From: Greg Kroah-Hartman Date: Thu, 13 Jul 2017 12:08:05 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.61~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=974137dadcc3cdc3b2d15a9f14e1ce8800e87e80;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: mqueue-fix-a-use-after-free-in-sys_mq_notify.patch --- diff --git a/queue-3.18/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch b/queue-3.18/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch new file mode 100644 index 00000000000..45e6f6ea1ad --- /dev/null +++ b/queue-3.18/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch @@ -0,0 +1,49 @@ +From f991af3daabaecff34684fd51fac80319d1baad1 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Sun, 9 Jul 2017 13:19:55 -0700 +Subject: mqueue: fix a use-after-free in sys_mq_notify() + +From: Cong Wang + +commit f991af3daabaecff34684fd51fac80319d1baad1 upstream. + +The retry logic for netlink_attachskb() inside sys_mq_notify() +is nasty and vulnerable: + +1) The sock refcnt is already released when retry is needed +2) The fd is controllable by user-space because we already + release the file refcnt + +so we when retry but the fd has been just closed by user-space +during this small window, we end up calling netlink_detachskb() +on the error path which releases the sock again, later when +the user-space closes this socket a use-after-free could be +triggered. + +Setting 'sock' to NULL here should be sufficient to fix it. + +Reported-by: GeneBlue +Signed-off-by: Cong Wang +Cc: Andrew Morton +Cc: Manfred Spraul +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/mqueue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -1239,8 +1239,10 @@ retry: + + timeo = MAX_SCHEDULE_TIMEOUT; + ret = netlink_attachskb(sock, nc, &timeo, NULL); +- if (ret == 1) ++ if (ret == 1) { ++ sock = NULL; + goto retry; ++ } + if (ret) { + sock = NULL; + nc = NULL; diff --git a/queue-3.18/series b/queue-3.18/series index 454e6648213..cadcad4be29 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -15,3 +15,4 @@ pinctrl-sh-pfc-update-info-pointer-after-soc-specific-init.patch usb-serial-option-add-two-longcheer-device-ids.patch usb-serial-qcserial-new-sierra-wireless-em7305-device-id.patch keys-fix-an-error-code-in-request_master_key.patch +mqueue-fix-a-use-after-free-in-sys_mq_notify.patch diff --git a/queue-4.11/series b/queue-4.11/series new file mode 100644 index 00000000000..379a42bd5b1 --- /dev/null +++ b/queue-4.11/series @@ -0,0 +1 @@ +mqueue-fix-a-use-after-free-in-sys_mq_notify.patch diff --git a/queue-4.12/series b/queue-4.12/series new file mode 100644 index 00000000000..379a42bd5b1 --- /dev/null +++ b/queue-4.12/series @@ -0,0 +1 @@ +mqueue-fix-a-use-after-free-in-sys_mq_notify.patch diff --git a/queue-4.4/series b/queue-4.4/series index 5f3a8341763..1353e5082ae 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -27,3 +27,4 @@ x86-uaccess-optimize-copy_user_enhanced_fast_string-for-short-strings.patch ath10k-override-ce5-config-for-qca9377.patch keys-fix-an-error-code-in-request_master_key.patch rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch +mqueue-fix-a-use-after-free-in-sys_mq_notify.patch diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..379a42bd5b1 --- /dev/null +++ b/queue-4.9/series @@ -0,0 +1 @@ +mqueue-fix-a-use-after-free-in-sys_mq_notify.patch