new file mode 100644

@@ -0,0 +1,115 @@

+KASAN has found use-after-free in sockfs_setattr.

+The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close()

+and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore

+that crypto module forgets to set the sk to NULL after af_alg_release.

+

+KASAN report details as below:

+BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150

+Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186

+

+CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1

+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

+1.10.2-1ubuntu1 04/01/2014

+Call Trace:

+ dump_stack+0xca/0x13e

+ print_address_description+0x79/0x330

+ ? vprintk_func+0x5e/0xf0

+ kasan_report+0x18a/0x2e0

+ ? sockfs_setattr+0x120/0x150

+ sockfs_setattr+0x120/0x150

+ ? sock_register+0x2d0/0x2d0

+ notify_change+0x90c/0xd40

+ ? chown_common+0x2ef/0x510

+ chown_common+0x2ef/0x510

+ ? chmod_common+0x3b0/0x3b0

+ ? __lock_is_held+0xbc/0x160

+ ? __sb_start_write+0x13d/0x2b0

+ ? __mnt_want_write+0x19a/0x250

+ do_fchownat+0x15c/0x190

+ ? __ia32_sys_chmod+0x80/0x80

+ ? trace_hardirqs_on_thunk+0x1a/0x1c

+ __x64_sys_fchownat+0xbf/0x160

+ ? lockdep_hardirqs_on+0x39a/0x5e0

+ do_syscall_64+0xc8/0x580

+ entry_SYSCALL_64_after_hwframe+0x49/0xbe

+RIP: 0033:0x462589

+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89

+f7 48 89 d6 48 89

+ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3

+48 c7 c1 bc ff ff

+ff f7 d8 64 89 01 48

+RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104

+RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589

+RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007

+RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000

+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc

+R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff

+

+Allocated by task 4185:

+ kasan_kmalloc+0xa0/0xd0

+ __kmalloc+0x14a/0x350

+ sk_prot_alloc+0xf6/0x290

+ sk_alloc+0x3d/0xc00

+ af_alg_accept+0x9e/0x670

+ hash_accept+0x4a3/0x650

+ __sys_accept4+0x306/0x5c0

+ __x64_sys_accept4+0x98/0x100

+ do_syscall_64+0xc8/0x580

+ entry_SYSCALL_64_after_hwframe+0x49/0xbe

+

+Freed by task 4184:

+ __kasan_slab_free+0x12e/0x180

+ kfree+0xeb/0x2f0

+ __sk_destruct+0x4e6/0x6a0

+ sk_destruct+0x48/0x70

+ __sk_free+0xa9/0x270

+ sk_free+0x2a/0x30

+ af_alg_release+0x5c/0x70

+ __sock_release+0xd3/0x280

+ sock_close+0x1a/0x20

+ __fput+0x27f/0x7f0

+ task_work_run+0x136/0x1b0

+ exit_to_usermode_loop+0x1a7/0x1d0

+ do_syscall_64+0x461/0x580

+ entry_SYSCALL_64_after_hwframe+0x49/0xbe

+

+Syzkaller reproducer:

+r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,

+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,

+0xffffffffffffffff, 0x0)

+r1 = socket$alg(0x26, 0x5, 0x0)

+getrusage(0x0, 0x0)

+bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,

+'sha256-ssse3\x00'}, 0x80)

+r2 = accept(r1, 0x0, 0x0)

+r3 = accept4$unix(r2, 0x0, 0x0, 0x0)

+r4 = dup3(r3, r0, 0x0)

+fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)

+

+Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()")

+Signed-off-by: Mao Wenan <maowenan@huawei.com>

+---

+ crypto/af_alg.c | 4 +++-

+ 1 file changed, 3 insertions(+), 1 deletion(-)

+

+diff --git a/crypto/af_alg.c b/crypto/af_alg.c

+index 17eb09d..ec78a04 100644

+--- a/crypto/af_alg.c

+@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private)

+ 

+ int af_alg_release(struct socket *sock)

+ {

+-	if (sock->sk)

++	if (sock->sk) {

+ 		sock_put(sock->sk);

++		sock->sk = NULL;

++	}

+ 	return 0;

+ }

+ EXPORT_SYMBOL_GPL(af_alg_release);

