From: Greg Kroah-Hartman Date: Thu, 13 Jul 2017 12:08:54 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.61~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2966335b44eb5a044545f697edefd8ad7034bdc4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: mqueue-fix-a-use-after-free-in-sys_mq_notify.patch --- diff --git a/queue-4.4/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch b/queue-4.4/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch new file mode 100644 index 00000000000..e5920c56a34 --- /dev/null +++ b/queue-4.4/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch @@ -0,0 +1,49 @@ +From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Sun, 9 Jul 2017 13:19:55 -0700 +Subject: mqueue: fix a use-after-free in sys_mq_notify() + +From: Cong Wang + +commit f991af3daabaecff34684fd51fac80319d1baad1 upstream. + +The retry logic for netlink_attachskb() inside sys_mq_notify() +is nasty and vulnerable: + +1) The sock refcnt is already released when retry is needed +2) The fd is controllable by user-space because we already + release the file refcnt + +so we when retry but the fd has been just closed by user-space +during this small window, we end up calling netlink_detachskb() +on the error path which releases the sock again, later when +the user-space closes this socket a use-after-free could be +triggered. + +Setting 'sock' to NULL here should be sufficient to fix it. + +Reported-by: GeneBlue +Signed-off-by: Cong Wang +Cc: Andrew Morton +Cc: Manfred Spraul +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/mqueue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -1251,8 +1251,10 @@ retry: + + timeo = MAX_SCHEDULE_TIMEOUT; + ret = netlink_attachskb(sock, nc, &timeo, NULL); +- if (ret == 1) ++ if (ret == 1) { ++ sock = NULL; + goto retry; ++ } + if (ret) { + sock = NULL; + nc = NULL;