[linux] 03/03: RDS: verify the underlying transport exists before creating a connection (CVE-2015-6937)
debian-kernel at lists.debian.org
Sat Sep 19 01:27:48 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux.
commit 57644b0054233fdd55c77208ab454239af0b7bb7
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Sep 19 03:25:49 2015 +0200
RDS: verify the underlying transport exists before creating a connection (CVE-2015-6937)
---
debian/changelog | 2 +
...the-underlying-transport-exists-before-cr.patch | 74 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 77 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 8dd0d2d..8a5b911 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,8 @@ linux (4.2-1~exp2) UNRELEASED; urgency=medium
- vfs: Test for and handle paths that are unreachable from their mnt_root
* aufs: Update support patches to aufs4.x-rcN-20150921
- mmap: Fix races in madvise_remove() and sys_msync() (Closes: #796036)
+ * RDS: verify the underlying transport exists before creating a connection
+ (CVE-2015-6937)
[ Aurelien Jarno ]
* [mips*el] Fix BPF assembly code for pre-R2 CPUs. (fixes FTBFS)
diff --git a/debian/patches/bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch b/debian/patches/bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch
new file mode 100644
index 0000000..0068818
--- /dev/null
+++ b/debian/patches/bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch
@@ -0,0 +1,74 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Date: Tue, 8 Sep 2015 10:53:40 -0400
+Subject: RDS: verify the underlying transport exists before creating a
+ connection
+Origin: https://git.kernel.org/linus/74e98eb085889b0d2d4908f59f6e00026063014f
+
+There was no verification that an underlying transport exists when creating
+a connection, this would cause dereferencing a NULL ptr.
+
+It might happen on sockets that weren't properly bound before attempting to
+send a message, which will cause a NULL ptr deref:
+
+[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+[135546.051270] Modules linked in:
+[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
+[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
+[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
+[135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202
+[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
+[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
+[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
+[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
+[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
+[135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
+[135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
+[135546.064723] Stack:
+[135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
+[135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
+[135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
+[135546.068629] Call Trace:
+[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
+[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
+[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
+[135546.071981] rds_sendmsg (net/rds/send.c:1058)
+[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
+[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
+[135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
+[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
+[135546.076349] ? __might_fault (mm/memory.c:3795)
+[135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
+[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
+[135546.078856] SYSC_sendto (net/socket.c:1657)
+[135546.079596] ? SYSC_connect (net/socket.c:1628)
+[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
+[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
+[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
+[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
+[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
+
+Acked-by: Santosh Shilimkar <santosh.shilimkar at oracle.com>
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rds/connection.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/rds/connection.c
++++ b/net/rds/connection.c
+@@ -187,6 +187,12 @@ new_conn:
+ }
+ }
+
++ if (trans == NULL) {
++ kmem_cache_free(rds_conn_slab, conn);
++ conn = ERR_PTR(-ENODEV);
++ goto out;
++ }
++
+ conn->c_trans = trans;
+
+ ret = trans->conn_alloc(conn, gfp);
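Review bot: the added NULL check is placed correctly, directly before the first dereference of `trans` (`conn->c_trans = trans;` followed by `trans->conn_alloc(conn, gfp)`), but it runs after `conn` has already been taken from `rds_conn_slab`, which is why the error path needs the `kmem_cache_free(rds_conn_slab, conn)` before `conn = ERR_PTR(-ENODEV); goto out;`. Worth confirming from the surrounding code (not shown in this hunk) that nothing else on `conn` has been initialised by this point that would need tearing down, and that the callers visible in the trace, `rds_conn_create_outgoing` and `rds_sendmsg`, propagate the `ERR_PTR` so userspace sees -ENODEV rather than a second dereference. The `rds_ib_laddr_check(): addr ... ret -99` line in the trace (-99 is EADDRNOTAVAIL) is consistent with the transport lookup failing for an address the host does not own, which is how `trans` ends up NULL on an improperly bound socket; that message is a useful log indicator for a defender watching for this condition on a system still running an unpatched kernel. The patch header carries the upstream `Origin:` URL and the body matches the upstream commit, so this is a clean cherry-pick with no Debian-specific adjustment needed.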
diff --git a/debian/patches/series b/debian/patches/series
index 84f548f..0249b65 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -94,3 +94,4 @@ bugfix/all/workqueue-make-flush_workqueue-available-again-to-no.patch
bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
bugfix/all/dcache-reduce-the-scope-of-i_lock-in-d_splice_alias.patch
bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
+bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch