[linux] 02/03: packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
debian-kernel at lists.debian.org
Thu Aug 17 23:59:40 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch stretch-security
in repository linux.
commit cad5bfad77a5c4f82896ac31853c18ddba5150ca
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Aug 17 23:05:38 2017 +0100
packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
---
debian/changelog | 1 +
...et-fix-tp_reserve-race-in-packet_set_ring.patch | 46 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 48 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index f6e4719..8a73185 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ linux (4.9.30-2+deb9u4) UNRELEASED; urgency=medium
* ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
(CVE-2017-1000380)
* xfrm: policy: check policy direction value (CVE-2017-11600)
+ * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 06 Aug 2017 15:21:20 +0100
diff --git a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
new file mode 100644
index 0000000..f2637f4
--- /dev/null
+++ b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
@@ -0,0 +1,46 @@
+From: Willem de Bruijn <willemb at google.com>
+Date: Thu, 10 Aug 2017 12:41:58 -0400
+Subject: packet: fix tp_reserve race in packet_set_ring
+Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111
+
+Updates to tp_reserve can race with reads of the field in
+packet_set_ring. Avoid this by holding the socket lock during
+updates in setsockopt PACKET_RESERVE.
+
+This bug was discovered by syzkaller.
+
+Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3698,14 +3698,19 @@ packet_setsockopt(struct socket *sock, i
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+ if (val > INT_MAX)
+ return -EINVAL;
+- po->tp_reserve = val;
+- return 0;
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_reserve = val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_LOSS:
+ {
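Review bot: In the PACKET_RESERVE case of the embedded af_packet.c change, the added lines use `sk` and `ret` (`lock_sock(sk);`, `ret = -EBUSY;`), but neither is declared in the visible context, so confirm that both are already in scope in packet_setsockopt() in the 4.9.30 tree this patch is applied to; otherwise the backport will not build. Moving the pg_vec check and the tp_reserve store under lock_sock() also only closes the race if packet_set_ring() reads tp_reserve while holding the same socket lock, which this hunk does not show. A line in the patch header stating whether the upstream commit applied unchanged or was adjusted for 4.9 would record that both points were checked.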
diff --git a/debian/patches/series b/debian/patches/series
index f750aba..0bea238 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -137,6 +137,7 @@ bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch
bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
bugfix/all/xfrm-policy-check-policy-direction-value.patch
+bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git