Applied upstream patch 84ac7260236a49c79eede91617700174c2c19b0c
("packet: fix race condition in packet_set_ring")
Change-Id: I22eb9e8dc6c2c9e9dcf1d508ab2b8fb2e713482a
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1836
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.4.35 |
5 |
-Release: 3%{?dist} |
|
5 |
+Release: 4%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -35,6 +35,8 @@ Patch19: serial-8250-do-not-probe-U6-16550A-fifo-size.patch |
35 | 35 |
Patch20: vmci-1.1.4.0-use-32bit-atomics-for-queue-headers.patch |
36 | 36 |
Patch21: vmci-1.1.5.0-doorbell-create-and-destroy-fixes.patch |
37 | 37 |
Patch22: net-9p-vsock.patch |
38 |
+#fixes CVE-2016-8655 |
|
39 |
+Patch23: net-packet-fix-race-condition-in-packet_set_ring.patch |
|
38 | 40 |
BuildRequires: bc |
39 | 41 |
BuildRequires: kbd |
40 | 42 |
BuildRequires: kmod |
... | ... |
@@ -93,6 +95,7 @@ The Linux package contains the Linux kernel doc files |
93 | 93 |
%patch20 -p1 |
94 | 94 |
%patch21 -p1 |
95 | 95 |
%patch22 -p1 |
96 |
+%patch23 -p1 |
|
96 | 97 |
|
97 | 98 |
%build |
98 | 99 |
# patch vmw_balloon driver |
... | ... |
@@ -181,6 +184,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
181 | 181 |
/usr/src/linux-headers-%{uname_r} |
182 | 182 |
|
183 | 183 |
%changelog |
184 |
+* Thu Dec 8 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.35-4 |
|
185 |
+- net-packet-fix-race-condition-in-packet_set_ring.patch |
|
186 |
+ to fix CVE-2016-8655 |
|
184 | 187 |
* Wed Nov 30 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.35-3 |
185 | 188 |
- Expand `uname -r` with release number |
186 | 189 |
- Compress modules |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.4.35 |
5 |
-Release: 2%{?dist} |
|
5 |
+Release: 3%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -30,6 +30,8 @@ Patch14: vmxnet3-1.4.8.0-segCnt-can-be-1-for-LRO-packets.patch |
30 | 30 |
#fixes CVE-2016-6187 |
31 | 31 |
Patch15: apparmor-fix-oops-validate-buffer-size-in-apparmor_setprocattr.patch |
32 | 32 |
Patch16: net-9p-vsock.patch |
33 |
+#fixes CVE-2016-8655 |
|
34 |
+Patch17: net-packet-fix-race-condition-in-packet_set_ring.patch |
|
33 | 35 |
BuildRequires: bc |
34 | 36 |
BuildRequires: kbd |
35 | 37 |
BuildRequires: kmod |
... | ... |
@@ -103,6 +105,7 @@ Kernel driver for oprofile, a statistical profiler for Linux systems |
103 | 103 |
%patch14 -p1 |
104 | 104 |
%patch15 -p1 |
105 | 105 |
%patch16 -p1 |
106 |
+%patch17 -p1 |
|
106 | 107 |
|
107 | 108 |
%build |
108 | 109 |
make mrproper |
... | ... |
@@ -223,6 +226,9 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
223 | 223 |
/lib/modules/%{uname_r}/kernel/arch/x86/oprofile/ |
224 | 224 |
|
225 | 225 |
%changelog |
226 |
+* Thu Dec 8 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.35-3 |
|
227 |
+- net-packet-fix-race-condition-in-packet_set_ring.patch |
|
228 |
+ to fix CVE-2016-8655 |
|
226 | 229 |
* Wed Nov 30 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.35-2 |
227 | 230 |
- Expand `uname -r` with release number |
228 | 231 |
- Check for build-id matching |
229 | 232 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,92 @@ |
0 |
+From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Philip Pettersson <philip.pettersson@gmail.com> |
|
2 |
