From: Greg Kroah-Hartman Date: Thu, 13 Jul 2017 12:08:23 +0000 (+0200) Subject: 4.11-stable patches X-Git-Tag: v3.18.61~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ea29c4e35659b0431df00176db66f51b4e76c2a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.11-stable patches added patches: mqueue-fix-a-use-after-free-in-sys_mq_notify.patch --- diff --git a/queue-4.11/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch b/queue-4.11/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch new file mode 100644 index 00000000000..b31d7d9d6ba --- /dev/null +++ b/queue-4.11/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch @@ -0,0 +1,49 @@ +From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Sun, 9 Jul 2017 13:19:55 -0700 +Subject: mqueue: fix a use-after-free in sys_mq_notify() + +From: Cong Wang + +commit f991af3daabaecff34684fd51fac80319d1baad1 upstream. + +The retry logic for netlink_attachskb() inside sys_mq_notify() +is nasty and vulnerable: + +1) The sock refcnt is already released when retry is needed +2) The fd is controllable by user-space because we already + release the file refcnt + +so we when retry but the fd has been just closed by user-space +during this small window, we end up calling netlink_detachskb() +on the error path which releases the sock again, later when +the user-space closes this socket a use-after-free could be +triggered. + +Setting 'sock' to NULL here should be sufficient to fix it. + +Reported-by: GeneBlue +Signed-off-by: Cong Wang +Cc: Andrew Morton +Cc: Manfred Spraul +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/mqueue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -1253,8 +1253,10 @@ retry: + + timeo = MAX_SCHEDULE_TIMEOUT; + ret = netlink_attachskb(sock, nc, &timeo, NULL); +- if (ret == 1) ++ if (ret == 1) { ++ sock = NULL; + goto retry; ++ } + if (ret) { + sock = NULL; + nc = NULL;