From 9934d254dadbda3ac89e0842669a65109788ae92 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Tue, 11 Oct 2016 00:47:36 +0200
Subject: [PATCH] kernel: add fix for CVE-2016-7117

This probably doesn't affect Gluon as nothing is using recvmmsg, but it's still a good idea to get this fixed ASAP.
---
 ...076-kernel-add-fix-for-CVE-2016-7117.patch | 105 ++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 patches/openwrt/0076-kernel-add-fix-for-CVE-2016-7117.patch

diff --git a/patches/openwrt/0076-kernel-add-fix-for-CVE-2016-7117.patch b/patches/openwrt/0076-kernel-add-fix-for-CVE-2016-7117.patch
new file mode 100644
index 00000000..18e6c238
--- /dev/null
+++ b/patches/openwrt/0076-kernel-add-fix-for-CVE-2016-7117.patch
@@ -0,0 +1,105 @@
+From: Matthias Schiffer
+Date: Tue, 11 Oct 2016 00:46:56 +0200
+Subject: kernel: add fix for CVE-2016-7117
+
+diff --git a/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch b/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch
+new file mode 100644
+index 0000000..98da375
+--- /dev/null
++++ b/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch
+@@ -0,0 +1,95 @@
++From cdd1fd36f4b67d9fdbeb1a4d16025192d44a3e8b Mon Sep 17 00:00:00 2001
++Message-Id:
++From: Arnaldo Carvalho de Melo
++Date: Mon, 14 Mar 2016 09:56:35 -0300
++Subject: [PATCH] net: Fix use after free in the recvmmsg exit path
++
++[ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ]
++
++The syzkaller fuzzer hit the following use-after-free:
++
++ Call Trace:
++ [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
++ [] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
++ [< inline >] SYSC_recvmmsg net/socket.c:2281
++ [] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
++ [] entry_SYSCALL_64_fastpath+0x16/0x7a
++ arch/x86/entry/entry_64.S:185
++
++And, as Dmitry rightly assessed, that is because we can drop the
++reference and then touch it when the underlying recvmsg calls return
++some packets and then hit an error, which will make recvmmsg to set
++sock->sk->sk_err, oops, fix it.
++
++Reported-and-Tested-by: Dmitry Vyukov
++Cc: Alexander Potapenko
++Cc: Eric Dumazet
++Cc: Kostya Serebryany
++Cc: Sasha Levin
++Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
++http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
++Signed-off-by: Arnaldo Carvalho de Melo
++Signed-off-by: David S. Miller
++Signed-off-by: Sasha Levin
++---
++ net/socket.c | 38 +++++++++++++++++++-------------------
++ 1 file changed, 19 insertions(+), 19 deletions(-)
++
++diff --git a/net/socket.c b/net/socket.c
++index 02fc7c8..7f61789 100644
++--- a/net/socket.c
+++++ b/net/socket.c
++@@ -2410,31 +2410,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
++ break;
++ }
++ 
++-out_put:
++- fput_light(sock->file, fput_needed);
++-
++ if (err == 0)
++- return datagrams;
+++ goto out_put;
++ 
++- if (datagrams != 0) {
+++ if (datagrams == 0) {
+++ datagrams = err;
+++ goto out_put;
+++ }
+++
+++ /*
+++ * We may return less entries than requested (vlen) if the
+++ * sock is non block and there aren't enough datagrams...
+++ */
+++ if (err != -EAGAIN) {
++ /*
++- * We may return less entries than requested (vlen) if the
++- * sock is non block and there aren't enough datagrams...
+++ * ... or if recvmsg returns an error after we
+++ * received some datagrams, where we record the
+++ * error to return on the next call or if the
+++ * app asks about it using getsockopt(SO_ERROR).
++ */
++- if (err != -EAGAIN) {
++- /*
++- * ... or if recvmsg returns an error after we
++- * received some datagrams, where we record the
++- * error to return on the next call or if the
++- * app asks about it using getsockopt(SO_ERROR).
++- */
++- sock->sk->sk_err = -err;
++- }
++-
++- return datagrams;
+++ sock->sk->sk_err = -err;
++ }
+++out_put:
+++ fput_light(sock->file, fput_needed);
++ 
++- return err;
+++ return datagrams;
++ }
++ 
++ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
++-- 
++2.10.0
++
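Review bot: The backport lands only in `target/linux/generic/patches-3.18/`, so it covers just targets built on the 3.18 series; if any target in this OpenWrt tree is on a different kernel version (not visible from this diff), that series' generic patch directory needs the same fix as well. The new-side logic of the net/socket.c hunk matches the upstream change: every exit now reaches `out_put:` via `goto`, so `sock->sk->sk_err = -err;` is written before `fput_light()` drops the file reference, and `datagrams` carries either the count or the recorded error code; `__sys_recvmmsg` itself begins before the hunk. One caveat on the rationale in the commit message: recvmmsg is a syscall reachable from any local unprivileged process, so the kernel is exposed whether or not Gluon's own userspace calls it, and I would state that in the patch header, e.g. `Subject: kernel: add fix for CVE-2016-7117 (recvmmsg use-after-free, reachable by any local process)`.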