author    Ben Hutchings <ben@decadent.org.uk>  2016-02-13 00:03:31 +0000
committer Ben Hutchings <ben@decadent.org.uk>  2016-02-13 00:23:18 +0000
commit    83fd76229dc4858d38336f994a032a2f317dc86d (patch)
tree      56ae25dc49cb996c9c4551b8d9eb08877f25bc74
parent    1c28b9c3ed679bb8f46bd9ff0449bee8fafe0869 (diff)
af_unix: Guard against other == sk in unix_dgram_sendmsg (regression in 4.2.6-2)
-rw-r--r--  debian/changelog                                                                    |  2
-rw-r--r--  debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch | 40
-rw-r--r--  debian/patches/series                                                               |  1
3 files changed, 43 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 592e06bcc4c7..18a50f8650e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ linux (4.4.1-1) UNRELEASED; urgency=medium
* iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812)
* fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list() (CVE-2016-0617)
(regression in 4.3)
+ * af_unix: Guard against other == sk in unix_dgram_sendmsg
+ (regression in 4.2.6-2)
-- Ben Hutchings <ben@decadent.org.uk> Fri, 12 Feb 2016 23:34:23 +0000
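Review bot: The new changelog entry names the regression only by Debian version ("regression in 4.2.6-2") while the patch it introduces carries a "Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")" tag; consider mentioning that earlier change in the entry, since that is the patch 4.2.6-2 shipped and the one users will search for when the symptom (a blocking send to the socket's own address hanging, or a non-blocking one unlocking the same spinlock twice) appears. The neighbouring entries show the convention: the hugetlbfs line above gives both the regression origin and, where one exists, the CVE.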
diff --git a/debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch b/debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
new file mode 100644
index 000000000000..c61eaf6be63d
--- /dev/null
+++ b/debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
@@ -0,0 +1,40 @@
+From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Thu, 11 Feb 2016 19:37:27 +0000
+Subject: af_unix: Guard against other == sk in unix_dgram_sendmsg
+Origin: http://mid.gmane.org/87r3gj11jc.fsf_-_@doppelsaurus.mobileactivedefense.com
+
+The unix_dgram_sendmsg routine use the following test
+
+if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+
+to determine if sk and other are in an n:1 association (either
+established via connect or by using sendto to send messages to an
+unrelated socket identified by address). This isn't correct as the
+specified address could have been bound to the sending socket itself or
+because this socket could have been connected to itself by the time of
+the unix_peer_get but disconnected before the unix_state_lock(other). In
+both cases, the if-block would be entered despite other == sk which
+might either block the sender unintentionally or lead to trying to unlock
+the same spin lock twice for a non-blocking send. Add a other != sk
+check to guard against this.
+
+Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
+Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
+Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+---
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1781,7 +1781,12 @@ restart_locked:
+ goto out_unlock;
+ }
+
+- if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
++ /* other == sk && unix_peer(other) != sk if
++ * - unix_peer(sk) == NULL, destination address bound to sk
++ * - unix_peer(sk) == sk by time of get but disconnected before lock
++ */
++ if (other != sk &&
++ unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ if (timeo) {
+ timeo = unix_wait_for_peer(other, timeo);
+
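Review bot: The "Origin:" header points at a mailing-list message (http://mid.gmane.org/87r3gj11jc.fsf_-_@doppelsaurus.mobileactivedefense.com) rather than an upstream commit, so this is a pre-merge backport; once the change lands upstream the header should be updated to the final commit id so the patch can be dropped on the next stable import. On the logic: placing "other != sk &&" in front of the existing "unlikely(unix_peer(other) != sk && unix_recvq_full(other))" short-circuits the whole block for the two self-send cases the comment enumerates, which is what the description asks for; it also means a socket whose destination resolves to itself no longer reaches unix_wait_for_peer() or the unlock inside that block at all, so the double-unlock on the non-blocking path is closed by construction rather than by a later check. Minor wording in the embedded description, if it is ever regenerated from upstream: "routine use the following test" should read "uses", and "a other != sk check" should read "an other != sk check"; "Reported-By" is also usually spelled "Reported-by".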
diff --git a/debian/patches/series b/debian/patches/series
index 67785b41dc48..499c27d1fba4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,3 +119,4 @@ bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
bugfix/all/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
+bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch