[linux] 02/03: packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Aug 17 23:59:40 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch stretch-security
in repository linux.

commit cad5bfad77a5c4f82896ac31853c18ddba5150ca
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Aug 17 23:05:38 2017 +0100

    packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
---
 debian/changelog                                   |  1 +
 ...et-fix-tp_reserve-race-in-packet_set_ring.patch | 46 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 48 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index f6e4719..8a73185 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ linux (4.9.30-2+deb9u4) UNRELEASED; urgency=medium
   * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
     (CVE-2017-1000380)
   * xfrm: policy: check policy direction value (CVE-2017-11600)
+  * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 06 Aug 2017 15:21:20 +0100
 
diff --git a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
new file mode 100644
index 0000000..f2637f4
--- /dev/null
+++ b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
@@ -0,0 +1,46 @@
+From: Willem de Bruijn <willemb at google.com>
+Date: Thu, 10 Aug 2017 12:41:58 -0400
+Subject: packet: fix tp_reserve race in packet_set_ring
+Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111
+
+Updates to tp_reserve can race with reads of the field in
+packet_set_ring. Avoid this by holding the socket lock during
+updates in setsockopt PACKET_RESERVE.
+
+This bug was discovered by syzkaller.
+
+Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3698,14 +3698,19 @@ packet_setsockopt(struct socket *sock, i
+ 
+ 		if (optlen != sizeof(val))
+ 			return -EINVAL;
+-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-			return -EBUSY;
+ 		if (copy_from_user(&val, optval, sizeof(val)))
+ 			return -EFAULT;
+ 		if (val > INT_MAX)
+ 			return -EINVAL;
+-		po->tp_reserve = val;
+-		return 0;
++		lock_sock(sk);
++		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++			ret = -EBUSY;
++		} else {
++			po->tp_reserve = val;
++			ret = 0;
++		}
++		release_sock(sk);
++		return ret;
+ 	}
+ 	case PACKET_LOSS:
+ 	{
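Review bot: In the PACKET_RESERVE case, the added lines call lock_sock(sk) and assign to ret, but neither sk nor ret is declared in the visible context. The change therefore depends on both already being in scope at the top of packet_setsockopt in the 4.9 tree, which is worth confirming with a build of the patched source. The locking itself looks right: copy_from_user and the val > INT_MAX check stay outside the lock, and the pg_vec test and the po->tp_reserve store now form one critical section under the socket lock, which is what the commit message describes. One side effect of moving the pg_vec test below the copy: when a ring is already set up, a bad optval now returns -EFAULT or -EINVAL where it previously returned -EBUSY. That is harmless, but worth a line in the patch header if any caller is known to depend on the old error order.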
diff --git a/debian/patches/series b/debian/patches/series
index f750aba..0bea238 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -137,6 +137,7 @@ bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch
 bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
 bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
 bugfix/all/xfrm-policy-check-policy-direction-value.patch
+bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


