net: CVE-2019-11815

net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock(). References: https://nvd.nist.gov/vuln/detail/CVE-2019-11815 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=a1aa69beac4d88dfb892a95ee04fe6f932803952 Change-Id: Idd83d9a8e84f1560a660dc028d6fc191efad8927 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 14:49:36 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 11:00:08 +0200
commit: 76aa6326232ccf2250cc2981fce1715613b071c8 (patch)
tree: 907a2ae57ee54de915a57a213b50d89f9dd8413b
parent: ecdba6d66029ed38ea9711953b9b47e785fa38b7 (diff)
download: enea-kernel-cache-76aa6326232ccf2250cc2981fce1715613b071c8.tar.gz
2 files changed, 155 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 771e9b7..6259efc 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -72,3 +72,6 @@ patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
 #CVEs fixed in 4.9.163:
 patch CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch
+#CVEs fixed in 4.9.169:
+patch CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
diff --git a/patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch b/patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
new file mode 100644
index 0000000..aba1d1c
--- /dev/null
+++ b/patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
@@ -0,0 +1,152 @@
+From a1aa69beac4d88dfb892a95ee04fe6f932803952 Mon Sep 17 00:00:00 2001
+From: Mao Wenan <maowenan@huawei.com>
+Date: Thu, 28 Mar 2019 17:10:56 +0800
+Subject: [PATCH] net: rds: force to destroy connection if t_sock is NULL in
+ rds_tcp_kill_sock().
+[ Upstream commit cb66ddd156203daefb8d71158036b27b0e2caf63 ]
+When it is to cleanup net namespace, rds_tcp_exit_net() will call
+rds_tcp_kill_sock(), if t_sock is NULL, it will not call
+rds_conn_destroy(), rds_conn_path_destroy() and rds_tcp_conn_free() to free
+connection, and the worker cp_conn_w is not stopped, afterwards the net is freed in
+net_drop_ns(); While cp_conn_w rds_connect_worker() will call rds_tcp_conn_path_connect()
+and reference 'net' which has already been freed.
+In rds_tcp_conn_path_connect(), rds_tcp_set_callbacks() will set t_sock = sock before
+sock->ops->connect, but if connect() is failed, it will call
+rds_tcp_restore_callbacks() and set t_sock = NULL, if connect is always
+failed, rds_connect_worker() will try to reconnect all the time, so
+rds_tcp_kill_sock() will never to cancel worker cp_conn_w and free the
+connections.
+Therefore, the condition !tc->t_sock is not needed if it is going to do
+cleanup_net->rds_tcp_exit_net->rds_tcp_kill_sock, because tc->t_sock is always
+NULL, and there is on other path to cancel cp_conn_w and free
+connection. So this patch is to fix this.
+rds_tcp_kill_sock():
+...
+if (net != c_net || !tc->t_sock)
+...
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+==================================================================
+BUG: KASAN: use-after-free in inet_create+0xbcc/0xd28
+net/ipv4/af_inet.c:340
+Read of size 4 at addr ffff8003496a4684 by task kworker/u8:4/3721
+CPU: 3 PID: 3721 Comm: kworker/u8:4 Not tainted 5.1.0 #11
+Hardware name: linux,dummy-virt (DT)
+Workqueue: krdsd rds_connect_worker
+Call trace:
+ dump_backtrace+0x0/0x3c0 arch/arm64/kernel/time.c:53
+ show_stack+0x28/0x38 arch/arm64/kernel/traps.c:152
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x120/0x188 lib/dump_stack.c:113
+ print_address_description+0x68/0x278 mm/kasan/report.c:253
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x21c/0x348 mm/kasan/report.c:409
+ __asan_report_load4_noabort+0x30/0x40 mm/kasan/report.c:429
+ inet_create+0xbcc/0xd28 net/ipv4/af_inet.c:340
+ __sock_create+0x4f8/0x770 net/socket.c:1276
+ sock_create_kern+0x50/0x68 net/socket.c:1322
+ rds_tcp_conn_path_connect+0x2b4/0x690 net/rds/tcp_connect.c:114
+ rds_connect_worker+0x108/0x1d0 net/rds/threads.c:175
+ process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
+ worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
+ kthread+0x2f0/0x378 kernel/kthread.c:255
+ ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
+Allocated by task 687:
+ save_stack mm/kasan/kasan.c:448 [inline]
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xd4/0x180 mm/kasan/kasan.c:553
+ kasan_slab_alloc+0x14/0x20 mm/kasan/kasan.c:490
+ slab_post_alloc_hook mm/slab.h:444 [inline]
+ slab_alloc_node mm/slub.c:2705 [inline]
+ slab_alloc mm/slub.c:2713 [inline]
+ kmem_cache_alloc+0x14c/0x388 mm/slub.c:2718
+ kmem_cache_zalloc include/linux/slab.h:697 [inline]
+ net_alloc net/core/net_namespace.c:384 [inline]
