[linux] 05/07: packet: fix races in fanout_add() (CVE-2017-6346)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Mar 7 02:36:44 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 0f32df084383e43df98d59a39db1f1ffd6d32b14
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Mar 7 02:17:09 2017 +0000

    packet: fix races in fanout_add() (CVE-2017-6346)
---
 debian/changelog                                   |  1 +
 .../all/packet-fix-races-in-fanout_add.patch       | 72 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 74 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 29a5adc..cfb96c8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -80,6 +80,7 @@ linux (3.2.86-1) UNRELEASED; urgency=medium
   * ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)
   * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
   * net/llc: avoid BUG_ON() in skb_orphan() (CVE-2017-6345)
+  * packet: fix races in fanout_add() (CVE-2017-6346)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Tue, 07 Mar 2017 01:47:48 +0000
 
diff --git a/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch b/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch
new file mode 100644
index 0000000..f2e6404
--- /dev/null
+++ b/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch
@@ -0,0 +1,72 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Tue, 14 Feb 2017 09:03:51 -0800
+Subject: packet: fix races in fanout_add()
+Origin: https://git.kernel.org/linus/d199fab63c11998a602205f7ee7ff7c05c97164b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6346
+
+Multiple threads can call fanout_add() at the same time.
+
+We need to grab fanout_mutex earlier to avoid races that could
+lead to one thread freeing po->rollover that was set by another thread.
+
+Do the same in fanout_release(), for peace of mind, and to help us
+finding lockdep issues earlier.
+
+Fixes: dc99f600698d ("packet: Add fanout support.")
+Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Cc: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2:
+ - No rollover queue stats
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1286,13 +1286,16 @@ static int fanout_add(struct sock *sk, u
+ 		return -EINVAL;
+ 	}
+ 
++	mutex_lock(&fanout_mutex);
++
++	err = -EINVAL;
+ 	if (!po->running)
+-		return -EINVAL;
++		goto out;
+ 
++	err = -EALREADY;
+ 	if (po->fanout)
+-		return -EALREADY;
++		goto out;
+ 
+-	mutex_lock(&fanout_mutex);
+ 	match = NULL;
+ 	list_for_each_entry(f, &fanout_list, list) {
+ 		if (f->id == id &&
+@@ -1348,17 +1351,16 @@ static void fanout_release(struct sock *
+ 	struct packet_sock *po = pkt_sk(sk);
+ 	struct packet_fanout *f;
+ 
++	mutex_lock(&fanout_mutex);
+ 	f = po->fanout;
+-	if (!f)
+-		return;
+-
+-	po->fanout = NULL;
++	if (f) {
++		po->fanout = NULL;
+ 
+-	mutex_lock(&fanout_mutex);
+-	if (atomic_dec_and_test(&f->sk_ref)) {
+-		list_del(&f->list);
+-		dev_remove_pack(&f->prot_hook);
+-		kfree(f);
++		if (atomic_dec_and_test(&f->sk_ref)) {
++			list_del(&f->list);
++			dev_remove_pack(&f->prot_hook);
++			kfree(f);
++		}
+ 	}
+ 	mutex_unlock(&fanout_mutex);
+ }
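Review bot: In the fanout_add() hunk, `po->running` is now tested under `fanout_mutex`, but nothing visible here shows that the writers of `po->running` take that mutex. If they are serialised by a different lock elsewhere in af_packet.c, the check can still race with a concurrent bind or unbind on the same socket, so this should be confirmed against the 3.2 tree. The two new `goto out` paths also rely on the `out:` label releasing `fanout_mutex`; that label, like the start and end of fanout_add(), lies outside the hunk and should be checked in the backport because the context was adjusted. I would record the invariant at the lock site in both functions, e.g. `/* fanout_mutex serialises fanout_add()/fanout_release() updates of po->fanout and fanout_list */`, so that later backports do not move the checks back out of the critical section.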
diff --git a/debian/patches/series b/debian/patches/series
index 2f3eac8..3506891 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1109,6 +1109,7 @@ bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
 bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
 bugfix/all/sctp-avoid-bug_on-on-sctp_wait_for_sndbuf.patch
 bugfix/all/net-llc-avoid-bug_on-in-skb_orphan.patch
+bugfix/all/packet-fix-races-in-fanout_add.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


