packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
This commit is contained in:
parent
dcdb404db7
commit
3b6247dba4
|
@ -257,6 +257,7 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
|
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
|
||||||
* media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
|
* media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
|
||||||
|
* packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
|
||||||
|
|
||||||
[ Uwe Kleine-König ]
|
[ Uwe Kleine-König ]
|
||||||
* [arm64] enable MMC_SDHCI_XENON and MVNETA for Espressobin and enable
|
* [arm64] enable MMC_SDHCI_XENON and MVNETA for Espressobin and enable
|
||||||
|
|
51
debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
vendored
Normal file
51
debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
vendored
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
From: Willem de Bruijn <willemb@google.com>
|
||||||
|
Date: Thu, 10 Aug 2017 12:41:58 -0400
|
||||||
|
Subject: packet: fix tp_reserve race in packet_set_ring
|
||||||
|
Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111
|
||||||
|
|
||||||
|
Updates to tp_reserve can race with reads of the field in
|
||||||
|
packet_set_ring. Avoid this by holding the socket lock during
|
||||||
|
updates in setsockopt PACKET_RESERVE.
|
||||||
|
|
||||||
|
This bug was discovered by syzkaller.
|
||||||
|
|
||||||
|
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
|
||||||
|
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||||
|
Signed-off-by: Willem de Bruijn <willemb@google.com>
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
---
|
||||||
|
net/packet/af_packet.c | 13 +++++++++----
|
||||||
|
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
|
||||||
|
index 0615c2a950fa..008a45ca3112 100644
|
||||||
|
--- a/net/packet/af_packet.c
|
||||||
|
+++ b/net/packet/af_packet.c
|
||||||
|
@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
|
||||||
|
|
||||||
|
if (optlen != sizeof(val))
|
||||||
|
return -EINVAL;
|
||||||
|
- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
|
||||||
|
- return -EBUSY;
|
||||||
|
if (copy_from_user(&val, optval, sizeof(val)))
|
||||||
|
return -EFAULT;
|
||||||
|
if (val > INT_MAX)
|
||||||
|
return -EINVAL;
|
||||||
|
- po->tp_reserve = val;
|
||||||
|
- return 0;
|
||||||
|
+ lock_sock(sk);
|
||||||
|
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
|
||||||
|
+ ret = -EBUSY;
|
||||||
|
+ } else {
|
||||||
|
+ po->tp_reserve = val;
|
||||||
|
+ ret = 0;
|
||||||
|
+ }
|
||||||
|
+ release_sock(sk);
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
case PACKET_LOSS:
|
||||||
|
{
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
|
@ -121,6 +121,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
|
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
|
||||||
bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
|
bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
|
||||||
|
bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
|
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
|
||||||
|
|
Loading…
Reference in New Issue