+-- 

+2.7.4

+

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-aws

 Version:        4.9.154

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -61,7 +61,8 @@ Patch45:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

 Patch46:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

 Patch47:        0002-xfs-verify-dinode-header-first.patch

 Patch48:        0003-xfs-enhance-dinode-verifier.patch

-

+#Fix CVE-2019-8912

+Patch49:        fix_use_after_free_in_sockfs_setattr.patch

 # Out-of-tree patches from AppArmor:

 Patch71: 0001-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch

 Patch72: 0002-apparmor-Fix-quieting-of-audit-messages-for-network-.patch

@@ -225,6 +226,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch46 -p1

 %patch47 -p1

 %patch48 -p1

+%patch49 -p1

 %patch71 -p1

 %patch72 -p1

@@ -434,6 +436,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Thu Feb 21 2019 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.9.154-2

+-   Fix CVE-2019-8912

 *   Mon Feb 04 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-1

 -   Update to version 4.9.154

 *   Tue Jan 15 2019 Alexey Makhalov <amakhalov@vmware.com> 4.9.140-2

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-esx

 Version:        4.9.154

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -57,6 +57,8 @@ Patch45:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

 Patch46:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

 Patch47:        0002-xfs-verify-dinode-header-first.patch

 Patch48:        0003-xfs-enhance-dinode-verifier.patch

+#Fix CVE-2019-8912

+Patch49:        fix_use_after_free_in_sockfs_setattr.patch

 BuildRequires: bc

 BuildRequires: kbd

@@ -132,7 +134,7 @@ The Linux package contains the Linux kernel doc files

 %patch46 -p1

 %patch47 -p1

 %patch48 -p1

-

+%patch49 -p1

 %build

@@ -227,6 +229,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Thu Feb 21 2019 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.9.154-2

+-   Fix CVE-2019-8912

 *   Mon Feb 04 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-1

 -   Update to version 4.9.154

 *   Tue Jan 08 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.9.140-3

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.9.154

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -67,6 +67,8 @@ Patch47:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

 Patch48:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

 Patch49:        0002-xfs-verify-dinode-header-first.patch

 Patch50:        0003-xfs-enhance-dinode-verifier.patch

+#Fix CVE-2019-8912

+Patch51:        fix_use_after_free_in_sockfs_setattr.patch

 # Out-of-tree patches from AppArmor:

 Patch71: 0001-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch

@@ -191,7 +193,7 @@ EOF

 %patch48 -p1

 %patch49 -p1

 %patch50 -p1

-

+%patch51 -p1

 %patch71 -p1

 %patch72 -p1

@@ -325,6 +327,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Thu Feb 21 2019 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.9.154-2

+-   Fix CVE-2019-8912

 *   Mon Feb 04 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-1

 -   Update to version 4.9.154

 *   Tue Jan 15 2019 Alexey Makhalov <amakhalov@vmware.com> 4.9.140-3

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:        4.9.154

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -74,12 +74,15 @@ Patch53:        0003_PCI_hv_Use_vPCI_protocol_version_1.2_v4.9.patch

 # HyperV PCI patches to solve IRQ no handler problem

 Patch54:        0004-PCI-hv-Use-effective-affinity-mask.patch

 Patch55:        0005-x86-irq-implement-irq_data_get_effective_affinity.patch

+#Fix CVE-2019-8912

+Patch56:        fix_use_after_free_in_sockfs_setattr.patch

 # Out-of-tree patches from AppArmor:

 Patch71: 0001-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch

 Patch72: 0002-apparmor-Fix-quieting-of-audit-messages-for-network-.patch

 Patch73: 0003-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch

+

 %if 0%{?kat_build:1}

 Patch1000:	%{kat_build}.patch

 %endif

@@ -197,6 +200,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch53 -p1

 %patch54 -p1

 %patch55 -p1

+%patch56 -p1

 %patch71 -p1

 %patch72 -p1

@@ -371,6 +375,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Thu Feb 21 2019 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.9.154-2

+-   Fix CVE-2019-8912

 *   Mon Feb 04 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-1

 -   Update to version 4.9.154

 *   Wed Jan 23 2019 Ajay Kaher <akaher@vmware.com> 4.9.140-6