From 1d249380d6e9614e09ba9a71793ab26e47116650 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Tue, 14 Nov 2017 07:52:31 +0100
Subject: linux-cavium: CVE-2017-11176 fix a use-after-free in sys_mq_notify()
Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-11176
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 .../linux/linux-cavium/CVE-2017-11176.patch | 52 ++++++++++++++++++++++
 recipes-kernel/linux/linux-cavium_4.9.inc | 1 +
 2 files changed, 53 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-11176.patch
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-11176.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-11176.patch
new file mode 100644
index 0000000..a6bc539
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-11176.patch
@@ -0,0 +1,52 @@
+From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Sun, 9 Jul 2017 13:19:55 -0700
+Subject: mqueue: fix a use-after-free in sys_mq_notify()
+
+The retry logic for netlink_attachskb() inside sys_mq_notify()
+is nasty and vulnerable:
+
+1) The sock refcnt is already released when retry is needed
+2) The fd is controllable by user-space because we already
+ release the file refcnt
+
+so we when retry but the fd has been just closed by user-space
+during this small window, we end up calling netlink_detachskb()
+on the error path which releases the sock again, later when
+the user-space closes this socket a use-after-free could be
+triggered.
+
+Setting 'sock' to NULL here should be sufficient to fix it.
+CVE: CVE-2017-11176
+Upstream-Status: Backport [from: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1]
+
+Reported-by: GeneBlue
+Signed-off-by: Cong Wang
+Cc: Andrew Morton
+Cc: Manfred Spraul
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sona Sarmadi
+---
+ ipc/mqueue.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index c9ff943..eb1391b 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -1270,8 +1270,10 @@ retry:
+ 
+ timeo = MAX_SCHEDULE_TIMEOUT;
+ ret = netlink_attachskb(sock, nc, &timeo, NULL);
+- if (ret == 1)
++ if (ret == 1) {
++ sock = NULL;
+ goto retry;
++ }
+ if (ret) {
+ sock = NULL;
+ nc = NULL;
+--
+cgit v1.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 1c504fe..1758a30 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
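Review bot: The backported hunk `@@ -1270,8 +1270,10 @@ retry:` carries mainline line numbers and context, and neither the wrapper commit nor the `Upstream-Status:` line says against which linux-cavium 4.9 revision the patch was confirmed to apply; if that branch already received the fix through the stable series, the same `sock = NULL;` would already be present and the patch would be rejected in do_patch as already applied, so the do_patch log should be checked for offset/fuzz or reverse-apply messages rather than assumed clean. I would add a line after `Upstream-Status:` such as `Verified against linux-cavium <BRANCH-OR-SHA> on <DATE>` (placeholders to fill in) so the next CVE sweep can tell which tree this was validated on. The body of `sys_mq_notify()`, including the `retry:` label whose re-lookup of the socket the description relies on, lies outside the hunk, so the claim that clearing `sock` before `goto retry` is sufficient cannot be confirmed from the diff alone and should be checked in the 4.9 source.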
@@ -39,6 +39,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-8831.patch \
 file://CVE-2017-1000364.patch \
 file://0001-openvswitch-fixed-kernel-crash.patch \
+ file://CVE-2017-11176.patch \
 "
 LINUX_KERNEL_TYPE = "tiny"
--
cgit v1.2.3-54-g00ecf