af_unix: Guard against other == sk in unix_dgram_sendmsg (regression in 4.2.6-2)
parent 1c28b9c3ed
commit 83fd76229d
@ -3,6 +3,8 @@ linux (4.4.1-1) UNRELEASED; urgency=medium
* iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812)
* fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list() (CVE-2016-0617)
(regression in 4.3)
* af_unix: Guard against other == sk in unix_dgram_sendmsg
(regression in 4.2.6-2)

-- Ben Hutchings <ben@decadent.org.uk> Fri, 12 Feb 2016 23:34:23 +0000
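Review bot: the two added changelog lines (the `* af_unix:` entry and its `(regression in 4.2.6-2)` continuation) name the regression but not its effect, and unlike the sibling entries they carry no CVE id or other reference a user could search for. Suggest stating the upstream target and the symptom on the continuation line, along the lines of `(regression in 4.2.6-2; fixes a hang or double spin-lock unlock when a datagram is sent to the sending socket itself)`, taken from the `Fixes: 7d267278a9ec` header and the description in the patch itself.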
40
debian/patches/bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
vendored
Normal file
@ -0,0 +1,40 @@
From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Date: Thu, 11 Feb 2016 19:37:27 +0000
Subject: af_unix: Guard against other == sk in unix_dgram_sendmsg
Origin: http://mid.gmane.org/87r3gj11jc.fsf_-_@doppelsaurus.mobileactivedefense.com

The unix_dgram_sendmsg routine use the following test

if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {

to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add a other != sk
check to guard against this.

Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
---
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1781,7 +1781,12 @@ restart_locked:
goto out_unlock;
}

- if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ /* other == sk && unix_peer(other) != sk if
+ * - unix_peer(sk) == NULL, destination address bound to sk
+ * - unix_peer(sk) == sk by time of get but disconnected before lock
+ */
+ if (other != sk &&
+ unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
if (timeo) {
timeo = unix_wait_for_peer(other, timeo);
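Review bot: the added `other != sk &&` guard skips the receive-queue-full block when a socket sends to itself, which is what the description asks for, but the hunk ends at `timeo = unix_wait_for_peer(other, timeo);` and does not show the unlock paths the description says were reached twice; confirm that the code after the guarded block (outside this hunk) releases the single lock held when other == sk exactly once, since the description attributes the double unlock to the non-blocking path inside the block that is now skipped, and a reviewer cannot see from these lines whether any later path unlocks both `other` and `sk`. On the header: `Origin:` points at a gmane message id, so once the fix is merged upstream the Debian patch header should be updated to the upstream commit id so the backport can be dropped at the next stable merge.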
@ -119,3 +119,4 @@ bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
bugfix/all/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
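Review bot: appending `bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch` at the end of the bugfix/all list keeps series in the same order as the changelog, which is fine; since the patch fixes 7d267278a9ec (the `Fixes:` target in its header, which the changelog says reached this package in 4.2.6-2), check that no other patch in series touching net/unix/af_unix.c is ordered after this one, otherwise the `@@ -1781,7 +1781,12 @@` hunk may need an offset or fuzz to apply.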