+Date: Wed, 30 Nov 2016 14:55:36 -0800 |
|
3 |
+Subject: packet: fix race condition in packet_set_ring |
|
4 |
+ |
|
5 |
+When packet_set_ring creates a ring buffer it will initialize a |
|
6 |
+struct timer_list if the packet version is TPACKET_V3. This value |
|
7 |
+can then be raced by a different thread calling setsockopt to |
|
8 |
+set the version to TPACKET_V1 before packet_set_ring has finished. |
|
9 |
+ |
|
10 |
+This leads to a use-after-free on a function pointer in the |
|
11 |
+struct timer_list when the socket is closed as the previously |
|
12 |
+initialized timer will not be deleted. |
|
13 |
+ |
|
14 |
+The bug is fixed by taking lock_sock(sk) in packet_setsockopt when |
|
15 |
+changing the packet version while also taking the lock at the start |
|
16 |
+of packet_set_ring. |
|
17 |
+ |
|
18 |
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") |
|
19 |
+Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com> |
|
20 |
+Signed-off-by: Eric Dumazet <edumazet@google.com> |
|
21 |
+Signed-off-by: David S. Miller <davem@davemloft.net> |
|
22 |
+--- |
|
23 |
+ net/packet/af_packet.c | 18 ++++++++++++------ |
|
24 |
+ 1 file changed, 12 insertions(+), 6 deletions(-) |
|
25 |
+ |
|
26 |
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
|
27 |
+index d2238b2..dd23323 100644 |
|
28 |
+--- a/net/packet/af_packet.c |
|
29 |
+@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv |
|
30 |
+ |
|
31 |
+ if (optlen != sizeof(val)) |
|
32 |
+ return -EINVAL; |
|
33 |
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) |
|
34 |
+- return -EBUSY; |
|
35 |
+ if (copy_from_user(&val, optval, sizeof(val))) |
|
36 |
+ return -EFAULT; |
|
37 |
+ switch (val) { |
|
38 |
+ case TPACKET_V1: |
|
39 |
+ case TPACKET_V2: |
|
40 |
+ case TPACKET_V3: |
|
41 |
+- po->tp_version = val; |
|
42 |
+- return 0; |
|
43 |
++ break; |
|
44 |
+ default: |
|
45 |
+ return -EINVAL; |
|
46 |
+ } |
|
47 |
++ lock_sock(sk); |
|
48 |
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { |
|
49 |
++ ret = -EBUSY; |
|
50 |
++ } else { |
|
51 |
++ po->tp_version = val; |
|
52 |
++ ret = 0; |
|
53 |
++ } |
|
54 |
++ release_sock(sk); |
|
55 |
++ return ret; |
|
56 |
+ } |
|
57 |
+ case PACKET_RESERVE: |
|
58 |
+ { |
|
59 |
+@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, |
|
60 |
+ /* Added to avoid minimal code churn */ |
|
61 |
+ struct tpacket_req *req = &req_u->req; |
|
62 |
+ |
|
63 |
++ lock_sock(sk); |
|
64 |
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */ |
|
65 |
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) { |
|
66 |
+ WARN(1, "Tx-ring is not supported.\n"); |
|
67 |
+@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, |
|
68 |
+ goto out; |
|
69 |
+ } |
|
70 |
+ |
|
71 |
+- lock_sock(sk); |
|
72 |
+ |
|
73 |
+ /* Detach socket from network */ |
|
74 |
+ spin_lock(&po->bind_lock); |
|
75 |
+@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, |
|
76 |
+ if (!tx_ring) |
|
77 |
+ prb_shutdown_retire_blk_timer(po, rb_queue); |
|
78 |
+ } |
|
79 |
+- release_sock(sk); |
|
80 |
+ |
|
81 |
+ if (pg_vec) |
|
82 |
+ free_pg_vec(pg_vec, order, req->tp_block_nr); |
|
83 |
+ out: |
|
84 |
++ release_sock(sk); |
|
85 |
+ return err; |
|
86 |
+ } |
|
87 |
+ |
|
88 |
+-- |
|
89 |
+cgit v0.12 |
|
90 |
+ |