From: Matthias Schiffer Date: Tue, 11 Oct 2016 00:46:56 +0200 Subject: kernel: add fix for CVE-2016-7117 diff --git a/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch b/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch new file mode 100644 index 0000000..98da375 --- /dev/null +++ b/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch @@ -0,0 +1,95 @@ +From cdd1fd36f4b67d9fdbeb1a4d16025192d44a3e8b Mon Sep 17 00:00:00 2001 +Message-Id: +From: Arnaldo Carvalho de Melo +Date: Mon, 14 Mar 2016 09:56:35 -0300 +Subject: [PATCH] net: Fix use after free in the recvmmsg exit path + +[ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ] + +The syzkaller fuzzer hit the following use-after-free: + + Call Trace: + [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295 + [] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261 + [< inline >] SYSC_recvmmsg net/socket.c:2281 + [] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270 + [] entry_SYSCALL_64_fastpath+0x16/0x7a + arch/x86/entry/entry_64.S:185 + +And, as Dmitry rightly assessed, that is because we can drop the +reference and then touch it when the underlying recvmsg calls return +some packets and then hit an error, which will make recvmmsg to set +sock->sk->sk_err, oops, fix it. + +Reported-and-Tested-by: Dmitry Vyukov +Cc: Alexander Potapenko +Cc: Eric Dumazet +Cc: Kostya Serebryany +Cc: Sasha Levin +Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall") +http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/socket.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/net/socket.c b/net/socket.c +index 02fc7c8..7f61789 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -2410,31 +2410,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, + break; + } + +-out_put: +- fput_light(sock->file, fput_needed); +- + if (err == 0) +- return datagrams; ++ goto out_put; + +- if (datagrams != 0) { ++ if (datagrams == 0) { ++ datagrams = err; ++ goto out_put; ++ } ++ ++ /* ++ * We may return less entries than requested (vlen) if the ++ * sock is non block and there aren't enough datagrams... ++ */ ++ if (err != -EAGAIN) { + /* +- * We may return less entries than requested (vlen) if the +- * sock is non block and there aren't enough datagrams... ++ * ... or if recvmsg returns an error after we ++ * received some datagrams, where we record the ++ * error to return on the next call or if the ++ * app asks about it using getsockopt(SO_ERROR). + */ +- if (err != -EAGAIN) { +- /* +- * ... or if recvmsg returns an error after we +- * received some datagrams, where we record the +- * error to return on the next call or if the +- * app asks about it using getsockopt(SO_ERROR). +- */ +- sock->sk->sk_err = -err; +- } +- +- return datagrams; ++ sock->sk->sk_err = -err; + } ++out_put: ++ fput_light(sock->file, fput_needed); + +- return err; ++ return datagrams; + } + + SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, +-- +2.10.0 +