+ copy_net_ns+0xc4/0x2d0 net/core/net_namespace.c:424
+ create_new_namespaces+0x300/0x658 kernel/nsproxy.c:107
+ unshare_nsproxy_namespaces+0xa0/0x198 kernel/nsproxy.c:206
+ ksys_unshare+0x340/0x628 kernel/fork.c:2577
+ __do_sys_unshare kernel/fork.c:2645 [inline]
+ __se_sys_unshare kernel/fork.c:2643 [inline]
+ __arm64_sys_unshare+0x38/0x58 kernel/fork.c:2643
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
+ el0_svc_common+0x168/0x390 arch/arm64/kernel/syscall.c:83
+ el0_svc_handler+0x60/0xd0 arch/arm64/kernel/syscall.c:129
+ el0_svc+0x8/0xc arch/arm64/kernel/entry.S:960
+Freed by task 264:
+ save_stack mm/kasan/kasan.c:448 [inline]
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x114/0x220 mm/kasan/kasan.c:521
+ kasan_slab_free+0x10/0x18 mm/kasan/kasan.c:528
+ slab_free_hook mm/slub.c:1370 [inline]
+ slab_free_freelist_hook mm/slub.c:1397 [inline]
+ slab_free mm/slub.c:2952 [inline]
+ kmem_cache_free+0xb8/0x3a8 mm/slub.c:2968
+ net_free net/core/net_namespace.c:400 [inline]
+ net_drop_ns.part.6+0x78/0x90 net/core/net_namespace.c:407
+ net_drop_ns net/core/net_namespace.c:406 [inline]
+ cleanup_net+0x53c/0x6d8 net/core/net_namespace.c:569
+ process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
+ worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
+ kthread+0x2f0/0x378 kernel/kthread.c:255
+ ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
+The buggy address belongs to the object at ffff8003496a3f80
+ which belongs to the cache net_namespace of size 7872
+The buggy address is located 1796 bytes inside of
+ 7872-byte region [ffff8003496a3f80, ffff8003496a5e40)
+The buggy address belongs to the page:
+page:ffff7e000d25a800 count:1 mapcount:0 mapping:ffff80036ce4b000
+index:0x0 compound_mapcount: 0
+flags: 0xffffe0000008100(slab|head)
+raw: 0ffffe0000008100 dead000000000100 dead000000000200 ffff80036ce4b000
+raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+Memory state around the buggy address:
+ ffff8003496a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8003496a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8003496a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                   ^
+ ffff8003496a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8003496a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+CVE: CVE-2019-11815
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=a1aa69beac4d88dfb892a95ee04fe6f932803952]
+Fixes: 467fa15356ac("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/rds/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/net/rds/tcp.c b/net/rds/tcp.c
+index d36effbf7614..2daba5316caa 100644
+--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
+@@ -527,7 +527,7 @@ static void rds_tcp_kill_sock(struct net *net)
+        list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
+                struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
+ 
+-               if (net != c_net || !tc->t_sock)
+               if (net != c_net)
+                        continue;
+                if (!list_has_conn(&tmp_list, tc->t_cpath->cp_conn)) {
+                        list_move_tail(&tc->t_tcp_node, &tmp_list);
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 14:49:36 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-07-12 11:00:08 +0200
commit	76aa6326232ccf2250cc2981fce1715613b071c8 (patch)
tree	907a2ae57ee54de915a57a213b50d89f9dd8413b
parent	ecdba6d66029ed38ea9711953b9b47e785fa38b7 (diff)
download	enea-kernel-cache-76aa6326232ccf2250cc2981fce1715613b071c8.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 771e9b7..6259efc 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -72,3 +72,6 @@ patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
72		72
73	#CVEs fixed in 4.9.163:	73	#CVEs fixed in 4.9.163:
74	patch CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch	74	patch CVE-2019-8980-exec-Fix-mem-leak-in-kernel_read_file.patch
		75
		76	#CVEs fixed in 4.9.169:
		77	patch CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch


diff --git a/patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch b/patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch new file mode 100644 index 0000000..aba1d1c --- /dev/null +++ b/patches/cve/CVE-2019-11815-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
@@ -0,0 +1,152 @@
		1	From a1aa69beac4d88dfb892a95ee04fe6f932803952 Mon Sep 17 00:00:00 2001
		2	From: Mao Wenan <maowenan@huawei.com>
		3	Date: Thu, 28 Mar 2019 17:10:56 +0800
		4	Subject: [PATCH] net: rds: force to destroy connection if t_sock is NULL in
		5	rds_tcp_kill_sock().
