reproducer
		19	with this patch, whereas I could without.
		20
		21	Complete earlier incomplete fix to CVE-2015-6937:
		22
		23	74e98eb08588 ("RDS: verify the underlying transport exists before creating a
		24	connection")
		25
		26	Fix for CVE-2015-7990, [from https://lkml.org/lkml/2015/10/16/530]
		27
		28	Upstream-Status: Submitted
		29
		30	Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
		31	Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
		32	Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
		33	Cc: Vegard Nossum <vegard.nossum@oracle.com>
		34	Cc: Sasha Levin <sasha.levin@oracle.com>
		35	Cc: Chien Yen <chien.yen@oracle.com>
		36	Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
		37	Cc: David S. Miller <davem@davemloft.net>
		38	Cc: stable@vger.kernel.org
		39	---
		40	net/rds/connection.c \| 6 ------
		41	net/rds/send.c \| 4 +++-
		42	2 files changed, 3 insertions(+), 7 deletions(-)
		43	diff --git a/net/rds/connection.c b/net/rds/connection.c
		44	index 49adeef..9b2de5e 100644
		45	--- a/net/rds/connection.c
		46	+++ b/net/rds/connection.c
		47	@@ -190,12 +190,6 @@ new_conn:
		48	}
		49	}
		50
		51	- if (trans == NULL) {
		52	- kmem_cache_free(rds_conn_slab, conn);
		53	- conn = ERR_PTR(-ENODEV);
		54	- goto out;
		55	- }
		56	-
		57	conn->c_trans = trans;
		58
		59	ret = trans->conn_alloc(conn, gfp);
		60	diff --git a/net/rds/send.c b/net/rds/send.c
		61	index 4df61a5..859de6f 100644
		62	--- a/net/rds/send.c
		63	+++ b/net/rds/send.c
		64	@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket sock, struct msghdr msg, size_t payload_len)
		65	release_sock(sk);
		66	}
		67
		68	- /* racing with another thread binding seems ok here */
		69	+ lock_sock(sk);
		70	if (daddr == 0 \|\| rs->rs_bound_addr == 0) {
		71	+ release_sock(sk);
		72	ret = -ENOTCONN; /* XXX not a great errno */
		73	goto out;
		74	}
		75	+ release_sock(sk);
		76
		77	if (payload_len > rds_sk_sndbuf(rs)) {
		78	ret = -EMSGSIZE;
		79	--
		80	2.4.9


diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 45df7b3..45a2ece 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
18	file://keys-CVE-2015-1333.patch \	18	file://keys-CVE-2015-1333.patch \
19	file://udp_fix_behavior_of_wrong_checksums.patch \	19	file://udp_fix_behavior_of_wrong_checksums.patch \
20	file://RDS-CVE-2015-6937.patch \	20	file://RDS-CVE-2015-6937.patch \
		21	file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
21	"	22	"
22		23
23	S = "${WORKDIR}/git"	24	S = "${WORKDIR}/git"


diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index 85e5fe3..f927122 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -23,6 +23,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
23	file://defconfig \	23	file://defconfig \
24	file://keys-CVE-2015-1333.patch \	24	file://keys-CVE-2015-1333.patch \
25	file://RDS-CVE-2015-6937.patch \	25	file://RDS-CVE-2015-6937.patch \
		26	file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
26	"	27	"
27		28
28	S = "${WORKDIR}/git"	29	S = "${WORKDIR}/git"