[linux] 05/07: mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
debian-kernel at lists.debian.org
Fri Jul 28 08:16:09 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 88a396dacd50d674ae2a669c04b28146dfe3cc34
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Jul 28 09:09:25 2017 +0200
mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
---
debian/changelog | 1 +
...eue-fix-a-use-after-free-in-sys_mq_notify.patch | 50 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 52 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index f37d940..dc4aff5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ linux (3.16.43-2+deb8u3) UNRELEASED; urgency=medium
* [x86] mm: Tighten x86 /dev/mem with zeroing reads (CVE-2017-7889)
* [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
* xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
+ * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
-- Salvatore Bonaccorso <carnil at debian.org> Thu, 27 Jul 2017 22:02:24 +0200
diff --git a/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch b/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
new file mode 100644
index 0000000..109dc1a
--- /dev/null
+++ b/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
@@ -0,0 +1,50 @@
+From: Cong Wang <xiyou.wangcong at gmail.com>
+Date: Sun, 9 Jul 2017 13:19:55 -0700
+Subject: mqueue: fix a use-after-free in sys_mq_notify()
+Origin: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11176
+
+The retry logic for netlink_attachskb() inside sys_mq_notify()
+is nasty and vulnerable:
+
+1) The sock refcnt is already released when retry is needed
+2) The fd is controllable by user-space because we already
+ release the file refcnt
+
+so we when retry but the fd has been just closed by user-space
+during this small window, we end up calling netlink_detachskb()
+on the error path which releases the sock again, later when
+the user-space closes this socket a use-after-free could be
+triggered.
+
+Setting 'sock' to NULL here should be sufficient to fix it.
+
+Reported-by: GeneBlue <geneblue.mail at gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Manfred Spraul <manfred at colorfullife.com>
+Cc: stable at kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ ipc/mqueue.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index c9ff943f19ab..eb1391b52c6f 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -1270,8 +1270,10 @@ static int do_mq_notify(mqd_t mqdes, const struct sigevent *notification)
+
+ timeo = MAX_SCHEDULE_TIMEOUT;
+ ret = netlink_attachskb(sock, nc, &timeo, NULL);
+- if (ret == 1)
++ if (ret == 1) {
++ sock = NULL;
+ goto retry;
++ }
+ if (ret) {
+ sock = NULL;
+ nc = NULL;
+--
+2.11.0
+
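Review bot: in the inner ipc/mqueue.c hunk the new `if (ret == 1)` branch clears `sock` but leaves `nc` untouched, while the `if (ret)` error branch directly below it clears both `sock = NULL;` and `nc = NULL;`. The commit message explains the sock half (the sock refcnt is already released when a retry is needed), but nothing in the patch says why the skb held in `nc` is still ours to reuse on the retry path; a one-line comment above `sock = NULL;` stating that netlink_attachskb() drops the sock reference but not the skb on a 1 return would make the asymmetry read as deliberate. Separately, the hunk header names `do_mq_notify()` while the subject, the changelog entry and the Debian patch filename all say sys_mq_notify(); for a backport onto the jessie 3.16 tree it is worth confirming the hunk landed at the intended call site rather than relying on the function-name context in the `@@` line.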
diff --git a/debian/patches/series b/debian/patches/series
index 75e403e..faddea5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -720,6 +720,7 @@ bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
bugfix/x86/mm-Tighten-x86-dev-mem-with-zeroing-reads.patch
bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
+bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git