		6
		7	[ Upstream commit cb66ddd156203daefb8d71158036b27b0e2caf63 ]
		8
		9	When it is to cleanup net namespace, rds_tcp_exit_net() will call
		10	rds_tcp_kill_sock(), if t_sock is NULL, it will not call
		11	rds_conn_destroy(), rds_conn_path_destroy() and rds_tcp_conn_free() to free
		12	connection, and the worker cp_conn_w is not stopped, afterwards the net is freed in
		13	net_drop_ns(); While cp_conn_w rds_connect_worker() will call rds_tcp_conn_path_connect()
		14	and reference 'net' which has already been freed.
		15
		16	In rds_tcp_conn_path_connect(), rds_tcp_set_callbacks() will set t_sock = sock before
		17	sock->ops->connect, but if connect() is failed, it will call
		18	rds_tcp_restore_callbacks() and set t_sock = NULL, if connect is always
		19	failed, rds_connect_worker() will try to reconnect all the time, so
		20	rds_tcp_kill_sock() will never to cancel worker cp_conn_w and free the
		21	connections.
		22
		23	Therefore, the condition !tc->t_sock is not needed if it is going to do
		24	cleanup_net->rds_tcp_exit_net->rds_tcp_kill_sock, because tc->t_sock is always
		25	NULL, and there is on other path to cancel cp_conn_w and free
		26	connection. So this patch is to fix this.
		27
		28	rds_tcp_kill_sock():
		29	...
		30	if (net != c_net \|\| !tc->t_sock)
		31	...
		32	Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
		33
		34	==================================================================
		35	BUG: KASAN: use-after-free in inet_create+0xbcc/0xd28
		36	net/ipv4/af_inet.c:340
		37	Read of size 4 at addr ffff8003496a4684 by task kworker/u8:4/3721
		38
		39	CPU: 3 PID: 3721 Comm: kworker/u8:4 Not tainted 5.1.0 #11
		40	Hardware name: linux,dummy-virt (DT)
		41	Workqueue: krdsd rds_connect_worker
		42	Call trace:
		43	dump_backtrace+0x0/0x3c0 arch/arm64/kernel/time.c:53
		44	show_stack+0x28/0x38 arch/arm64/kernel/traps.c:152
		45	__dump_stack lib/dump_stack.c:77 [inline]
		46	dump_stack+0x120/0x188 lib/dump_stack.c:113
		47	print_address_description+0x68/0x278 mm/kasan/report.c:253
		48	kasan_report_error mm/kasan/report.c:351 [inline]
		49	kasan_report+0x21c/0x348 mm/kasan/report.c:409
		50	__asan_report_load4_noabort+0x30/0x40 mm/kasan/report.c:429
		51	inet_create+0xbcc/0xd28 net/ipv4/af_inet.c:340
		52	__sock_create+0x4f8/0x770 net/socket.c:1276
		53	sock_create_kern+0x50/0x68 net/socket.c:1322
		54	rds_tcp_conn_path_connect+0x2b4/0x690 net/rds/tcp_connect.c:114
		55	rds_connect_worker+0x108/0x1d0 net/rds/threads.c:175
		56	process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
		57	worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
		58	kthread+0x2f0/0x378 kernel/kthread.c:255
		59	ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
		60
		61	Allocated by task 687:
		62	save_stack mm/kasan/kasan.c:448 [inline]
		63	set_track mm/kasan/kasan.c:460 [inline]
		64	kasan_kmalloc+0xd4/0x180 mm/kasan/kasan.c:553
		65	kasan_slab_alloc+0x14/0x20 mm/kasan/kasan.c:490
		66	slab_post_alloc_hook mm/slab.h:444 [inline]
		67	slab_alloc_node mm/slub.c:2705 [inline]
		68	slab_alloc mm/slub.c:2713 [inline]
		69	kmem_cache_alloc+0x14c/0x388 mm/slub.c:2718
		70	kmem_cache_zalloc include/linux/slab.h:697 [inline]
		71	net_alloc net/core/net_namespace.c:384 [inline]
		72	copy_net_ns+0xc4/0x2d0 net/core/net_namespace.c:424
		73	create_new_namespaces+0x300/0x658 kernel/nsproxy.c:107
		74	unshare_nsproxy_namespaces+0xa0/0x198 kernel/nsproxy.c:206
		75	ksys_unshare+0x340/0x628 kernel/fork.c:2577
		76	__do_sys_unshare kernel/fork.c:2645 [inline]
		77	__se_sys_unshare kernel/fork.c:2643 [inline]
