@@ -2,7 +2,7 @@

 Summary:       Kernel

 Name:          linux-esx

 Version:       4.4.35

-Release:       3%{?dist}

+Release:       4%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

@@ -35,6 +35,8 @@ Patch19:       serial-8250-do-not-probe-U6-16550A-fifo-size.patch

 Patch20:       vmci-1.1.4.0-use-32bit-atomics-for-queue-headers.patch

 Patch21:       vmci-1.1.5.0-doorbell-create-and-destroy-fixes.patch

 Patch22:       net-9p-vsock.patch

+#fixes CVE-2016-8655

+Patch23:       net-packet-fix-race-condition-in-packet_set_ring.patch

 BuildRequires: bc

 BuildRequires: kbd

 BuildRequires: kmod

@@ -93,6 +95,7 @@ The Linux package contains the Linux kernel doc files

 %patch20 -p1

 %patch21 -p1

 %patch22 -p1

+%patch23 -p1

 %build

 # patch vmw_balloon driver

@@ -181,6 +184,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Thu Dec  8 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.35-4

+-   net-packet-fix-race-condition-in-packet_set_ring.patch

+    to fix CVE-2016-8655

 *   Wed Nov 30 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.35-3

 -   Expand `uname -r` with release number

 -   Compress modules

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:    	4.4.35

-Release:    	2%{?dist}

+Release:    	3%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -30,6 +30,8 @@ Patch14:        vmxnet3-1.4.8.0-segCnt-can-be-1-for-LRO-packets.patch

 #fixes CVE-2016-6187

 Patch15:        apparmor-fix-oops-validate-buffer-size-in-apparmor_setprocattr.patch

 Patch16:        net-9p-vsock.patch

+#fixes CVE-2016-8655

+Patch17:       net-packet-fix-race-condition-in-packet_set_ring.patch

 BuildRequires:  bc

 BuildRequires:  kbd

 BuildRequires:  kmod

@@ -103,6 +105,7 @@ Kernel driver for oprofile, a statistical profiler for Linux systems

 %patch14 -p1

 %patch15 -p1

 %patch16 -p1

+%patch17 -p1

 %build

 make mrproper

@@ -223,6 +226,9 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /lib/modules/%{uname_r}/kernel/arch/x86/oprofile/

 %changelog

+*   Thu Dec  8 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.35-3

+-   net-packet-fix-race-condition-in-packet_set_ring.patch

+    to fix CVE-2016-8655

 *   Wed Nov 30 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.35-2

 -   Expand `uname -r` with release number

 -   Check for build-id matching

new file mode 100644

@@ -0,0 +1,92 @@

+From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001

+From: Philip Pettersson <philip.pettersson@gmail.com>

+Date: Wed, 30 Nov 2016 14:55:36 -0800

+Subject: packet: fix race condition in packet_set_ring

+

+When packet_set_ring creates a ring buffer it will initialize a

+struct timer_list if the packet version is TPACKET_V3. This value

+can then be raced by a different thread calling setsockopt to

+set the version to TPACKET_V1 before packet_set_ring has finished.

+

+This leads to a use-after-free on a function pointer in the

+struct timer_list when the socket is closed as the previously

+initialized timer will not be deleted.

+

+The bug is fixed by taking lock_sock(sk) in packet_setsockopt when

+changing the packet version while also taking the lock at the start

+of packet_set_ring.

+

+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")

+Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>

+Signed-off-by: Eric Dumazet <edumazet@google.com>

+Signed-off-by: David S. Miller <davem@davemloft.net>

+---

+ net/packet/af_packet.c | 18 ++++++++++++------

+ 1 file changed, 12 insertions(+), 6 deletions(-)

+

+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c

+index d2238b2..dd23323 100644

+--- a/net/packet/af_packet.c

+@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv

+ 

+ 		if (optlen != sizeof(val))

+ 			return -EINVAL;

+-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)

+-			return -EBUSY;

+ 		if (copy_from_user(&val, optval, sizeof(val)))

+ 			return -EFAULT;

+ 		switch (val) {

+ 		case TPACKET_V1:

+ 		case TPACKET_V2:

+ 		case TPACKET_V3:

+-			po->tp_version = val;

+-			return 0;

++			break;

+ 		default:

+ 			return -EINVAL;

+ 		}

++		lock_sock(sk);

++		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {

++			ret = -EBUSY;

++		} else {

++			po->tp_version = val;

++			ret = 0;

++		}

++		release_sock(sk);

++		return ret;

+ 	}

+ 	case PACKET_RESERVE:

+ 	{

+@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,

+ 	/* Added to avoid minimal code churn */

+ 	struct tpacket_req *req = &req_u->req;

+ 

++	lock_sock(sk);

+ 	/* Opening a Tx-ring is NOT supported in TPACKET_V3 */

+ 	if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {

+ 		WARN(1, "Tx-ring is not supported.\n");

+@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,

+ 			goto out;

+ 	}

+ 

+-	lock_sock(sk);

+ 

+ 	/* Detach socket from network */

+ 	spin_lock(&po->bind_lock);

+@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,

+ 		if (!tx_ring)

+ 			prb_shutdown_retire_blk_timer(po, rb_queue);

+ 	}

+-	release_sock(sk);

+ 

+ 	if (pg_vec)

+ 		free_pg_vec(pg_vec, order, req->tp_block_nr);

+ out:

++	release_sock(sk);

+ 	return err;

+ }

+ 

+-- 

+cgit v0.12

+