[linux] 03/03: mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Aug 17 20:34:00 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit ce6f83b82ae319fa5b853966cdebb6d93d9311b7
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Aug 17 21:33:39 2017 +0100

    mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
---
 debian/changelog                                   |  1 +
 ...eue-fix-a-use-after-free-in-sys_mq_notify.patch | 45 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 47 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 83bffcf..47c5c97 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -93,6 +93,7 @@ linux (3.2.91-1) UNRELEASED; urgency=medium
 
   [ Ben Hutchings ]
   * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
+  * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 03 Jul 2017 17:17:55 +0100
 
diff --git a/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch b/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
new file mode 100644
index 0000000..baa937b
--- /dev/null
+++ b/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
@@ -0,0 +1,45 @@
+From: Cong Wang <xiyou.wangcong at gmail.com>
+Date: Sun, 9 Jul 2017 13:19:55 -0700
+Subject: mqueue: fix a use-after-free in sys_mq_notify()
+Origin: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11176
+
+The retry logic for netlink_attachskb() inside sys_mq_notify()
+is nasty and vulnerable:
+
+1) The sock refcnt is already released when retry is needed
+2) The fd is controllable by user-space because we already
+   release the file refcnt
+
+so we when retry but the fd has been just closed by user-space
+during this small window, we end up calling netlink_detachskb()
+on the error path which releases the sock again, later when
+the user-space closes this socket a use-after-free could be
+triggered.
+
+Setting 'sock' to NULL here should be sufficient to fix it.
+
+Reported-by: GeneBlue <geneblue.mail at gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Manfred Spraul <manfred at colorfullife.com>
+Cc: stable at kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ ipc/mqueue.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -1095,8 +1095,10 @@ retry:
+ 
+ 			timeo = MAX_SCHEDULE_TIMEOUT;
+ 			ret = netlink_attachskb(sock, nc, &timeo, NULL);
+-			if (ret == 1)
++			if (ret == 1) {
++				sock = NULL;
+ 				goto retry;
++			}
+ 			if (ret) {
+ 				sock = NULL;
+ 				nc = NULL;
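Review bot: The new `sock = NULL;` before `goto retry` is only safe if the `retry:` label (above the visible context at line 1095) re-acquires `sock` from the fd lookup on every pass and the common cleanup path guards `netlink_detachskb()` with a NULL check on `sock`; please confirm both hold in this 3.2 tree, since neither is visible in the hunk and the fix depends on them. The asymmetry with the existing error branch, which clears both `sock` and `nc`, is consistent with the description at the top of the patch: when `netlink_attachskb()` returns 1 it has already dropped the sock reference but left the skb with the caller, so `nc` must stay set for the retry, whereas on a negative return the skb is gone as well. A one-line comment next to `sock = NULL;` stating that the reference has already been released by `netlink_attachskb()` would make this clearer to future readers of the backport.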
diff --git a/debian/patches/series b/debian/patches/series
index d8ccdca..5d24aad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1112,6 +1112,7 @@ features/all/net-add-kfree_skb_list.patch
 bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
 bugfix/arm/mm-larger-stack-guard-gap-between-vmas-arm-topdown.patch
 bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git