[linux] 01/02: packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)

Fri Aug 11 07:35:56 UTC 2017

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch master
in repository linux.

commit 3b6247dba42d12c7dbcaad64d7ab0e7342e9437b
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Fri Aug 11 09:08:42 2017 +0200

    packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
---
 debian/changelog                                   |  1 +
 ...et-fix-tp_reserve-race-in-packet_set_ring.patch | 51 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 53 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 766d60f..dee0e3f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -257,6 +257,7 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
   [ Salvatore Bonaccorso ]
   * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
   * media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
+  * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
 
   [ Uwe Kleine-König ]
   * [arm64] enable MMC_SDHCI_XENON and MVNETA for Espressobin and enable
diff --git a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
new file mode 100644
index 0000000..d6e14ad
--- /dev/null
+++ b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
@@ -0,0 +1,51 @@
+From: Willem de Bruijn <willemb at google.com>
+Date: Thu, 10 Aug 2017 12:41:58 -0400
+Subject: packet: fix tp_reserve race in packet_set_ring
+Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111
+
+Updates to tp_reserve can race with reads of the field in
+packet_set_ring. Avoid this by holding the socket lock during
+updates in setsockopt PACKET_RESERVE.
+
+This bug was discovered by syzkaller.
+
+Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 0615c2a950fa..008a45ca3112 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ 
+ 		if (optlen != sizeof(val))
+ 			return -EINVAL;
+-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-			return -EBUSY;
+ 		if (copy_from_user(&val, optval, sizeof(val)))
+ 			return -EFAULT;
+ 		if (val > INT_MAX)
+ 			return -EINVAL;
+-		po->tp_reserve = val;
+-		return 0;
++		lock_sock(sk);
++		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++			ret = -EBUSY;
++		} else {
++			po->tp_reserve = val;
++			ret = 0;
++		}
++		release_sock(sk);
++		return ret;
+ 	}
+ 	case PACKET_LOSS:
+ 	{
+-- 
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 6cf81f4..95ad2ae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -121,6 +121,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
 bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
+bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