		78	__arm64_sys_unshare+0x38/0x58 kernel/fork.c:2643
		79	__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
		80	invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
		81	el0_svc_common+0x168/0x390 arch/arm64/kernel/syscall.c:83
		82	el0_svc_handler+0x60/0xd0 arch/arm64/kernel/syscall.c:129
		83	el0_svc+0x8/0xc arch/arm64/kernel/entry.S:960
		84
		85	Freed by task 264:
		86	save_stack mm/kasan/kasan.c:448 [inline]
		87	set_track mm/kasan/kasan.c:460 [inline]
		88	__kasan_slab_free+0x114/0x220 mm/kasan/kasan.c:521
		89	kasan_slab_free+0x10/0x18 mm/kasan/kasan.c:528
		90	slab_free_hook mm/slub.c:1370 [inline]
		91	slab_free_freelist_hook mm/slub.c:1397 [inline]
		92	slab_free mm/slub.c:2952 [inline]
		93	kmem_cache_free+0xb8/0x3a8 mm/slub.c:2968
		94	net_free net/core/net_namespace.c:400 [inline]
		95	net_drop_ns.part.6+0x78/0x90 net/core/net_namespace.c:407
		96	net_drop_ns net/core/net_namespace.c:406 [inline]
		97	cleanup_net+0x53c/0x6d8 net/core/net_namespace.c:569
		98	process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
		99	worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
		100	kthread+0x2f0/0x378 kernel/kthread.c:255
		101	ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
		102
		103	The buggy address belongs to the object at ffff8003496a3f80
		104	which belongs to the cache net_namespace of size 7872
		105	The buggy address is located 1796 bytes inside of
		106	7872-byte region [ffff8003496a3f80, ffff8003496a5e40)
		107	The buggy address belongs to the page:
		108	page:ffff7e000d25a800 count:1 mapcount:0 mapping:ffff80036ce4b000
		109	index:0x0 compound_mapcount: 0
		110	flags: 0xffffe0000008100(slab\|head)
		111	raw: 0ffffe0000008100 dead000000000100 dead000000000200 ffff80036ce4b000
		112	raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
		113	page dumped because: kasan: bad access detected
		114
		115	Memory state around the buggy address:
		116	ffff8003496a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		117	ffff8003496a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		118	>ffff8003496a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		119	^
		120	ffff8003496a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		121	ffff8003496a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		122	==================================================================
		123
		124	CVE: CVE-2019-11815
		125	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=a1aa69beac4d88dfb892a95ee04fe6f932803952]
		126
		127	Fixes: 467fa15356ac("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
		128	Reported-by: Hulk Robot <hulkci@huawei.com>
		129	Signed-off-by: Mao Wenan <maowenan@huawei.com>
		130	Signed-off-by: David S. Miller <davem@davemloft.net>
		131	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		132	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		133	---
		134	net/rds/tcp.c \| 2 +-
		135	1 file changed, 1 insertion(+), 1 deletion(-)
		136
		137	diff --git a/net/rds/tcp.c b/net/rds/tcp.c
		138	index d36effbf7614..2daba5316caa 100644
		139	--- a/net/rds/tcp.c
		140	+++ b/net/rds/tcp.c
		141	@@ -527,7 +527,7 @@ static void rds_tcp_kill_sock(struct net *net)
		142	list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
		143	struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
		144
		145	- if (net != c_net \|\| !tc->t_sock)
		146	+ if (net != c_net)
		147	continue;
		148	if (!list_has_conn(&tmp_list, tc->t_cpath->cp_conn)) {
		149	list_move_tail(&tc->t_tcp_node, &tmp_list);
		150	--
		151	2.20.1
		152