[linux] 06/06: ppp: take reference on channels netns (CVE-2016-4805)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Fri Jun 24 19:56:45 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit c229ea289ce0e27f61cd1b2baa818e29cbcef99d
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Fri Jun 24 21:56:17 2016 +0200

    ppp: take reference on channels netns (CVE-2016-4805)
---
 debian/changelog                                   |   1 +
 .../all/ppp-take-reference-on-channels-netns.patch | 144 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 146 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d362b84..688d827 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -40,6 +40,7 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
   * net: fix infoleak in rtnetlink (CVE-2016-4486)
   * net: fix a kernel infoleak in x25 module (CVE-2016-4580)
   * IB/security: Restrict use of the write() interface (CVE-2016-4565)
+  * ppp: take reference on channels netns (CVE-2016-4805)
 
   [ Salvatore Bonaccorso ]
   * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
diff --git a/debian/patches/bugfix/all/ppp-take-reference-on-channels-netns.patch b/debian/patches/bugfix/all/ppp-take-reference-on-channels-netns.patch
new file mode 100644
index 0000000..d839d46
--- /dev/null
+++ b/debian/patches/bugfix/all/ppp-take-reference-on-channels-netns.patch
@@ -0,0 +1,144 @@
+From: Guillaume Nault <g.nault at alphalink.fr>
+Date: Wed, 23 Mar 2016 16:38:55 +0100
+Subject: ppp: take reference on channels netns
+Origin: https://git.kernel.org/linus/1f461dcdd296eecedaffffc6bae2bfa90bd7eb89
+
+Let channels hold a reference on their network namespace.
+Some channel types, like ppp_async and ppp_synctty, can have their
+userspace controller running in a different namespace. Therefore they
+can't rely on them to preclude their netns from being removed from
+under them.
+
+==================================================================
+BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
+addr ffff880064e217e0
+Read of size 8 by task syz-executor/11581
+=============================================================================
+BUG net_namespace (Not tainted): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
+[<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
+[<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
+[<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
+[<     inline     >] slab_alloc kernel/mm/slub.c:2574
+[<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
+[<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
+[<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
+[<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
+[<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
+[<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
+[<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
+[<     inline     >] copy_process kernel/kernel/fork.c:1274
+[<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
+[<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
+[<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
+[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185
+
+INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
+[<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
+[<     inline     >] slab_free kernel/mm/slub.c:2805
+[<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
+[<     inline     >] net_free kernel/net/core/net_namespace.c:341
+[<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
+[<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
+[<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
+[<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
+[<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
+[<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
+INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
+flags=0x5fffc0000004080
+INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200
+
+CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+ 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
+ ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
+ ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
+Call Trace:
+ [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
+ [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
+ [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
+ [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
+ [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
+ [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
+ [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
+ [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
+ [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
+ [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
+ [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
+ [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
+ [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
+ [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
+ [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
+ [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
+ [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
+ [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
+ [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
+ [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
+ [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
+ [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
+ [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
+ [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
+ [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
+ [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
+ [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
+ [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
+ [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
+ [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
+ [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
+ [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
+ [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
+ [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
+ [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
+ [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
+ [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
+ [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
+ [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
+ [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
+ [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
+ [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
+ [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
+ [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
+ [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
+ [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
+Memory state around the buggy address:
+ ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                       ^
+ ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
+Reported-by: Baozeng Ding <sploving1 at gmail.com>
+Signed-off-by: Guillaume Nault <g.nault at alphalink.fr>
+Reviewed-by: Cyrill Gorcunov <gorcunov at openvz.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/ppp/ppp_generic.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -2238,7 +2238,7 @@ int ppp_register_net_channel(struct net
+ 
+ 	pch->ppp = NULL;
+ 	pch->chan = chan;
+-	pch->chan_net = net;
++	pch->chan_net = get_net(net);
+ 	chan->ppp = pch;
+ 	init_ppp_file(&pch->file, CHANNEL);
+ 	pch->file.hdrlen = chan->hdrlen;
+@@ -2335,6 +2335,8 @@ ppp_unregister_channel(struct ppp_channe
+ 	spin_lock_bh(&pn->all_channels_lock);
+ 	list_del(&pch->list);
+ 	spin_unlock_bh(&pn->all_channels_lock);
++	put_net(pch->chan_net);
++	pch->chan_net = NULL;
+ 
+ 	pch->file.dead = 1;
+ 	wake_up_interruptible(&pch->file.rwait);
diff --git a/debian/patches/series b/debian/patches/series
index f0198e2..9766e20 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -701,3 +701,4 @@ bugfix/all/net-fix-infoleak-in-llc.patch
 bugfix/all/net-fix-infoleak-in-rtnetlink.patch
 bugfix/all/net-fix-a-kernel-infoleak-in-x25-module.patch
 bugfix/all/ib-security-restrict-use-of-the-write-interface.patch
+bugfix/all/ppp-take-reference-on-channels-netns.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list