packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
This commit is contained in:
parent
dcdb404db7
commit
3b6247dba4
|
@ -257,6 +257,7 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
|
|||
[ Salvatore Bonaccorso ]
|
||||
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
|
||||
* media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
|
||||
* packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
|
||||
|
||||
[ Uwe Kleine-König ]
|
||||
* [arm64] enable MMC_SDHCI_XENON and MVNETA for Espressobin and enable
|
||||
|
|
51
debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
vendored
Normal file
51
debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
vendored
Normal file
|
@ -0,0 +1,51 @@
|
|||
From: Willem de Bruijn <willemb@google.com>
|
||||
Date: Thu, 10 Aug 2017 12:41:58 -0400
|
||||
Subject: packet: fix tp_reserve race in packet_set_ring
|
||||
Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111
|
||||
|
||||
Updates to tp_reserve can race with reads of the field in
|
||||
packet_set_ring. Avoid this by holding the socket lock during
|
||||
updates in setsockopt PACKET_RESERVE.
|
||||
|
||||
This bug was discovered by syzkaller.
|
||||
|
||||
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: Willem de Bruijn <willemb@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/packet/af_packet.c | 13 +++++++++----
|
||||
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
|
||||
index 0615c2a950fa..008a45ca3112 100644
|
||||
--- a/net/packet/af_packet.c
|
||||
+++ b/net/packet/af_packet.c
|
||||
@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
|
||||
|
||||
if (optlen != sizeof(val))
|
||||
return -EINVAL;
|
||||
- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
|
||||
- return -EBUSY;
|
||||
if (copy_from_user(&val, optval, sizeof(val)))
|
||||
return -EFAULT;
|
||||
if (val > INT_MAX)
|
||||
return -EINVAL;
|
||||
- po->tp_reserve = val;
|
||||
- return 0;
|
||||
+ lock_sock(sk);
|
||||
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
|
||||
+ ret = -EBUSY;
|
||||
+ } else {
|
||||
+ po->tp_reserve = val;
|
||||
+ ret = 0;
|
||||
+ }
|
||||
+ release_sock(sk);
|
||||
+ return ret;
|
||||
}
|
||||
case PACKET_LOSS:
|
||||
{
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -121,6 +121,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
|
||||
bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
|
||||
bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
|
||||
|
|
Loading…
Reference in New Issue