[linux] 01/01: af_unix: Guard against other == sk in unix_dgram_sendmsg

debian-kernel at lists.debian.org
Wed Feb 17 16:56:29 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit 28c0c02e7340799f17ad49ca36aeffa648fb4e12
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Feb 17 16:49:10 2016 +0000

    af_unix: Guard against other == sk in unix_dgram_sendmsg
    
    Fixes a regression in 2.6.32-48squeeze17 introduced by fix for CVE-2013-7446.
---
 debian/changelog                                   |  2 ++
 ...rd-against-other-sk-in-unix_dgram_sendmsg.patch | 40 ++++++++++++++++++++++
 debian/patches/series/48squeeze20                  |  1 +
 3 files changed, 43 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 7029b5c..e858858 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ linux-2.6 (2.6.32-48squeeze20) UNRELEASED; urgency=medium
     (CVE-2015-8812)
   * iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812)
   * ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-2384)
+  * af_unix: Guard against other == sk in unix_dgram_sendmsg
+    (regression in 2.6.32-48squeeze17)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 13 Feb 2016 18:55:35 +0000
 
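Review bot: The new changelog entry says only "(regression in 2.6.32-48squeeze17)" and does not name the change that regressed. The commit message attributes it to the fix for CVE-2013-7446; carrying that into the entry, for example "(regression in 2.6.32-48squeeze17, introduced by the fix for CVE-2013-7446)", would let someone reading the changelog alone connect the two.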
diff --git a/debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch b/debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
new file mode 100644
index 0000000..7e119b4
--- /dev/null
+++ b/debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
@@ -0,0 +1,40 @@
+From: Rainer Weikusat <rweikusat at mobileactivedefense.com>
+Date: Thu, 11 Feb 2016 19:37:27 +0000
+Subject: af_unix: Guard against other == sk in unix_dgram_sendmsg
+Origin: http://mid.gmane.org/87r3gj11jc.fsf_-_@doppelsaurus.mobileactivedefense.com
+
+The unix_dgram_sendmsg routine use the following test
+
+if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+
+to determine if sk and other are in an n:1 association (either
+established via connect or by using sendto to send messages to an
+unrelated socket identified by address). This isn't correct as the
+specified address could have been bound to the sending socket itself or
+because this socket could have been connected to itself by the time of
+the unix_peer_get but disconnected before the unix_state_lock(other). In
+both cases, the if-block would be entered despite other == sk which
+might either block the sender unintentionally or lead to trying to unlock
+the same spin lock twice for a non-blocking send. Add a other != sk
+check to guard against this.
+
+Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
+Reported-By: Philipp Hahn <pmhahn at pmhahn.de>
+Signed-off-by: Rainer Weikusat <rweikusat at mobileactivedefense.com>
+---
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1616,7 +1616,12 @@ restart_locked:
+ 			goto out_unlock;
+ 	}
+ 
+-	if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
++	/* other == sk && unix_peer(other) != sk if
++	 * - unix_peer(sk) == NULL, destination address bound to sk
++	 * - unix_peer(sk) == sk by time of get but disconnected before lock
++	 */
++	if (other != sk &&
++	    unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ 		if (timeo) {
+ 			timeo = unix_wait_for_peer(other, timeo);
+ 
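Review bot: The comment added above `if (other != sk &&` lists the two ways other == sk can hold while unix_peer(other) != sk, but not what goes wrong if the block is entered in that state. The patch description has it (the sender blocking unintentionally, or a non-blocking send trying to unlock the same spin lock twice), and one line of that in the comment would keep the reason next to the check. Two smaller points: the new `other != sk` test sits outside unlikely(), which is harmless but leaves the branch hint covering only part of the condition, and the header's Origin: points at a mailing-list message rather than a commit, so it is worth replacing with the upstream commit id once there is one.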
diff --git a/debian/patches/series/48squeeze20 b/debian/patches/series/48squeeze20
index 7d1e90d..92985e7 100644
--- a/debian/patches/series/48squeeze20
+++ b/debian/patches/series/48squeeze20
@@ -2,3 +2,4 @@
 + bugfix/all/rdma-cxgb3-don-t-free-skbs-on-net_xmit_-indications-.patch
 + bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
 + bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch
++ bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


