diff options
Diffstat (limited to 'meta-snowyowl/recipes-kernel/linux/files/0183-mqueue-fix-a-use-after-free-in-sys_mq_notify.patch')
| -rwxr-xr-x | meta-snowyowl/recipes-kernel/linux/files/0183-mqueue-fix-a-use-after-free-in-sys_mq_notify.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/meta-snowyowl/recipes-kernel/linux/files/0183-mqueue-fix-a-use-after-free-in-sys_mq_notify.patch b/meta-snowyowl/recipes-kernel/linux/files/0183-mqueue-fix-a-use-after-free-in-sys_mq_notify.patch new file mode 100755 index 00000000..8e6f87ea --- /dev/null +++ b/meta-snowyowl/recipes-kernel/linux/files/0183-mqueue-fix-a-use-after-free-in-sys_mq_notify.patch @@ -0,0 +1,52 @@ +From 9e08c00a65d1228febf7e9b221b5c923e14705f6 Mon Sep 17 00:00:00 2001 +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Sun, 9 Jul 2017 13:19:55 -0700 +Subject: [PATCH 049/331] mqueue: fix a use-after-free in sys_mq_notify() + +commit f991af3daabaecff34684fd51fac80319d1baad1 upstream. + +The retry logic for netlink_attachskb() inside sys_mq_notify() +is nasty and vulnerable: + +1) The sock refcnt is already released when retry is needed +2) The fd is controllable by user-space because we already + release the file refcnt + +so we when retry but the fd has been just closed by user-space +during this small window, we end up calling netlink_detachskb() +on the error path which releases the sock again, later when +the user-space closes this socket a use-after-free could be +triggered. + +Setting 'sock' to NULL here should be sufficient to fix it. + +Reported-by: GeneBlue <geneblue.mail@gmail.com> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Cc: Andrew Morton <akpm@linux-foundation.org> +Cc: Manfred Spraul <manfred@colorfullife.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com> +--- + ipc/mqueue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/ipc/mqueue.c b/ipc/mqueue.c +index 8cbd6e6..28a142f 100644 +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -1249,8 +1249,10 @@ SYSCALL_DEFINE2(mq_notify, mqd_t, mqdes, + + timeo = MAX_SCHEDULE_TIMEOUT; + ret = netlink_attachskb(sock, nc, &timeo, NULL); +- if (ret == 1) ++ if (ret == 1) { ++ sock = NULL; + goto retry; ++ } + if (ret) { + sock = NULL; + nc = NULL; +-- +2.7.4 + |