[linux] 01/01: packet: fix races in fanout_add() (CVE-2017-6346)
debian-kernel at lists.debian.org
Tue Mar 7 16:53:09 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit ff9712aae29b561ae61ad1ec358ed51a1f17ed6a
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Tue Mar 7 17:48:25 2017 +0100
packet: fix races in fanout_add() (CVE-2017-6346)
---
debian/changelog | 1 +
.../all/packet-fix-races-in-fanout_add.patch | 72 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 74 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d0b4cf4..9e62ba5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ linux (3.16.39-1+deb8u2) UNRELEASED; urgency=medium
(CVE-2017-6353)
* tcp: avoid infinite loop in tcp_splice_read() (CVE-2017-6214)
* net/llc: avoid BUG_ON() in skb_orphan() (CVE-2017-6345)
+ * packet: fix races in fanout_add() (CVE-2017-6346)
-- Salvatore Bonaccorso <carnil at debian.org> Tue, 07 Mar 2017 17:10:30 +0100
diff --git a/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch b/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch
new file mode 100644
index 0000000..864625c
--- /dev/null
+++ b/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch
@@ -0,0 +1,72 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Tue, 14 Feb 2017 09:03:51 -0800
+Subject: packet: fix races in fanout_add()
+Origin: https://git.kernel.org/linus/d199fab63c11998a602205f7ee7ff7c05c97164b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6346
+
+Multiple threads can call fanout_add() at the same time.
+
+We need to grab fanout_mutex earlier to avoid races that could
+lead to one thread freeing po->rollover that was set by another thread.
+
+Do the same in fanout_release(), for peace of mind, and to help us
+finding lockdep issues earlier.
+
+Fixes: dc99f600698d ("packet: Add fanout support.")
+Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Cc: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.16:
+ - No rollover queue stats
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1451,13 +1451,16 @@ static int fanout_add(struct sock *sk, u
+ return -EINVAL;
+ }
+
++ mutex_lock(&fanout_mutex);
++
++ err = -EINVAL;
+ if (!po->running)
+- return -EINVAL;
++ goto out;
+
++ err = -EALREADY;
+ if (po->fanout)
+- return -EALREADY;
++ goto out;
+
+- mutex_lock(&fanout_mutex);
+ match = NULL;
+ list_for_each_entry(f, &fanout_list, list) {
+ if (f->id == id &&
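Review bot: The two early exits in fanout_add() (the !po->running and po->fanout checks) now `goto out` with fanout_mutex held, but the `out:` label lies outside the visible context, so this hunk alone does not show that the label releases the mutex. Please confirm that in the 3.16 tree `out:` reaches `mutex_unlock(&fanout_mutex)` and that no path between the new lock site and that label returns directly, since either failure path would otherwise leave the mutex held. Separately, the patch header describes the race in terms of po->rollover, while neither backported hunk touches po->rollover; extending the "[bwh: Backported to 3.16: ...]" note to say which race remains relevant here would make the backport easier to audit.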
+@@ -1513,17 +1516,16 @@ static void fanout_release(struct sock *
+ struct packet_sock *po = pkt_sk(sk);
+ struct packet_fanout *f;
+
+- f = po->fanout;
+- if (!f)
+- return;
+-
+ mutex_lock(&fanout_mutex);
+- po->fanout = NULL;
++ f = po->fanout;
++ if (f) {
++ po->fanout = NULL;
+
+- if (atomic_dec_and_test(&f->sk_ref)) {
+- list_del(&f->list);
+- dev_remove_pack(&f->prot_hook);
+- kfree(f);
++ if (atomic_dec_and_test(&f->sk_ref)) {
++ list_del(&f->list);
++ dev_remove_pack(&f->prot_hook);
++ kfree(f);
++ }
+ }
+ mutex_unlock(&fanout_mutex);
+ }
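Review bot: fanout_release() now calls mutex_lock(&fanout_mutex) unconditionally, where the removed `if (!f) return;` fast path used to exit without taking any lock, so every caller now needs to be in a context that may sleep and must not already hold fanout_mutex. The call sites are not visible in this patch; please check each caller of fanout_release() in the 3.16 tree for atomic context (spinlock or RCU read-side sections) before this lands on jessie-security. Moving the read of po->fanout under the mutex is otherwise the right shape, since `f = po->fanout` and `po->fanout = NULL` are now one critical section.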
diff --git a/debian/patches/series b/debian/patches/series
index 2b7ec57..2d95fa9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -698,6 +698,7 @@ bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
bugfix/all/net-llc-avoid-BUG_ON-in-skb_orphan.patch
+bugfix/all/packet-fix-races-in-fanout_add.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git