af_unix: Guard against other == sk in unix_dgram_sendmsg (regression in 4.2.6-2)

2016-02-13 00:03:31 +00:00 · 2016-02-13 00:03:31 +00:00 · 83fd76229d
parent 1c28b9c3ed
commit 83fd76229d
3 changed files with 43 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -3,6 +3,8 @@ linux (4.4.1-1) UNRELEASED; urgency=medium
  * iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812)
  * fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list() (CVE-2016-0617)
    (regression in 4.3)
+  * af_unix: Guard against other == sk in unix_dgram_sendmsg
+    (regression in 4.2.6-2)

 -- Ben Hutchings <ben@decadent.org.uk>  Fri, 12 Feb 2016 23:34:23 +0000

--- a/debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
+++ b/debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
@ -0,0 +1,40 @@
+From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Thu, 11 Feb 2016 19:37:27 +0000
+Subject: af_unix: Guard against other == sk in unix_dgram_sendmsg
+Origin: http://mid.gmane.org/87r3gj11jc.fsf_-_@doppelsaurus.mobileactivedefense.com
+
+The unix_dgram_sendmsg routine use the following test
+
+if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+
+to determine if sk and other are in an n:1 association (either
+established via connect or by using sendto to send messages to an
+unrelated socket identified by address). This isn't correct as the
+specified address could have been bound to the sending socket itself or
+because this socket could have been connected to itself by the time of
+the unix_peer_get but disconnected before the unix_state_lock(other). In
+both cases, the if-block would be entered despite other == sk which
+might either block the sender unintentionally or lead to trying to unlock
+the same spin lock twice for a non-blocking send. Add a other != sk
+check to guard against this.
+
+Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
+Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
+Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+---
+--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
+@@ -1781,7 +1781,12 @@ restart_locked:
+ 			goto out_unlock;
+ 	}
+ 
+-	if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+	/* other == sk && unix_peer(other) != sk if
+	 * - unix_peer(sk) == NULL, destination address bound to sk
+	 * - unix_peer(sk) == sk by time of get but disconnected before lock
+	 */
+	if (other != sk &&
+	    unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ 		if (timeo) {
+ 			timeo = unix_wait_for_peer(other, timeo);
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@ -119,3 +119,4 @@ bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
 bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
 bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
 bugfix/all/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
+bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch